Poco Forums • View topic - Anti Virus software and broken index files

Anti Virus software and broken index files

Help and advice on using PocoMail

Moderators: Eric, Tomas, robin

Anti Virus software and broken index files

Postby frazmi » Fri Jul 30, 2004 4:42 am

Norton AntiVirus (and perhaps other AV programs) seem to have a severe problem interacting with Poco. This probably can't be classified as a bug in either Poco or NAV.

Scenario:
Message arrives with embedded attachment, which contains a virus. For some reason (Symantec will not respond on this) the virus is not caught during the incoming AV email scanning. Thus, Poco receives the virus-laden message, and then Poco writes the message to the .mbx file with a virus included.

Some time later, the unsuspecting user runs a full system scan, with the option set to look inside of ZIP files, etc. -- i.e., maximum security levels. On this scan, NAV finds the virus that it previously missed, and "cleans" the mbx file.

I don't know exactly how NAV "cleans" a file. However, after cleaning there are a lot of new hex characters in the message that contained the virus. I suspect that NAV has somehow No-Oped the viral code in an attempt to keep the original pre-viral version of the file. Be that as it may, the key point is that the "cleaned" file does not have the same file length as the pre-cleaned file.

This means that start-of-message pointers in the idx file can be pointing to the wrong place in the mailbox file.

I have done the following several times with identical results:

Code:
Take a mbx file known to contain a virus.
Start Poco, look at the mailbox and note the number of messages.
Close Poco, run NAV
NAV tells me the file has been cleaned.
Run Poco, look at the mailbox...
---- Many messages will be missing.
---- Some messages will have blank message bodies.
---- Some messages will show content from other messages
Move some "problem" messages.
Run Compress Mailbox.
"Lost" messages reappear in the index pane. However, some messages (perhaps 2-5%) still have garbled message bodies. That is, the message body from one email will appear in the preview pane for a totally different message.

Examination of the mbx file reveals that the incorrect message body is within a few hundred lines of the actual message, which is one that contained a virus that NAV cleaned.

BTW, I'm looking at the mbx file with a hex editor, not Poco.

And finally, I lost all my virus-infected samples due to operator error -- I inadvertently ran my scenario on the "virus safe" instead of the "virus sandbox" and thus wiped my test-bed. Hopefully someone can duplicate this scenario.
frazmi
Poco Enthusiast
 
Posts: 248
Joined: Tue Jul 27, 2004 1:27 am
Location: South Korea

Postby frazmi » Sat Aug 14, 2004 2:12 am

I'd like to suggest the following test for those who still do not believe that an antivirus program can corrupt the mbx file, at least under certain conditions.

Before going any further, let me issue a correction and two disclaimers.

Correction: Sandy has pointed out in another thread that my original idea that the idx file was being corrupted is not valid. I think he's right. I now believe that Poco makes an in-memory index at startup. Editing the mbx file without Poco's knowledge naturally causes the pointers in the in-memory index to be in error.

First disclaimer: I'm not claiming a "bug" in Poco. My whole point is to show one possible interaction between a program like NAV and Poco which can disrupt the message files.

Second disclaimer: Please do this on a copy of your Poco installation. Do not do it on your main copy. This procedure intentionally corrupts the mailbox files.

The following test was done on a version 1880 system, completely clean install.

Step 1: Compose 3 test messages and send them to yourself. (I think 2 messages will also fail this way, but I have not checked that scenario.)

Step 2: While Poco is running, open In.mbx with a text editor. Find the message text of the first test message. Add many characters in the middle of the message (around 100 or so). Save the file.

Step 3: Close Poco. (I used the [x] windows button, not File Exit)

Step 4: Restart Poco. The display of the first message will be incorrect. It won't show the original text, nor will it show the inserted text. What shows seems somewhat varied, but in all of my testing, it's some truncated version of the edited text.

Step 5: Create a new folder and move the corrupted message to that folder.

Step 6: Compress all mailboxes.

At this point, the first test message is permanently corrupted. Some of the inserted text will be missing, and some of the original text also will be missing. If you open the mbx file with a text editor you will find that the mbx file accurately reflects what's shown in the preview pane.

However, if you turn on all headers, you may notice some really strange headers before the "From" header. This does not always happen -- I don't have a pattern yet, but am working on it.

I believe that this scenario proves that a program like NAV, if allowed to run concurrently with Poco, will corrupt the mailbox file if it "cleans" a virus from a message.
frazmi
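The mechanism frazmi describes in both posts (an in-memory index of byte offsets that goes stale once an antivirus "clean" or a text editor inserts bytes into the .mbx file, followed by a Compress-Mailbox-style rescan that recovers the message boundaries but not the edited text) can be shown with a small model. The code below is an added example written for this page; it is not PocoMail's code and does not use the real .mbx/.idx layout. The message separator, the three sample messages, the "viral" marker string and the `fingerprint` check are all constructed for the demonstration.

```python
"""
Toy model of an offset-indexed mailbox (constructed example, not PocoMail's
actual .mbx/.idx format). Messages are stored back to back in one file and an
in-memory index records each message's (offset, length). Inserting or removing
bytes in the file behind the index's back, which is what an AV "clean" does,
shifts every later message, so stale offsets land mid-message: truncated,
blank, or swapped bodies, as the posts above describe.
"""
import hashlib

# Separator written between messages. Assumed for this example only.
SEP = b"\n\x01\x01\x01\x01\n"

# Constructed sample mailbox: the second message carries a placeholder for
# the infected bytes an AV scanner would rewrite.
MESSAGES = [
    b"From: a@example.test\nSubject: one\n\nfirst body\n",
    b"From: b@example.test\nSubject: two\n\nVIRAL-BLOB\n",
    b"From: c@example.test\nSubject: three\n\nthird body\n",
]


def build_mailbox(messages):
    """Concatenate messages; return (file_bytes, index) with index = [(offset, length), ...]."""
    data = bytearray()
    index = []
    for m in messages:
        index.append((len(data), len(m)))
        data += m + SEP
    return bytes(data), index


def read_by_index(data, index):
    """Read every message through the stored (offset, length) pairs, trusting them blindly."""
    return [data[off:off + ln] for off, ln in index]


def clean_like_av(data, needle, replacement):
    """Simulate an AV 'clean': overwrite the infected bytes with a payload of a different length."""
    return data.replace(needle, replacement, 1)


def rescan_index(data):
    """Rebuild the index by scanning for separators, as a Compress Mailbox style rebuild must."""
    index = []
    pos = 0
    while pos < len(data):
        end = data.find(SEP, pos)
        if end == -1:
            end = len(data)
        index.append((pos, end - pos))
        pos = end + len(SEP)
    return index


def fingerprint(data):
    """Cheap check a client can record at load time and re-verify before trusting its index."""
    return len(data), hashlib.sha256(data).hexdigest()


def demo():
    data, index = build_mailbox(MESSAGES)
    fp_at_load = fingerprint(data)

    # The scanner rewrites 10 infected bytes as 40 NUL bytes: the file grows by 30 bytes.
    cleaned = clean_like_av(data, b"VIRAL-BLOB", b"\x00" * 40)

    stale = read_by_index(cleaned, index)              # old offsets against the new file
    rebuilt = read_by_index(cleaned, rescan_index(cleaned))  # boundaries recovered by rescan
    return {
        "index_still_valid": fingerprint(cleaned) == fp_at_load,
        "stale_reads": stale,
        "rebuilt_reads": rebuilt,
    }


if __name__ == "__main__":
    result = demo()
    print("index still valid:", result["index_still_valid"])
    for i, (s, r) in enumerate(zip(result["stale_reads"], result["rebuilt_reads"])):
        print(f"--- message {i} via stale index ---\n{s!r}\n--- after rescan ---\n{r!r}")
```

Run it and the first message reads correctly, the cleaned message comes back truncated (its header plus a few NUL bytes), and the third message's stale offset starts inside the cleaned message and runs into the start of the real third message, which is the "content from another message" symptom. The rescan restores the message count, but the cleaned message keeps the scanner's bytes; nothing rebuilds the original text. The `fingerprint` comparison is the check a client would want: if the file's length or hash differs from what was recorded when the index was built, the index must be rebuilt before any offset is used.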
