Virus on SLES10 repo?

Hi,
For the past couple of weeks while I was on leave, I’ve been getting the following in my SMT mirror report:
[INDENT]Mirroring: https://nu.novell.com/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/
Target: /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/repomd.xml
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/primary.xml.gz
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/filelists.xml.gz
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/other.xml.gz
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/patterns.xml
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/susedata.xml.gz
File not found /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/repodata/repomd.xml
Finished downloading and parsing the metadata, going to download the rest of the files…
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/repomd.xml.asc
D /srv/www/htdocs/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/.repodata/repomd.xml.key
[COLOR="#008000"]E ‘https://nu.novell.com/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/rpm/x86_64/amavisd-new-2.3.3-17.2.x86_64.rpm’: 403 VirusFound[/COLOR]
=> Finished mirroring ‘https://nu.novell.com/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/
=> Total files : 9
=> Total transferred files : 8[/INDENT]

Since it’s a 403 error and our SMT server doesn’t have any anti-virus software running on it, it looks as if the Novell server has detected a virus and deleted the rpm file. Seems rather odd to me - anyone else seen this issue?

Cheers,
Ian

Hi Ian,

[COLOR=#008000]E ‘https://nu.novell.com/repo/$RCE/SLES10-SP4-Pool/sles-10-x86_64/rpm/x86_64/amavisd-new-2.3.3-17.2.x86_64.rpm’: 403 VirusFound

[/COLOR]I cannot confirm - requesting that file via browser (while being logged in) results in a successful download, a virus scan doesn’t report an infection:

[CODE]myhost:/tmp # clamscan amavisd-new-2.3.3-17.2.x86_64.rpm
amavisd-new-2.3.3-17.2.x86_64.rpm: OK

----------- SCAN SUMMARY -----------
Known viruses: 3726572
Engine version: 0.98.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.43 MB
Data read: 0.43 MB (ratio 1.01:1)
Time: 10.885 sec (0 m 10 s)
myhost:/tmp # rpm -qip amavisd-new-2.3.3-17.2.x86_64.rpm
Name : amavisd-new
Version : 2.3.3
Release : 17.2
Architecture: x86_64
Install Date: (not installed)
Group : Productivity/Networking/Security
Size : 1713045
License : GPL
Signature : DSA/SHA1, Fri Jun 16 20:29:54 2006, Key ID a84edae89c800aca
Source RPM : amavisd-new-2.3.3-17.2.src.rpm
Build Date : Fri Jun 16 20:00:57 2006
Build Host : stravinsky.suse.de
Relocations : (not relocatable)
Packager : http://bugs.opensuse.org
Vendor : SUSE LINUX Products GmbH, Nuernberg, Germany
URL : amavisd-new
Summary : High-Performance E-Mail Virus Scanner
Description :
Amavisd-new is a high-performance interface between mailer (MTA) and
content checkers: virus scanners or SpamAssassin. It talks to the MTA
via (E)SMTP, LMTP, or by using helper programs. It works with the
following MTAs:

  • postfix

  • sendmail (sendmail-milter)

  • exim

Authors:

Mark Martinec <mark.martinec@ijs.si>

Distribution: SUSE Linux Enterprise 10 (X86-64)
myhost:/tmp #[/CODE]

Regards,
Jens

PS: This is through a proxy, though.

Hi Jens,

Good thing you said that - I forgot that the proxy server we go through has a virus checker on it! When I access the file in a web browser, the proxy says “Virus Name: McAfeeGW: EICAR test file”, so that’s the issue. Unfortunately we don’t have access to unblock things on the proxy or virus scanner, so I’ll just have to download the file at home and copy it onto the SMT server.
Thanks for reminding me about the proxy!

Cheers,
Ian

Hi Ian,

[QUOTE=imoore;25791]Hi Jens,

Good thing you said that - I forgot that the proxy server we go through has a virus checker on it! When I access the file in a web browser, the proxy says “Virus Name: McAfeeGW: EICAR test file”, so that’s the issue.[/QUOTE]

Now that’s strange - EICAR is a general virus scanner test case (see http://en.wikipedia.org/wiki/EICAR_test_file), which points to some strange configuration of the proxy server and/or its scanner access… maybe someone’s testing the scanner feature for certain files (or file types)?

In this specific case, this seems a letigimate way to go - but from an IT security point of view, bypassing the virus scanner is definitely a no-go :wink: I strongly recommend to escalate this EICAR response to those in charge of the proxy server.

Regards,
Jens