LISTSERV Tech Tip

Q: How can I get information about messages that were blocked for containing a virus?

By Jacob Haller
Senior Support Engineer, L-Soft

LISTSERV integrates with Windows Defender, scanning and intercepting messages that are posted to mailing lists if Windows Defender determines that they contain a virus. It is also possible to configure LISTSERV to use some other anti-virus program or service to scan its incoming mail for viruses.

What follows is some information about how to track down information when you suspect that LISTSERV has flagged a message in this way. Most of it applies regardless of what anti-virus solution you're using, although some of it is specific to Windows Defender.


Determining if a message has been flagged for containing a virus

If a user tells you that they sent a message to a mailing list and it was never distributed, then one possible reason is that the message was flagged as containing a virus.

If the mailing list that they sent the message to has changelogs enabled, then the easiest way to see if this is the case is by going to "List Management" > "List Activity Report", and doing a report on VIRUS activity for a time period containing the date on which the missing message was sent. You may see the following:


2022/09/22 14:25:10     VIRUS     Trojan:Win32/Phonzy.A!ml



If so, you can just report back to the user that their message was flagged as containing the Win32/Phonzy.A!ml trojan (in the above example). However, in some cases LISTSERV might not be able to extract the name of the virus from the information that it received and you will instead see:


2022/09/22 14:25:10     VIRUS     ???



In this case, you have to do a little more digging and look in the anti-virus program's logs for information about what virus was detected. Here is where to look if you are using Windows Defender:


1. On the server that LISTSERV and Windows Defender are installed on, go under the Windows menu to "Windows Administrative Tools" / "Event Viewer".

2. In the left pane of the Event Viewer, expand "Applications and Services Logs", followed by "Microsoft" / "Windows" / "Windows Defender". Double-click on "Operational".

3. A list of Windows Defender events will then come up in reverse chronological order. Scroll down to the date and time of the incident in question. You are looking for entries with "Warning" in the "Level" column. When you find one that looks like it might be related to the incident, then double-click it. You should then see information like this under the "General" tab:


Microsoft Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Script/Wacatac.B!ml&threatid=2147735503&enterprise=0
    Name: Trojan:Script/Wacatac.B!ml
    ID: 2147735503
    Severity: Severe
    Category: Trojan
    Path: file:_C:\LISTSERV\TMP\DO-NOT-RUN-ME-11316-260639.EXE
    Detection Origin: Local machine
    Detection Type: FastPath
    Detection Source: Real-Time Protection
    User: NT AUTHORITY\SYSTEM
    Process Name: C:\LISTSERV\MAIN\LSV.EXE
    Security intelligence Version: AV: 1.375.1061.0, AS: 1.375.1061.0, NIS: 1.375.1061.0
    Engine Version: AM: 1.1.19600.3, NIS: 1.1.19600.3



The things to pay attention to here are:

  • The "Name" line, which tells you the name of the virus that Windows Defender detected.
  • The "Path" line, which should point to the LISTSERV\TMP directory. If you have multiple LISTSERV installations on the same server, then this will also allow you to verify that this entry is for the correct installation.

Above the "Name" line, there is also a link to some information about the virus on the Microsoft website, which you can send to the affected user, along with any other relevant information.


False positives

You may sometimes find that a message is flagged as containing a virus, but the user's own anti-virus software didn't flag it, and, as far as you can tell, the message really does not contain a virus after all. This is known as a "false positive", and this can happen with any anti-virus software.

In this situation, it may be that a later update to the software's anti-virus signatures will include a more specific way to identify the virus, which results in fewer or no false positives. So, if a user reports this to you, and you see that the anti-virus package you're using has had a new update to its signatures since the message was flagged, then you may find that, if the user sends the same message to the mailing list again, it will go through.


Notifications

Customers sometimes ask if users can be notified when LISTSERV flags one of their messages as having a virus.

Unfortunately, this is in general a bad practice. Most emails containing viruses are sent with forged return addresses, so any such notification is likely to either be sent to a bad address, or to someone who is completely unconnected to the message containing the virus.

In either of these cases, this will damage the reputation of your mail server and may increase the chance that future mail from LISTSERV will be flagged as spam.

The result is that, while it would be convenient to be able to notify the user that their message was flagged, in practice this is not something we recommend.



Next Steps










Do you like this type of content? Subscribe to the LISTSERV at Work newsletter.





LISTSERV is a registered trademark licensed to L-Soft international, Inc.

See Guidelines for Proper Usage of the LISTSERV Trademark for more details.

All other trademarks, both marked and unmarked, are the property of their respective owners.


Menu