Using PHP's IMAP library triggers Kaspersky's Antivirus

Question

Hello,

I just started today working with PHP's IMAP library, and while imap_fetchbody or imap_body are called, it is triggering my Kaspersky antivirus. The viruses are Trojan.Win32.Agent.dmyq and Trojan.Win32.FraudPack.aoda. I am running this off a local development machine with XAMPP and Kaspersky AV.

Now, I am sure there are viruses there since there is spam in the box (who doesn't need a some viagra or vicodin these days?). And I know that since the raw body includes attachments and different mime-types, bad stuff can be in the body.

So my question is: are there any risks using these libraries?

I am assuming that the IMAP functions are retrieving the body, caching it to disk/memory and the AV scanning it sees the data.

Is that correct? Are there any known security concerns using this library (I couldn't find any)? Does it clean up cached message parts perfectly or might viral files be sitting somewhere?

Is there a better way to get plain text out of the body than this? Right now I am using the following code (credit to Kevin Steffer):

function get_mime_type(&$structure) {
   $primary_mime_type = array("TEXT", "MULTIPART","MESSAGE", "APPLICATION", "AUDIO","IMAGE", "VIDEO", "OTHER");
   if($structure->subtype) {
       return $primary_mime_type[(int) $structure->type] . '/' .$structure->subtype;
   }
       return "TEXT/PLAIN";
}

function get_part($stream, $msg_number, $mime_type, $structure = false, $part_number = false) {

   if(!$structure) {
      $structure = imap_fetchstructure($stream, $msg_number);
   }
   if($structure) {
      if($mime_type == get_mime_type($structure)) {
          if(!$part_number) {
              $part_number = "1";
          }
          $text = imap_fetchbody($stream, $msg_number, $part_number);
          if($structure->encoding == 3) {
              return imap_base64($text);
          } else if($structure->encoding == 4) {
              return imap_qprint($text);
          } else {
              return $text;
          }
      }

      if($structure->type == 1) /* multipart */ {
          while(list($index, $sub_structure) = each($structure->parts)) {
              if($part_number) {
                  $prefix = $part_number . '.';
              }
              $data = get_part($stream, $msg_number, $mime_type, $sub_structure,$prefix .    ($index + 1));
              if($data) {
                 return $data;
              }
          } // END OF WHILE
       } // END OF MULTIPART
   } // END OF STRUTURE
   return false;
} // END OF FUNCTION

$connection = imap_open($server, $login, $password);
$count      = imap_num_msg($connection);
for($i = 1; $i <= $count; $i++) {
   $header  = imap_headerinfo($connection, $i);
   $from    = $header->fromaddress;
   $to      = $header->toaddress;
   $subject = $header->subject;
   $date    = $header->date;
   $body    = get_part($connection, $i, "TEXT/PLAIN");
}

Answer 1

Your guess seems accurate. IMAP itself is fine. What you do with the contents is what's dangerous.

What's dangerous about virus e-mails is that users might open a .exe attachment or something, so bad attachments and potentially evil HTML are what's being checked. As long as your code handling attachments doesn't tell the user to open them and this is just automatic processing or whatever, you're good to go. If you're planning on outputting HTML contents, be sure to use something like HTML Purifier.

Answer 2

The AV is detecting these signatures as they pass through the networking stack, most likely. You should be able to tell the source of the detection from the messages Kaspersky is giving you.