ClamAV - New Test Results

Ivan Mirisola ivan at NUCCI.COM.BR
Wed Nov 6 19:34:45 GMT 2002


Hi All,

I have performed new tests with some famous viruses found on vx.netlux.org.
Only Melissa failed to be discovered by clamAV. I don't know why. The
virus is found on a "visual basic for ms-word" format and had to be
included in a document. Maybe clamAV is trying to find the original file
that contaned the virus but this must be a wrong doing. My AVG Free
Edition does check the document generated and is able to see that there
is a virus within.

Any thoughts, I'll be glad to hear.

Sincerely,
Ivan

------------------------------Love Letter
Test------------------------------------
Nov 6 17:27:36 nucci sendmail[17092]: gA6KRZp17092:
from=<jehad at nucci.com.br>, size=11995, class=0, nrcpts=1,
msgid=<002d01c285d3$77256bd0$0502a8c0 at C5>, proto=SMTP, Nov 6 17:27:37
nucci MailScanner[10818]: New Batch: Scanning 1 messages, 12402 bytes
Nov 6 17:27:37 nucci MailScanner[10818]: Virus and Content Scanning:
Starting
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: clamav found 1
infections
Nov 6 17:27:38 nucci MailScanner[10818]: Virus Scanning: Found 1 viruses
Nov 6 17:27:38 nucci MailScanner[10818]: Filename Checks: Possible
Microsoft Visual Basic script attack (I-Worm.LoveLetter.vbs)
Nov 6 17:27:38 nucci MailScanner[10818]: Other Checks: Found 1 problems
Nov 6 17:27:38 nucci MailScanner[10818]: Saved infected
"I-Worm.LoveLetter.vbs" to
/var/spool/MailScanner/quarantine/20021106/gA6KRZp17092
Nov 6 17:27:38 nucci MailScanner[10818]: Cleaned: Delivered 1 cleaned
messages
------------------------------Love Letter
Test------------------------------------

------------------------------Prety Park
Test-------------------------------------
Nov 6 17:25:37 nucci sendmail[15773]: gA6KPap15773:
from=<ivan at nucci.com.br>, size=52034, class=0, nrcpts=1,
msgid=<002301c285d3$30265f50$0502a8c0 at C5>, proto=SMTP Nov 6 17:25:40
nucci MailScanner[4547]: New Batch: Scanning 1 messages, 52441 bytes
Nov 6 17:25:40 nucci MailScanner[4547]: Virus and Content Scanning:
Starting
Nov 6 17:25:41 nucci MailScanner[4547]: Filename Checks: Possible virus
hidden in a screensaver (I-Worm.PrettyPark.scr)
Nov 6 17:25:41 nucci MailScanner[4547]: Other Checks: Found 1 problems
Nov 6 17:25:41 nucci MailScanner[4547]: Saved infected
"I-Worm.PrettyPark.scr" to
/var/spool/MailScanner/quarantine/20021106/gA6KPap15773
Nov 6 17:25:41 nucci MailScanner[4547]: Cleaned: Delivered 1 cleaned
messages
------------------------------Prety Park
Test-------------------------------------

--------------------------------Magister
Test-------------------------------------
Nov 6 17:23:34 nucci sendmail[15225]: gA6KNXp15225:
from=<ivan at nucci.com.br>, size=85924, class=0, nrcpts=1,
msgid=<001901c285d2$e6e5ee50$0502a8c0 at C5>, proto=SMTP
Nov 6 17:23:35 nucci MailScanner[4152]: New Batch: Scanning 1 messages,
86332 bytes
Nov 6 17:23:35 nucci MailScanner[4152]: Virus and Content Scanning:
Starting
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: clamav found 1
infections
Nov 6 17:23:37 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:23:37 nucci MailScanner[4152]: Filename Checks: Possible virus
hidden in a screensaver (I-Worm.Magistr.b.scr)
Nov 6 17:23:37 nucci MailScanner[4152]: Other Checks: Found 1 problems
Nov 6 17:23:37 nucci MailScanner[4152]: Saved infected
"I-Worm.Magistr.b.scr" to
/var/spool/MailScanner/quarantine/20021106/gA6KNXp15225
Nov 6 17:23:37 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned
messages
--------------------------------Magister
Test-------------------------------------

------------------------------Nimda
Test------------------------------------------

Nov 6 17:21:07 nucci sendmail[14736]: gA6KL7p14736:
from=<ivan at nucci.com.br>, size=2947, class=0, nrcpts=1,
msgid=<000d01c285d2$8f8f1320$0502a8c0 at C5>, proto=SMTP
Nov 6 17:21:07 nucci MailScanner[4152]: New Batch: Scanning 1 messages,
3354 bytes
Nov 6 17:21:07 nucci MailScanner[4152]: Virus and Content Scanning:
Starting
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: clamav found 1
infections
Nov 6 17:21:08 nucci MailScanner[4152]: Virus Scanning: Found 1 viruses
Nov 6 17:21:08 nucci MailScanner[4152]: Saved infected
"I-Worm.Nimda.html" to
/var/spool/MailScanner/quarantine/20021106/gA6KL7p14736
Nov 6 17:21:08 nucci MailScanner[4152]: Cleaned: Delivered 1 cleaned
messages
------------------------------Nimda
Test------------------------------------------

Ivan Mirisola wrote:

> Dear Mr. Gavin,
>
> I tested the same virus on vx.netlux.org with clamAV 0.51 and it also
> failed to discover. I have reported this issue to clamAV's site and hope
> to see some fix very soon.
>
> -----------------------------------------------------------------------------------
>
> Nov 6 16:55:48 nucci sendmail[9060]: gA6Jtlp09060:
> from=<ivan at nucci.com.br>, size=44395, class=0, nrcpts=1,
> msgid=<000d01c285cf$05c31270$0502a8c0 at C5>, proto=SMTP, daemon=MTA, Nov
> 6 16:55:48 nucci MailScanner[9358]: New Batch: Scanning 1 messages,
> 44802 bytes
> Nov 6 16:55:50 nucci MailScanner[9358]: Virus and Content Scanning:
> Starting
> Nov 6 16:55:50 nucci MailScanner[9358]: Uninfected: Delivered 1 messages
> -----------------------------------------------------------------------------------
>
>
> Thanks again,
> Ivan
>
>
> Gavin Nelmes-Crocker wrote:
>
>> I know its currently unsupported in code status by mailscanner and this
>> doesn't technically alter that but beware if you are planning to use
>> it on a
>> production box with no other scanners.
>>
>> My findings so far with regard to virus detecting is poor we have pushed
>> several real virii through it and it hasn't detected them when
>> f-prot,sophos
>> and kaspersky all have and I'm not talking new ones here one of the
>> ones we
>> are playing with is Melissa which is 2 years old. We have up to date
>> virus
>> definitions for Clamav and it is working as it detects its own test
>> file but
>> not some of the others that I would expect it to.
>>
>> Regards
>>
>> Gavin
>>
>>



More information about the MailScanner mailing list