Test results for clamAV
Ivan Mirisola
ivan at NUCCI.COM.BR
Thu Oct 31 00:31:55 GMT 2002
Hi all,
Can anyone think of other ways to test clamAV anti-virus software and
help me promote this open source software to a "supported"
status by MailScanner?
I am including the test results within this e-mail for appreciation by
the developers.
Best regards,
Ivan
------------------------------------------------------------------------------------------------------------------
-------------- next part --------------
1) viruses in zip files
### False.zip containing False.bat with Klez-Virus
Oct 29 12:26:24 nucci sendmail[27059]: g9TFQNn27059: from=<ivan at nucci.com.br>, size=62675, class=0, nrcpts=1, msgid=<3DBEA86E.50704 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 12:26:27 nucci MailScanner[24411]: New Batch: Scanning 1 messages, 63086 bytes
Oct 29 12:26:27 nucci MailScanner[24411]: Virus and Content Scanning: Starting
Oct 29 12:26:28 nucci MailScanner[24411]: Virus Scanning: clamav found 1 infections
Oct 29 12:26:28 nucci MailScanner[24411]: Virus Scanning: Found 1 viruses
Oct 29 12:26:28 nucci MailScanner[24411]: Saved infected "False.zip" to /var/spool/MailScanner/quarantine/20021029/g9TFQNn27059
Oct 29 12:26:28 nucci MailScanner[24411]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
2) viruses in zip files which are themselves within zip files
### Teste.zip containing False.zip (above)
Oct 29 12:28:23 nucci sendmail[27407]: g9TFSNn27407: from=<ivan at nucci.com.br>, size=62855, class=0, nrcpts=1, msgid=<3DBEA8E5.8040604 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 12:28:24 nucci MailScanner[24487]: New Batch: Scanning 1 messages, 63266 bytes
Oct 29 12:28:24 nucci MailScanner[24487]: Virus and Content Scanning: Starting
Oct 29 12:28:24 nucci MailScanner[24487]: Virus Scanning: clamav found 1 infections
Oct 29 12:28:24 nucci MailScanner[24487]: Virus Scanning: Found 1 viruses
Oct 29 12:28:24 nucci MailScanner[24487]: Saved infected "Teste.ZIP" to /var/spool/MailScanner/quarantine/20021029/g9TFSNn27407
Oct 29 12:28:24 nucci MailScanner[24487]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
3) viruses in files whose name starts or ends in a space
a) ### False.zip containing False.bat with Klez.Virus that begins with ALT-0160 (space)
Oct 29 12:56:40 nucci sendmail[31978]: g9TFuen31978: from=<ivan at nucci.com.br>, size=62718, class=0, nrcpts=1, msgid=<3DBEAF86.7070908 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 12:56:41 nucci MailScanner[24436]: New Batch: Scanning 1 messages, 63129 bytes
Oct 29 12:56:42 nucci MailScanner[24436]: Virus and Content Scanning: Starting
Oct 29 12:56:43 nucci MailScanner[24436]: Virus Scanning: clamav found 1 infections
Oct 29 12:56:43 nucci MailScanner[24436]: Virus Scanning: Found 1 viruses
Oct 29 12:56:43 nucci MailScanner[24436]: Saved infected "1" to /var/spool/MailScanner/quarantine/20021029/g9TFuen31978
Oct 29 12:56:43 nucci MailScanner[24436]: Silent: Delivered 1 messages containing silent viruses
b) ### False.zip containing False.bat with Klez.Virus that ends with ALT-0160 (space)
Oct 29 12:59:35 nucci sendmail[586]: g9TFxZn00586: from=<ivan at nucci.com.br>, size=62724, class=0, nrcpts=1, msgid=<3DBEB036.6060909 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 12:59:39 nucci MailScanner[24411]: New Batch: Scanning 1 messages, 63135 bytes
Oct 29 12:59:39 nucci MailScanner[24411]: Virus and Content Scanning: Starting
Oct 29 12:59:41 nucci MailScanner[24411]: Virus Scanning: clamav found 1 infections
Oct 29 12:59:41 nucci MailScanner[24411]: Virus Scanning: Found 1 viruses
Oct 29 12:59:41 nucci MailScanner[24411]: Saved infected "1" to /var/spool/MailScanner/quarantine/20021029/g9TFxZn00586
Oct 29 12:59:41 nucci MailScanner[24411]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It says:
<--------The original e-mail attachment "1"-------->
4) viruses in zip files where either/both of the name of the infected file or the zip file start or end in a space
a) ### Start.zip containing False.bat with Klez.Virus. Compressed file begins with ALT-0160 (space)
Oct 29 13:06:25 nucci sendmail[2276]: g9TG6Ln02276: from=<ivan at nucci.com.br>, size=62544, class=0, nrcpts=1, msgid=<3DBEB1CB.1000804 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 13:06:28 nucci MailScanner[24436]: New Batch: Scanning 2 messages, 86314 bytes
Oct 29 13:06:29 nucci MailScanner[24436]: Virus and Content Scanning: Starting
Oct 29 13:06:30 nucci MailScanner[24436]: Virus Scanning: clamav found 1 infections
Oct 29 13:06:30 nucci MailScanner[24436]: Virus Scanning: Found 1 viruses
Oct 29 13:06:30 nucci MailScanner[24436]: Saved infected "start.zip" to /var/spool/MailScanner/quarantine/20021029/g9TG6Ln02276
Oct 29 13:06:31 nucci MailScanner[24436]: Uninfected: Delivered 1 messages
Oct 29 13:06:31 nucci MailScanner[24436]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It says:
<--------The original e-mail attachment "1"-------->
b) ### End.zip containing False.bat with Klez.Virus. Compressed file ends with ALT-0160 (space)
Oct 29 13:08:35 nucci sendmail[2537]: g9TG8Yn02537: from=<ivan at nucci.com.br>, size=62540, class=0, nrcpts=1, msgid=<3DBEB251.9060207 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 13:08:39 nucci MailScanner[24504]: New Batch: Scanning 1 messages, 62951 bytes
Oct 29 13:08:39 nucci MailScanner[24504]: Virus and Content Scanning: Starting
Oct 29 13:08:40 nucci MailScanner[24504]: Virus Scanning: clamav found 1 infections
Oct 29 13:08:41 nucci MailScanner[24504]: Virus Scanning: Found 1 viruses
Oct 29 13:08:41 nucci MailScanner[24504]: Saved infected "end.zip" to /var/spool/MailScanner/quarantine/20021029/g9TG8Yn02537
Oct 29 13:08:41 nucci MailScanner[24504]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It says:
<--------The original e-mail attachment "1"-------->
5) viruses in files with various nasty filenames (strange characters, non-English characters, etc.)
a) ### São.zip containing False.bat with Klez.virus and zip naming contains Latin (Brazilian) characters
Oct 29 17:01:00 nucci sendmail[1098]: g9TK0xa01098: from=<ivan at nucci.com.br>, size=62571, class=0, nrcpts=1, msgid=<3DBEE8CA.8060607 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 17:01:01 nucci MailScanner[928]: New Batch: Scanning 1 messages, 62981 bytes
Oct 29 17:01:01 nucci MailScanner[928]: Virus and Content Scanning: Starting
Oct 29 17:01:03 nucci MailScanner[928]: Virus Scanning: clamav found 1 infections
Oct 29 17:01:03 nucci MailScanner[928]: Virus Scanning: Found 1 viruses
Oct 29 17:01:03 nucci MailScanner[928]: Saved infected "1" to /var/spool/MailScanner/quarantine/20021029/g9TK0xa01098
Oct 29 17:01:03 nucci MailScanner[928]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It says:
<--------The original e-mail attachment "1"-------->
b) ### 1º.zip containing False.bat with Klez.virus and zip naming contains Latin (Brazilian) characters
Oct 29 17:06:19 nucci sendmail[1963]: g9TK6Ia01963: from=<ivan at nucci.com.br>, size=62569, class=0, nrcpts=1, msgid=<3DBEEA0A.8000901 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 17:06:19 nucci MailScanner[946]: New Batch: Scanning 1 messages, 62979 bytes
Oct 29 17:06:20 nucci MailScanner[946]: Virus and Content Scanning: Starting
Oct 29 17:06:20 nucci MailScanner[946]: Virus Scanning: clamav found 1 infections
Oct 29 17:06:21 nucci MailScanner[946]: Virus Scanning: Found 1 viruses
Oct 29 17:06:21 nucci MailScanner[946]: Saved infected "1" to /var/spool/MailScanner/quarantine/20021029/g9TK6Ia01963
Oct 29 17:06:21 nucci MailScanner[946]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It says:
<--------The original e-mail attachment "1"-------->
c) ### ¬½¼¡«»¦¦¦¦¦¿®.zip containing False.bat with Klez.virus and zip naming contains strange characters from
Oct 29 17:11:27 nucci sendmail[2619]: g9TKBRa02619: from=<ivan at nucci.com.br>, size=62639, class=0, nrcpts=1, msgid=<3DBEEB3E.1090701 at nucci.com.br>, proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
Oct 29 17:11:28 nucci sendmail[2622]: g9TK8ta02375: to=<contrato.bel at tecnocargonet.com.br>, delay=00:02:33, xdelay=00:00:00, mailer=virtual, pri=121884, relay=tecnocargonet.com.br, dsn=2.0.0, stat=Sent
Oct 29 17:11:29 nucci MailScanner[928]: New Batch: Scanning 1 messages, 63049 bytes
Oct 29 17:11:29 nucci MailScanner[928]: Virus and Content Scanning: Starting
Oct 29 17:11:30 nucci MailScanner[928]: Virus Scanning: clamav found 1 infections
Oct 29 17:11:30 nucci MailScanner[928]: Virus Scanning: Found 1 viruses
Oct 29 17:11:30 nucci MailScanner[928]: Saved infected "1" to /var/spool/MailScanner/quarantine/20021029/g9TKBRa02619
Oct 29 17:11:30 nucci MailScanner[928]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
OBS: The return mail doesn't say the right name used in the attachment. It says:
<--------The original e-mail attachment "1"-------->
6) Viruses in forwarded e-mail of type (*.eml) with <IFRAME> from MS-Outlook[Express]
Oct 29 17:50:39 nucci sendmail[11036]: g9TKoca11036: from=<ivan at nucci.com.br>, size=146925, class=0, nrcpts=1, msgid=<001001c27f8d$b0cfcd40$0202a8c0 at nucci.com.br>, proto=SMTP, daemon=MTA, relay=[192.168.2.2]
Oct 29 17:50:39 nucci MailScanner[902]: New Batch: Scanning 1 messages, 147321 bytes
Oct 29 17:50:40 nucci MailScanner[902]: Virus and Content Scanning: Starting
Oct 29 17:50:41 nucci MailScanner[902]: Virus Scanning: clamav found 1 infections
Oct 29 17:50:41 nucci MailScanner[902]: Virus Scanning: Found 1 viruses
Oct 29 17:50:41 nucci MailScanner[902]: Filename Checks: Possible malicious batch file script (False.bat)
Oct 29 17:50:41 nucci MailScanner[902]: Other Checks: Found 1 problems
Oct 29 17:50:41 nucci MailScanner[902]: Content Checks: Detected Microsoft-specific exploits in g9TKoca11036
Oct 29 17:50:41 nucci MailScanner[902]: Content Checks: Found 1 problems
Oct 29 17:50:41 nucci MailScanner[902]: Saved infected "False.bat" to /var/spool/MailScanner/quarantine/20021029/g9TKoca11036
Oct 29 17:50:41 nucci MailScanner[902]: Saved infected "msg-902-36.html" to /var/spool/MailScanner/quarantine/20021029/g9TKoca11036
Oct 29 17:50:41 nucci MailScanner[902]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
7) Viruses within ZIP file attached to e-mail of type (*.eml) from MS-Outlook[Express] that was forwarded
Oct 30 21:25:09 nucci sendmail[14519]: g9V0P9P14519: from=<ivan at nucci.com.br>, size=64681, class=0, nrcpts=1, msgid=<002301c28074$e063e540$0202a8c0 at nucci.com.br>, proto=SMTP, daemon=MTA, relay=[192.168.2.2]
Oct 30 21:25:12 nucci MailScanner[14255]: New Batch: Scanning 1 messages, 65076 bytes
Oct 30 21:25:12 nucci MailScanner[14255]: Virus and Content Scanning: Starting
Oct 30 21:25:13 nucci MailScanner[14255]: Virus Scanning: clamav found 1 infections
Oct 30 21:25:13 nucci MailScanner[14255]: Virus Scanning: Found 1 viruses
Oct 30 21:25:13 nucci MailScanner[14255]: Saved infected "False.zip" to /var/spool/MailScanner/quarantine/20021030/g9V0P9P14519
Oct 30 21:25:13 nucci MailScanner[14255]: Silent: Delivered 1 messages containing silent viruses
->>> Returns to sender notice about e-mail containing a virus
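
Added example (not part of the original post and not MailScanner code): a small Python parser for the "Saved infected" lines in the logs above. It groups the saved attachment names by sendmail queue ID and flags messages whose quarantined name is a bare number such as "1" rather than the filename the sender used. The sample log lines, hostname and queue IDs are constructed, and the all-digits heuristic is an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the logs above (host, PIDs and queue IDs are made up).
SAMPLE_LOG = """\
Oct 29 12:26:28 mx MailScanner[101]: Virus Scanning: clamav found 1 infections
Oct 29 12:26:28 mx MailScanner[101]: Saved infected "False.zip" to /var/spool/MailScanner/quarantine/20021029/g9TAAAA00001
Oct 29 12:56:43 mx MailScanner[102]: Virus Scanning: clamav found 1 infections
Oct 29 12:56:43 mx MailScanner[102]: Saved infected "1" to /var/spool/MailScanner/quarantine/20021029/g9TBBBB00002
Oct 29 17:50:41 mx MailScanner[103]: Saved infected "False.bat" to /var/spool/MailScanner/quarantine/20021029/g9TCCCC00003
Oct 29 17:50:41 mx MailScanner[103]: Saved infected "msg-103-36.html" to /var/spool/MailScanner/quarantine/20021029/g9TCCCC00003
"""

# The last path component of the quarantine directory is the sendmail queue ID.
SAVED_RE = re.compile(
    r'MailScanner\[(?P<pid>\d+)\]: Saved infected "(?P<name>[^"]*)" '
    r'to (?P<dir>\S+)/(?P<qid>[^/\s]+)$'
)


def quarantined_names(log_text):
    """Map sendmail queue ID -> list of attachment names MailScanner saved."""
    saved = defaultdict(list)
    for line in log_text.splitlines():
        m = SAVED_RE.search(line)
        if m:
            saved[m.group("qid")].append(m.group("name"))
    return dict(saved)


def lost_names(saved):
    """Queue IDs where a saved name is all digits (assumed heuristic for
    'the original attachment name did not survive', as with "1" above)."""
    return sorted(q for q, names in saved.items()
                  if any(n.isdigit() for n in names))


if __name__ == "__main__":
    saved = quarantined_names(SAMPLE_LOG)
    for qid, names in saved.items():
        print(qid, names)
    print("name not preserved:", lost_names(saved))
```

Run against the real mail log, the flagged queue IDs are the ones to cross-check against the sender notices that quote attachment "1".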