Test results for clamAV

Ivan Mirisola ivan at NUCCI.COM.BR
Thu Oct 31 15:31:05 GMT 2002


Yeap...


Matt wrote:

>Are the virus definitions for ClamAV kept up to date?
>
>Matt
>
>----- Original Message -----
>From: "Ivan Mirisola" <ivan at NUCCI.COM.BR>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Wednesday, October 30, 2002 6:31 PM
>Subject: Test results for clamAV
>
>
>  
>
>>Hi all,
>>
>>Can anyone think of other ways to test clamAV anti-virus software and
>>help me promote this open source software to a "supported"
>>status by MailScanner?
>>
>>I am including the test results within this e-mail for appreciation by
>>the developers.
>>
>>
>>Best regards,
>>Ivan
>>
>
>1) viruses in zip files
>### False.zip containing False.bat with Klez-Virus
>
>Oct 29 12:26:24 nucci sendmail[27059]: g9TFQNn27059:
>from=<ivan at nucci.com.br>, size=62675, class=0, nrcpts=1,
>msgid=<3DBEA86E.50704 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 12:26:27 nucci MailScanner[24411]: New Batch: Scanning 1 messages,
>63086 bytes
>Oct 29 12:26:27 nucci MailScanner[24411]: Virus and Content Scanning:
>Starting
>Oct 29 12:26:28 nucci MailScanner[24411]: Virus Scanning: clamav found 1
>infections
>Oct 29 12:26:28 nucci MailScanner[24411]: Virus Scanning: Found 1 viruses
>Oct 29 12:26:28 nucci MailScanner[24411]: Saved infected "False.zip" to
>/var/spool/MailScanner/quarantine/20021029/g9TFQNn27059
>Oct 29 12:26:28 nucci MailScanner[24411]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>
>2) viruses in zip files which are themselves within zip files
>### Teste.zip containing False.zip (above)
>
>Oct 29 12:28:23 nucci sendmail[27407]: g9TFSNn27407:
>from=<ivan at nucci.com.br>, size=62855, class=0, nrcpts=1,
>msgid=<3DBEA8E5.8040604 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 12:28:24 nucci MailScanner[24487]: New Batch: Scanning 1 messages,
>63266 bytes
>Oct 29 12:28:24 nucci MailScanner[24487]: Virus and Content Scanning:
>Starting
>Oct 29 12:28:24 nucci MailScanner[24487]: Virus Scanning: clamav found 1
>infections
>Oct 29 12:28:24 nucci MailScanner[24487]: Virus Scanning: Found 1 viruses
>Oct 29 12:28:24 nucci MailScanner[24487]: Saved infected "Teste.ZIP" to
>/var/spool/MailScanner/quarantine/20021029/g9TFSNn27407
>Oct 29 12:28:24 nucci MailScanner[24487]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>
>3) viruses in files whose name starts or ends in a space
>a) ### False.zip containing False.bat with Klez.Virus that begins with
>ALT-0160 (space)
>
>Oct 29 12:56:40 nucci sendmail[31978]: g9TFuen31978:
>from=<ivan at nucci.com.br>, size=62718, class=0, nrcpts=1,
>msgid=<3DBEAF86.7070908 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 12:56:41 nucci MailScanner[24436]: New Batch: Scanning 1 messages,
>63129 bytes
>Oct 29 12:56:42 nucci MailScanner[24436]: Virus and Content Scanning:
>Starting
>Oct 29 12:56:43 nucci MailScanner[24436]: Virus Scanning: clamav found 1
>infections
>Oct 29 12:56:43 nucci MailScanner[24436]: Virus Scanning: Found 1 viruses
>Oct 29 12:56:43 nucci MailScanner[24436]: Saved infected "1" to
>/var/spool/MailScanner/quarantine/20021029/g9TFuen31978
>Oct 29 12:56:43 nucci MailScanner[24436]: Silent: Delivered 1 messages
>containing silent viruses
>
>b) ### False.zip containing False.bat with Klez.Virus that ends with
>ALT-0160 (space)
>
>Oct 29 12:59:35 nucci sendmail[586]: g9TFxZn00586: from=<ivan at nucci.com.br>,
>size=62724, class=0, nrcpts=1, msgid=<3DBEB036.6060909 at nucci.com.br>,
>proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
>Oct 29 12:59:39 nucci MailScanner[24411]: New Batch: Scanning 1 messages,
>63135 bytes
>Oct 29 12:59:39 nucci MailScanner[24411]: Virus and Content Scanning:
>Starting
>Oct 29 12:59:41 nucci MailScanner[24411]: Virus Scanning: clamav found 1
>infections
>Oct 29 12:59:41 nucci MailScanner[24411]: Virus Scanning: Found 1 viruses
>Oct 29 12:59:41 nucci MailScanner[24411]: Saved infected "1" to
>/var/spool/MailScanner/quarantine/20021029/g9TFxZn00586
>Oct 29 12:59:41 nucci MailScanner[24411]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>Note: The return mail doesn't say the right name used in the attachment. It
>says:
><--------The original e-mail attachment "1"-------->
>
>4) viruses in zip files where either/both of the name of the infected file
>or the zip file start or end in a space
>
>a) ### Start.zip containing False.bat with Klez.Virus. Compressed file
>begins with ALT-0160 (space)
>
>Oct 29 13:06:25 nucci sendmail[2276]: g9TG6Ln02276:
>from=<ivan at nucci.com.br>, size=62544, class=0, nrcpts=1,
>msgid=<3DBEB1CB.1000804 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 13:06:28 nucci MailScanner[24436]: New Batch: Scanning 2 messages,
>86314 bytes
>Oct 29 13:06:29 nucci MailScanner[24436]: Virus and Content Scanning:
>Starting
>Oct 29 13:06:30 nucci MailScanner[24436]: Virus Scanning: clamav found 1
>infections
>Oct 29 13:06:30 nucci MailScanner[24436]: Virus Scanning: Found 1 viruses
>Oct 29 13:06:30 nucci MailScanner[24436]: Saved infected "start.zip" to
>/var/spool/MailScanner/quarantine/20021029/g9TG6Ln02276
>Oct 29 13:06:31 nucci MailScanner[24436]: Uninfected: Delivered 1 messages
>Oct 29 13:06:31 nucci MailScanner[24436]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>Note: The return mail doesn't say the right name used in the attachment. It
>says:
><--------The original e-mail attachment "1"-------->
>
>b) ### End.zip containing False.bat with Klez.Virus. Compressed file ends
>with ALT-0160 (space)
>
>Oct 29 13:08:35 nucci sendmail[2537]: g9TG8Yn02537:
>from=<ivan at nucci.com.br>, size=62540, class=0, nrcpts=1,
>msgid=<3DBEB251.9060207 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 13:08:39 nucci MailScanner[24504]: New Batch: Scanning 1 messages,
>62951 bytes
>Oct 29 13:08:39 nucci MailScanner[24504]: Virus and Content Scanning:
>Starting
>Oct 29 13:08:40 nucci MailScanner[24504]: Virus Scanning: clamav found 1
>infections
>Oct 29 13:08:41 nucci MailScanner[24504]: Virus Scanning: Found 1 viruses
>Oct 29 13:08:41 nucci MailScanner[24504]: Saved infected "end.zip" to
>/var/spool/MailScanner/quarantine/20021029/g9TG8Yn02537
>Oct 29 13:08:41 nucci MailScanner[24504]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>Note: The return mail doesn't say the right name used in the attachment. It
>says:
><--------The original e-mail attachment "1"-------->
>
>5) viruses in files with various nasty filenames (strange characters,
>non-English characters, etc.)
>
>a) ### São.zip containing False.bat with Klez.virus and zip naming contains
>Latin (Brazilian) characters
>
>Oct 29 17:01:00 nucci sendmail[1098]: g9TK0xa01098:
>from=<ivan at nucci.com.br>, size=62571, class=0, nrcpts=1,
>msgid=<3DBEE8CA.8060607 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 17:01:01 nucci MailScanner[928]: New Batch: Scanning 1 messages,
>62981 bytes
>Oct 29 17:01:01 nucci MailScanner[928]: Virus and Content Scanning: Starting
>Oct 29 17:01:03 nucci MailScanner[928]: Virus Scanning: clamav found 1
>infections
>Oct 29 17:01:03 nucci MailScanner[928]: Virus Scanning: Found 1 viruses
>Oct 29 17:01:03 nucci MailScanner[928]: Saved infected "1" to
>/var/spool/MailScanner/quarantine/20021029/g9TK0xa01098
>Oct 29 17:01:03 nucci MailScanner[928]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>Note: The return mail doesn't say the right name used in the attachment. It
>says:
><--------The original e-mail attachment "1"-------->
>
>b) ### 1º.zip containing False.bat with Klez.virus and zip naming contains
>Latin (Brazilian) characters
>
>Oct 29 17:06:19 nucci sendmail[1963]: g9TK6Ia01963: from=<ivan at nucci.com.br>
>, size=62569, class=0, nrcpts=1, msgid=<3DBEEA0A.8000901 at nucci.com.br>,
>proto=ESMTP, daemon=MTA, relay=[192.168.2.4]
>Oct 29 17:06:19 nucci MailScanner[946]: New Batch: Scanning 1 messages,
>62979 bytes
>Oct 29 17:06:20 nucci MailScanner[946]: Virus and Content Scanning: Starting
>Oct 29 17:06:20 nucci MailScanner[946]: Virus Scanning: clamav found 1
>infections
>Oct 29 17:06:21 nucci MailScanner[946]: Virus Scanning: Found 1 viruses
>Oct 29 17:06:21 nucci MailScanner[946]: Saved infected "1" to
>/var/spool/MailScanner/quarantine/20021029/g9TK6Ia01963
>Oct 29 17:06:21 nucci MailScanner[946]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>Note: The return mail doesn't say the right name used in the attachment. It
>says:
><--------The original e-mail attachment "1"-------->
>
>c) ### ¬½¼¡«»¦¦¦¦¦¿®.zip containing False.bat with Klez.virus and zip naming
>contains strange characters from
>
>Oct 29 17:11:27 nucci sendmail[2619]: g9TKBRa02619:
>from=<ivan at nucci.com.br>, size=62639, class=0, nrcpts=1,
>msgid=<3DBEEB3E.1090701 at nucci.com.br>, proto=ESMTP, daemon=MTA,
>relay=[192.168.2.4]
>Oct 29 17:11:28 nucci sendmail[2622]: g9TK8ta02375:
>to=<contrato.bel at tecnocargonet.com.br>, delay=00:02:33, xdelay=00:00:00,
>mailer=virtual, pri=121884, relay=tecnocargonet.com.br, dsn=2.0.0, stat=Sent
>Oct 29 17:11:29 nucci MailScanner[928]: New Batch: Scanning 1 messages,
>63049 bytes
>Oct 29 17:11:29 nucci MailScanner[928]: Virus and Content Scanning: Starting
>Oct 29 17:11:30 nucci MailScanner[928]: Virus Scanning: clamav found 1
>infections
>Oct 29 17:11:30 nucci MailScanner[928]: Virus Scanning: Found 1 viruses
>Oct 29 17:11:30 nucci MailScanner[928]: Saved infected "1" to
>/var/spool/MailScanner/quarantine/20021029/g9TKBRa02619
>Oct 29 17:11:30 nucci MailScanner[928]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>Note: The return mail doesn't say the right name used in the attachment. It
>says:
><--------The original e-mail attachment "1"-------->
>
>6) Viruses in forwarded e-mail of type (*.eml) with <IFRAME> from
>MS-Outlook[Express]
>
>Oct 29 17:50:39 nucci sendmail[11036]: g9TKoca11036:
>from=<ivan at nucci.com.br>, size=146925, class=0, nrcpts=1,
>msgid=<001001c27f8d$b0cfcd40$0202a8c0 at nucci.com.br>, proto=SMTP, daemon=MTA,
>relay=[192.168.2.2]
>Oct 29 17:50:39 nucci MailScanner[902]: New Batch: Scanning 1 messages,
>147321 bytes
>Oct 29 17:50:40 nucci MailScanner[902]: Virus and Content Scanning: Starting
>Oct 29 17:50:41 nucci MailScanner[902]: Virus Scanning: clamav found 1
>infections
>Oct 29 17:50:41 nucci MailScanner[902]: Virus Scanning: Found 1 viruses
>Oct 29 17:50:41 nucci MailScanner[902]: Filename Checks: Possible malicious
>batch file script (False.bat)
>Oct 29 17:50:41 nucci MailScanner[902]: Other Checks: Found 1 problems
>Oct 29 17:50:41 nucci MailScanner[902]: Content Checks: Detected
>Microsoft-specific exploits in g9TKoca11036
>Oct 29 17:50:41 nucci MailScanner[902]: Content Checks: Found 1 problems
>Oct 29 17:50:41 nucci MailScanner[902]: Saved infected "False.bat" to
>/var/spool/MailScanner/quarantine/20021029/g9TKoca11036
>Oct 29 17:50:41 nucci MailScanner[902]: Saved infected "msg-902-36.html" to
>/var/spool/MailScanner/quarantine/20021029/g9TKoca11036
>Oct 29 17:50:41 nucci MailScanner[902]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>
>7) Viruses within ZIP file attached to e-mail of type (*.eml) from
>MS-Outlook[Express] that was forwarded
>
>Oct 30 21:25:09 nucci sendmail[14519]: g9V0P9P14519:
>from=<ivan at nucci.com.br>, size=64681, class=0, nrcpts=1,
>msgid=<002301c28074$e063e540$0202a8c0 at nucci.com.br>, proto=SMTP, daemon=MTA,
>relay=[192.168.2.2]
>Oct 30 21:25:12 nucci MailScanner[14255]: New Batch: Scanning 1 messages,
>65076 bytes
>Oct 30 21:25:12 nucci MailScanner[14255]: Virus and Content Scanning:
>Starting
>Oct 30 21:25:13 nucci MailScanner[14255]: Virus Scanning: clamav found 1
>infections
>Oct 30 21:25:13 nucci MailScanner[14255]: Virus Scanning: Found 1 viruses
>Oct 30 21:25:13 nucci MailScanner[14255]: Saved infected "False.zip" to
>/var/spool/MailScanner/quarantine/20021030/g9V0P9P14519
>Oct 30 21:25:13 nucci MailScanner[14255]: Silent: Delivered 1 messages
>containing silent viruses
>
>->>> Returns to sender notice about e-mail containing a virus
>  
>
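
Added example (not part of the original message, and not MailScanner's own code): a small Python parser for MailScanner syslog records in the form quoted above. It strips the ">" quoting, rejoins records folded by the mail client, and lists each quarantined attachment, flagging those saved under an all-digit name such as "1" (as in tests 3 and 5). The sample log is constructed in the message's format, and the all-digit check is a heuristic assumed here.

```python
import re

TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")   # syslog timestamp
FOUND = re.compile(r"MailScanner\[(\d+)\]: Virus Scanning: (\w+) found \d+ infections")
SAVED = re.compile(r'MailScanner\[(\d+)\]: Saved infected "(.*)" to \S+/(\S+)$')

# Constructed sample in the quoted, folded form (host, PIDs, queue IDs are placeholders).
SAMPLE = """\
>Oct 29 12:26:28 mx MailScanner[101]: Virus Scanning: clamav found 1
>infections
>Oct 29 12:26:28 mx MailScanner[101]: Saved infected "False.zip" to
>/var/spool/MailScanner/quarantine/20021029/QID0001
>
>->>> Returns to sender notice about e-mail containing a virus
>
>Oct 29 12:56:43 mx MailScanner[102]: Virus Scanning: clamav found 1
>infections
>Oct 29 12:56:43 mx MailScanner[102]: Saved infected "1" to
>/var/spool/MailScanner/quarantine/20021029/QID0002
"""

def unwrap(text):
    """Strip '>' quoting and rejoin syslog records folded across lines."""
    records, open_rec = [], False
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()
        if not line:
            open_rec = False              # blank line ends a record
        elif TS.match(line):
            records.append(line)
            open_rec = True
        elif open_rec:
            records[-1] += " " + line     # continuation of a folded record
    return records

def quarantine_report(text):
    """One dict per 'Saved infected' record, tied to the scanner by PID."""
    scanner, report = {}, []
    for rec in unwrap(text):
        if (f := FOUND.search(rec)):
            scanner[f.group(1)] = f.group(2)
        elif (s := SAVED.search(rec)):
            pid, name, queue_id = s.groups()
            # Heuristic (assumption): all-digit name = original name not preserved.
            report.append({"queue_id": queue_id, "scanner": scanner.get(pid),
                           "saved_as": name, "name_replaced": name.isdigit()})
    return report
```

Entries with `name_replaced` set are the ones to check by hand against the message in the quarantine directory.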



