Which AV is right :) ?
Jay Ehrhart
yoloits at ycoe.org
Thu Aug 12 17:44:48 IST 2004
<x-html>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1458" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV>I have found just the opposite. I run ClamAV and F-Prot; both check
for updates every hour. ClamAV frequently finds viruses that F-Prot hasn't
been updated to see. For example:</DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>MessageID: i79K0kEA006340<BR>
Report: ClamAV: price_new.zip contains Trojan.JS.RunMe
<BR> ClamAV:
price.exe contains Worm.Bagle.AI
<BR>
MailScanner: Executable DOS/Windows programs are dangerous in email
(price.exe)<BR>
ClamAV: price.html contains Trojan.JS.RunMe <BR> Report:
ClamAV: price.exe contains Worm.Bagle.AI
<BR>
MailScanner: Executable DOS/Windows programs are dangerous in email
(price.exe)<BR> Report: ClamAV: price.html contains
Trojan.JS.RunMe </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>And</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>MessageID: i7CFYJdv011960<BR>
Report: MailScanner: Message contained password-protected
archive<BR>
ClamAV: text_document.zip contains Worm.Bagle.Gen-zippwd </FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>This is what it looks like when both catch a
virus:</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>MessageID: i7BFvmfe013859<BR>
Report: F-Prot:
/var/spool/MailScanner/incoming/5595/i7BFvmfe013859/your_picture.pif
Infection: W32/Netsky.D@mm<BR>
ClamAV: your_picture.pif contains Worm.SomeFool.Gen-1
<BR>
MailScanner: Shortcuts to MS-Dos programs are very dangerous in email
(your_picture.pif)<BR></FONT></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>----- Original Message -----
<DIV>From: "Christiaan den Besten" <<A
href="mailto:chris at scorpion.nl">chris at scorpion.nl</A>></DIV>
<DIV>To: <<A
href="mailto:MAILSCANNER at JISCMAIL.AC.UK">MAILSCANNER at JISCMAIL.AC.UK</A>></DIV>
<DIV>Sent: Thursday, August 12, 2004 5:16 AM</DIV>
<DIV>Subject: Which AV is right :) ?</DIV></DIV>
<DIV><BR></DIV>> Hi !<BR>> <BR>> Just completed a small test to see if
F-Prot finds viruses Clam passed as<BR>> virusfree ..... and yes .. it
did.<BR>> <BR>> But: I am not yet convinced if F-Prot is doing the 'Right
thing TM :)"<BR>> <BR>> Scenario:<BR>>
- 1. An email containing a virus as
an attachment is sent to a<BR>> foreign mailserver.<BR>>
- 2. Foreign mailserver bounces the
message attaching the complete<BR>> message in mbox format in the message
body.<BR>> - 3. Clam scans the
messages -> No virus found<BR>>
- 4. F-Prot scans the message -> Zafi.B found ....<BR>> <BR>> - The
actual virus is in the mbox formatted body ... this is not executable<BR>> by
a normal user if he/she receives it ?<BR>> - "Clamscan --mbox [body of msg]"
does find the Zafi.B virus.<BR>> <BR>> Should MailScanner do a double
check ?.. one with and one without the mbox<BR>> parameter, or is F-Prot just
too paranoid ?<BR>> <BR>> Which is right ?<BR>> <BR>> bye,<BR>>
Chrs<BR>> <BR>> ------------------------ MailScanner list
------------------------<BR>> To unsubscribe, email <A
href="mailto:jiscmail at jiscmail.ac.uk">jiscmail at jiscmail.ac.uk</A> with the
words:<BR>> 'leave mailscanner' in the body of the email.<BR>> Before
posting, read the MAQ (<A
href="http://www.mailscanner.biz/maq/">http://www.mailscanner.biz/maq/</A>)
and<BR>> the archives (<A
href="http://www.jiscmail.ac.uk/lists/mailscanner.html">http://www.jiscmail.ac.uk/lists/mailscanner.html</A>).</BODY></HTML>
</x-html>
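The scenario in the quoted message, as an added example that is not part of the original thread and is not MailScanner, ClamAV or F-Prot code: a bounce carries the original message in mbox format inside its plain-text body, so a plain MIME walk sees no attachment, while treating the body as mbox exposes it for scanning. The addresses, the file name `sample.bin`, the placeholder payload and all function names are constructed for illustration.

```python
import base64
import email
import re
from email import policy

# Constructed sample: the original message as an mbox entry, with a harmless
# placeholder attachment (no real malware involved).
PAYLOAD = b"harmless placeholder bytes"
ORIGINAL = (
    "From sender@example.org Thu Aug 12 10:00:00 2004\n"
    "From: sender@example.org\nSubject: price\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nsee attachment\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="sample.bin"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(PAYLOAD).decode() + "\n--b1--\n"
)
# Constructed bounce: the mbox entry sits in the plain-text body.
BOUNCE = (
    "From: MAILER-DAEMON@example.net\nSubject: Undelivered mail\n"
    "Content-Type: text/plain\n\n"
    "Delivery failed. Original message follows.\n\n" + ORIGINAL
)

# An mbox entry starts with a "From <sender> <date>" separator line.
MBOX_FROM = re.compile(r"^From \S+ .*\d{4}$", re.MULTILINE)

def attachments(msg):
    """(filename, bytes) pairs a plain MIME walk of msg can see."""
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.walk() if p.get_filename()]

def embedded_attachments(msg):
    """Attachments of mbox-format messages carried inside text bodies."""
    found = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain" or part.get_filename():
            continue
        text = part.get_content()
        starts = [m.start() for m in MBOX_FROM.finditer(text)]
        for begin, end in zip(starts, starts[1:] + [len(text)]):
            inner = text[begin:end].split("\n", 1)[1]  # drop "From " line
            found += attachments(
                email.message_from_string(inner, policy=policy.default))
    return found

def scan(raw):
    """Return (top-level attachments, attachments found only via mbox parse)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return attachments(msg), embedded_attachments(msg)
```

Calling `scan(BOUNCE)` returns an empty list for the top-level walk and the `sample.bin` entry for the mbox pass, which is the difference between the two scan results reported in the thread.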