tons of infected files getting though???

Desai, Jason jase at SENSIS.COM
Tue Jan 27 19:26:57 GMT 2004


I've noticed that ClamAV has not been finding SCO.A when they are inside of
a mail delivery failure message.  McAfee however does find it (calling it
Mydoom).

I can take the email and scan it with ClamAV, but it will not find anything.
But if I decode the attachment and scan it with ClamAV, ClamAV will find
SCO.A.

Could it be that the ones that are getting through are delivery failure
notifications?  I don't know if it's a bug in ClamAV or if it could be fixed
with updating the virus definitions, but I don't think it's a MailScanner
bug.

Jason

> -----Original Message-----
> From: Chris Yuzik [mailto:chris at FRACTALWEB.COM]
> Sent: Tuesday, January 27, 2004 2:23 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: [MAILSCANNER] tons of infected files getting though???
>
>
> Hi everyone,
>
> I was having a hard look through my logs and such and also looking
> through MailWatch. I see quite a few emails that definitely contain the
> virus that were only tagged as spam. I can see nothing in
> /var/log/maillog that indicates why this message would not have been
> marked as infected. I've even forwarded a couple of them to myself and
> there's no doubt about it...it's the SCO.A or Navarg or whatever. If I
> save the attachment, then scp it to my mailserver and run clamscan on
> it, everything works great and ClamAV correctly identifies the virus.
>
> For yesterday alone, my system saw 106 messages that it found infected
> with the virus, and an additional 80 that slipped by. WTF???
>
> Is it possible that MailScanner isn't getting clamav to scan all the
> attachments? How do I go about troubleshooting this? Urgent help would
> be appreciated.
>
> Cheers,
> Chris
>
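
One way to troubleshoot the behaviour described in this thread (an added example, not code from either poster or from MailScanner or ClamAV): walk a message down through any embedded message/rfc822 part and pull out each decoded leaf part, so that each can be scanned on its own and compared with the result for the whole mail. The sample bounce, its addresses and its harmless payload are constructed, and it assumes the failure notice carries the original mail as a message/rfc822 part.

```python
import email, hashlib
from email import policy
from email.message import EmailMessage

def build_sample_bounce() -> bytes:
    """Constructed sample: a delivery failure notice wrapping the original mail."""
    original = EmailMessage()
    original["From"] = "sender@example.com"
    original["To"] = "nobody@example.org"
    original["Subject"] = "hi"
    original.set_content("see attachment")
    original.add_attachment(b"CONSTRUCTED-HARMLESS-PAYLOAD", maintype="application",
                            subtype="octet-stream", filename="document.zip")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.org"
    bounce["To"] = "sender@example.com"
    bounce["Subject"] = "Mail delivery failed"
    bounce.set_content("Your message could not be delivered.")
    bounce.add_attachment(original)  # becomes an embedded message/rfc822 part
    return bounce.as_bytes()

def extract_leaf_parts(raw: bytes):
    """Return (path, content_type, filename, decoded_bytes) for every leaf part."""
    found = []
    def visit(part, path):
        # is_multipart() is true for multipart/* and for a parsed message/rfc822
        if part.is_multipart():
            for i, child in enumerate(part.get_payload(), 1):
                visit(child, f"{path}.{i}")
        else:
            # decode=True undoes base64 / quoted-printable transfer encoding
            data = part.get_payload(decode=True) or b""
            found.append((path, part.get_content_type(), part.get_filename(), data))
    visit(email.message_from_bytes(raw, policy=policy.default), "1")
    return found

if __name__ == "__main__":
    for path, ctype, name, data in extract_leaf_parts(build_sample_bounce()):
        digest = hashlib.sha256(data).hexdigest()[:16]
        print(f"{path:<8} {ctype:<26} {name or '-':<14} {len(data):>5}  {digest}")
```

Writing each returned part to its own file and running clamscan on those files and on the raw message shows at which nesting level detection stops.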


