Viruses apparently getting through

Glenn Steen glenn.steen at GMAIL.COM
Sun Dec 4 09:23:24 GMT 2005



On 04/12/05, Gib Gilbertson Jr. <gib at tmisnet.com> wrote:
> At 05:43 PM 3/12/2005, you wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Where is your copy of ClamAV installed? The location must be correct in
> >/etc/MailScanner/virus.scanners.conf.
> >If "which clamscan" produces /usr/local/bin/clamscan, then the entry in
> >virus.scanners.conf should be "/usr/local", if it produces
> >/usr/bin/clamscan, then it should be "/usr".
> >
> >What does your maillog say? That should give some indication of what
> >it's finding.
>
> One thing I'm wondering about is why MailScanner isn't rejecting the
> file based on the file extension since it's set to deny in the
> filename.rules.conf file.
>
> deny    \.zm9$
>

Are you positive that that is really what it's named when MS/Clamav
sees it? Might be Zone Alarm fiddling with the name...

About the virus name... What one AV calls a virus rarely maps exactly
to what anyone else is calling it. For all we know, ZA might call
Sober.U (clamav) for Sober.W (compare with for example f-secure, which
calls it Sober.Y ... still the same thing though). So that isn't much
of an indicator, unfortunately.
Are the archives really valid? Unpackable? If you unpack one of them,
and run Clamav on the unpacked content, is it detected then?

I see you run FreeBSD, but seem to only run clamav... Consider adding
BitDefender too, and see what that gives on the specific troublesome
mails (http://wiki.mailscanner.info/doku.php?id=documentation:anti_virus:bitdefender:install#installing_on_freebsd)...
Unless you already have it, but haven't told us about that:-).

--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
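
One way to check what attachment names a message actually declares before blaming the filename rule, as an added example that is not part of the original post and not MailScanner's own code: it lists every name found in the Content-Disposition and Content-Type headers and tests each against the `\.zm9$` pattern quoted above. The sample message, addresses and function names are constructed for illustration, and MailScanner's own matching options are not reproduced.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Pattern quoted in the thread (filename.rules.conf: deny \.zm9$).
DENY = re.compile(r"\.zm9$")

# Constructed sample message, not taken from the thread.
SAMPLE = """\
From: sender@example.com
To: rcpt@example.com
Subject: constructed test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

body
--b1
Content-Type: application/octet-stream; name="report.zm9"
Content-Disposition: attachment; filename="report.zm9"

QUJD
--b1
Content-Type: application/octet-stream; name="report.zm9.txt"
Content-Disposition: attachment; filename="report.zm9.txt"

QUJD
--b1--
"""

def attachment_names(raw):
    """Return each distinct name declared by any MIME part, in order."""
    names = []
    for part in message_from_string(raw).walk():
        for header, param in (("Content-Disposition", "filename"),
                              ("Content-Type", "name")):
            value = part.get_param(param, header=header)
            if value is not None:
                name = collapse_rfc2231_value(value).strip()
                if name not in names:
                    names.append(name)
    return names

def check_rule(raw, rule=DENY):
    """Pair every declared name with whether the deny pattern matches it."""
    return [(n, bool(rule.search(n))) for n in attachment_names(raw)]

if __name__ == "__main__":
    for name, hit in check_rule(SAMPLE):
        print(f"{name!r}: {'deny' if hit else 'no match'}")
```

A name that has been altered in transit, like the second constructed attachment, no longer ends in `.zm9` and so falls through the `$`-anchored rule.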
