Virus being missed. (assumed)

David Curtis DCurtis at SBSCHOOLS.NET
Fri Mar 4 20:07:15 GMT 2005



I piped it through an online scanner and it caught it. Clam does not
catch it yet.

>>> mkettler at EVI-INC.COM 03/04 2:33 PM >>>
At 01:30 PM 3/4/2005, David Curtis wrote:
>I think I have a virus that is being missed by mailscanner/clamav.
>Mailscanner tags it as spam: X-SBSD-MailScanner-SpamCheck: spam,
>SpamAssassin (score=7.065, required 3.75,
>  BAYES_60 0.37, DCC_CHECK 2.17, HTML_90_100 0.02, HTML_MESSAGE 0.00,
>  HTML_SHORT_LENGTH 0.39, MIME_HTML_ONLY 0.18, MISSING_SUBJECT 1.23,
>  MSGID_SPAM_LETTERS 2.71)
>
>The attachment has a rar file seems to be a randomly generated number with
>a file dddd.exe in it.

Do you have the external unrar utility installed? (note: the latest version
of rar costs, but there is a freeware command-line unrar for *nix)

See:
http://www.rarlab.com/rar_add.htm


ClamAV's built-in rar support doesn't support the newer rar3 format, so you
need to install the external unrar utility and then edit
/usr/lib/MailScanner/clamav-wrapper to enable the --unrar parameter.

You can use this site to send a rared eicar file. It wasn't caught by
clamav until I added external unrar support.

http://www.info-techs.com/eicar.shtml

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
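
An added example, not part of the original thread and not MailScanner or ClamAV code: a triage script that reads the headers of a RAR attachment and reports whether any member needs the RAR 3.x unpacker, the format the reply above says ClamAV's built-in RAR support could not open. It assumes the RAR 1.5 to 4.x header layout, in which UNP_VER 29 marks RAR 3.x compression; the function names and the sample archive are constructed for illustration.

```python
import struct
import sys

RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # marker block, RAR 1.5 to 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5 uses a different layout
FILE_HEAD, LONG_BLOCK, LARGE_FILE = 0x74, 0x8000, 0x0100


def rar_members(data):
    """Return [(name, unp_ver)] for every file header in a RAR 1.5-4.x archive."""
    if data.startswith(RAR5_MAGIC):
        raise ValueError("RAR5 archive, not covered here")
    if not data.startswith(RAR4_MAGIC):
        raise ValueError("not a RAR archive")
    members, pos = [], len(RAR4_MAGIC)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            break  # corrupt header: stop instead of looping forever
        add_size = 0
        if (htype == FILE_HEAD or flags & LONG_BLOCK) and pos + 11 <= len(data):
            add_size = struct.unpack_from("<I", data, pos + 7)[0]  # packed data size
        if htype == FILE_HEAD and pos + 32 <= len(data):
            unp_ver = data[pos + 24]  # 10*major + minor needed to extract
            name_len = struct.unpack_from("<H", data, pos + 26)[0]
            start = pos + 32 + (8 if flags & LARGE_FILE else 0)
            members.append((data[start:start + name_len].decode("latin-1"), unp_ver))
        pos += hsize + add_size
    return members


def needs_external_unrar(data):
    """True when any member requires the RAR 3.x unpacker (UNP_VER >= 29)."""
    return any(ver >= 29 for _name, ver in rar_members(data))


def build_sample(unp_ver, name=b"dddd.exe"):
    """Constructed sample: headers only, CRCs zeroed, no packed payload."""
    main = struct.pack("<HBHHHI", 0, 0x73, 0, 13, 0, 0)
    head = struct.pack("<HBHHIIBIIBBHI", 0, FILE_HEAD, LONG_BLOCK, 32 + len(name),
                       0, 0, 2, 0, 0, unp_ver, 0x30, len(name), 0x20)
    return RAR4_MAGIC + main + head + name


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(29)
    for member, ver in rar_members(blob):
        print(f"{member}: UNP_VER={ver}")
    print("external unrar needed:", needs_external_unrar(blob))
```

Run against a quarantined attachment, it shows whether a missed detection is explained by the archive format rather than by a missing signature.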
