Not detecting some instances of viruses

[René Berber]

Jon Bates wrote:

> I'm having trouble whereby only SOME instances of the same virus are being
> identified by ClamAV.
> 
> The virus is exactly the same type every time, but only some get detected -
> the rest are sent on to the user!
> 
> There is no pattern that I can see - Zip files (containing infected exe),
> and plain exe files have been allowed through.
> 
> I've subsequently scanned the users mailbox on the server using clamscan,
> and it DOES detect the email! For some reason, when it is scanned when the
> message is received, it's not detected. 

Could be any of:

1. Timing.  A virus signature that was just added to the DB.

2. Rules.  If you have rules specifying what is virus scanned.

3. Size.  Limits in MS configuration and also in the program/module doing the
scanning.

4. Scan Parameters.  clamscan has default parameters that are a little different
that the perl module, for instance corrupt executable is detected by clamscan
but I'm not sure if the module does detect it.

5. Encoding.  There is a parameter in MS about scanning uuencoded parts, I'm not
sure if this affects virus scanning.

What does the log show? (does it say scanning for viruses ... clean ?)
-- 
René Berber