Not detecting some instances of viruses

Jon Bates jon.bates at summitmotors.com.au
Mon Nov 6 06:10:30 GMT 2006


Reni Berber wrote:

> Could be any of:
> 1. Timing.  A virus signature that was just added to the DB.
> 2. Rules.  If you have rules specifying what is virus scanned.
> 3. Size.  Limits in MS configuration and also in the program/module doing the scanning.
> 4. Scan Parameters.  clamscan has default parameters that are a little different than the perl module; for instance a corrupt executable is detected by clamscan but I'm not sure if the module does detect it.
> 5. Encoding.  There is a parameter in MS about scanning uuencoded parts, I'm not sure if this affects virus scanning.
>
> What does the log show? (does it say scanning for viruses ... clean ?)
> -- 
> Reni Berber


First of all, thanks to those others who replied to my initial email - I
think I've found a resolution (see below).

Martin,

Yes, I quarantine a copy of every email that comes through, this helped me
diagnose the issue - Thanks!

Reni,

1. Timing - I think this is the cause of the issue; attempts to release the
email from the quarantine showed that the infected email was being caught
straight away! This would lead me to believe that ClamAV simply didn't know
about the type of virus when the initial copy of it came through. I didn't
realise previously, but they weren't all exactly the same virus. They were
the same subject and size, but different variants of the same virus kept
coming through! (Worm.Stration.XX - in case you're interested!)
I haven't got the log from when it came through initially, but I assume that
it would have been scanned and deemed "clean" as I haven't seen any other
errors in there at all that would lead to some sort of scanning error.

Luckily my spam countermeasures are trained pretty well so nearly all
instances of the virus were actually quarantined as spam, and the rest under
content filtering (no exe files allowed). The only users who actually
received the virus were power users who are allowed to receive executable
files - Luckily they were smart enough not to be tempted to "increase the
size of their wang" by opening an exe file - lol

---- I checked your other points anyway:

2. Rules - I'm not running a ruleset on "Virus Scanning". I AM running a
ruleset on Dangerous Content Scanning, but as I understand it, this doesn't
exclude Virus Scanning for its matches anyway. I can't see any other
rulesets that could cause this behaviour.

3. Size - The emails are all roughly 30kb in size.

4. Scan Parameters - Is there a way that you know of that I can test
scanning mbox files with the perl module instead? Sorry, I'm relatively new
to Linux so I didn't bother with this one :P

5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes
to be safe.

