Not detecting some instances of viruses
Scott Silva
ssilva at sgvwater.com
Mon Nov 6 18:55:59 GMT 2006
Jon Bates spake the following on 11/5/2006 10:10 PM:
> Reni Berber Wrote:
>
>> Could be any of:
>
>> 1. Timing. A virus signature that was just added to the DB.
>
>> 2. Rules. If you have rules specifying what is virus scanned.
>
>> 3. Size. Limits in MS configuration and also in the program/module doing the
>> scanning.
>
>> 4. Scan Parameters. clamscan has default parameters that are a little different
>> than the perl module, for instance corrupt executable is detected by clamscan
>> but I'm not sure if the module does detect it.
>
>> 5. Encoding. There is a parameter in MS about scanning uuencoded parts, I'm not
>> sure if this affects virus scanning.
>
>> What does the log show? (does it say scanning for viruses ... clean ?)
>> --
>> Reni Berber
>
>
> First of all, thanks to those others who replied to my initial email - I
> think I've found a resolution (see below).
>
> Martin,
>
> Yes, I quarantine a copy of every email that comes through, this helped me
> diagnose the issue - Thanks!
>
> Reni,
>
> 1. Timing - I think this is the cause of the issue; attempts to release the
> email from the quarantine showed that the infected email was being caught
> straight away! This would lead me to believe that ClamAV simply didn't know
> about the type of virus when the initial copy of it came through. I didn't
> realise previously, but they weren't all exactly the same virus. They were
> the same subject and size, but different variants of the same virus kept
> coming through! (Worm.Stration.XX - in case you're interested!)
> I haven't got the log from when it came through initially, but I assume that
> it would have been scanned and deemed "clean" as I haven't seen any other
> errors in there at all that would lead to some sort of scanning error.
>
> Luckily my spam countermeasures are trained pretty well so nearly all
> instances of the virus were actually quarantined as spam, and the rest under
> content filtering (no exe files allowed). The only users who actually
> received the virus were power users who are allowed to receive executable
> files - Luckily they were smart enough not to be tempted to "increase the
> size of their wang" by opening an exe file - lol
>
> ---- I checked your other points anyway:
>
> 2. Rules - I'm not running a ruleset on "Virus Scanning". I AM running a
> ruleset on Dangerous Content Scanning, but as I understand that this doesn't
> exclude Virus scanning for its matches anyway. I can't see any other
> rulesets that could cause this behaviour.
>
> 3. Size - The emails are all roughly 30kb in size.
>
> 4. Scan Parameters - Is there a way that you know of that I can test
> scanning mbox files with the perl module instead? Sorry I'm relatively new
> to linux so I didn't bother with this one :P
>
> 5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes
> to be safe.
>
>
>
I have caught most 0day strains of Worm.Stration.XX with filetype checks when
the signatures were behind. If you don't allow unzipped executables you will
catch many 0day baddies.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
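The filetype check Scott describes (refusing executables by what the bytes are, not by what the filename or signature database says) and Jon's question about scanning mbox files are illustrated by the following added example. It is not MailScanner's code or ClamAV's; it is a standalone Python script that walks a MIME message, decodes each attachment, flags parts whose content starts with a PE or ELF header regardless of their declared name, and descends into zip archives so a zipped executable is also caught. The sample message, the "MZ" stub bytes and the `scan_mbox` helper are constructed here for illustration; the only assumptions are the Python standard library and a magic-byte list limited to the two executable formats shown.

```python
"""Flag executable attachments by content rather than by declared filename.

Constructed example: builds a MIME message with (a) a part named photo.jpg whose
bytes begin with the DOS/PE 'MZ' header and (b) a zip archive containing setup.exe,
then shows both being flagged. Nothing here is a real program; the 'executable'
is a header stub only.
"""
import io
import mailbox
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from typing import List, Optional, Tuple

# Minimal magic-byte table (constructed for this example); extend as needed.
EXECUTABLE_MAGIC = {
    b"MZ": "DOS/Windows PE executable",
    b"\x7fELF": "ELF executable",
}
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER_BYTES = 10_000_000  # cap on declared member size, a cheap decompression-bomb guard


def classify_bytes(data: bytes) -> Optional[str]:
    """Return a description if the content looks like an executable, else None."""
    for magic, desc in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return desc
    return None


def find_executables(data: bytes, name: str, depth: int = 0,
                     max_depth: int = 2) -> List[Tuple[str, str]]:
    """Return (path, description) pairs for executables in data, descending into zips."""
    hits = []
    desc = classify_bytes(data)
    if desc:
        hits.append((name, desc))
    # Look inside zip archives too, so a zipped .exe does not slip past the check.
    if depth < max_depth and data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                        continue
                    member = zf.read(info)
                    hits.extend(find_executables(member, f"{name}/{info.filename}",
                                                 depth + 1, max_depth))
        except zipfile.BadZipFile:
            pass  # corrupt or fake archive: nothing to descend into
    return hits


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Decode every non-multipart MIME part of a raw message and check its bytes."""
    msg = message_from_bytes(raw, policy=default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if not payload:
            continue
        name = part.get_filename() or f"<{part.get_content_type()}>"
        hits.extend(find_executables(payload, name))
    return hits


def scan_mbox(path: str) -> dict:
    """Run scan_message over every message in an mbox file (hypothetical helper)."""
    box = mailbox.mbox(path)
    return {key: scan_message(box.get_bytes(key)) for key in box.keys()}


def build_sample_message() -> bytes:
    """Constructed sample: a fake PE disguised as .jpg, plus a zip holding a .exe."""
    fake_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32  # header stub only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", fake_pe)
        zf.writestr("readme.txt", "nothing to see")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("See attached.")
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, desc in scan_message(build_sample_message()):
        print(f"flagged: {path} ({desc})")
```

The check keys on content, so renaming a payload to .jpg or declaring it image/jpeg changes nothing, which is why it holds up on the day a new variant arrives before its signature does. The zip descent is bounded by depth and by declared member size; a production filter would add similar caps for nested archives of other formats.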