Not detecting some instances of viruses

Scott Silva ssilva at
Mon Nov 6 18:55:59 GMT 2006

Jon Bates spake the following on 11/5/2006 10:10 PM:
> Reni Berber wrote:
>> Could be any of:
>> 1. Timing.  A virus signature that was just added to the DB.
>> 2. Rules.  If you have rules specifying what is virus scanned.
>> 3. Size.  Limits in MS configuration and also in the program/module doing
>> the scanning.
>> 4. Scan Parameters.  clamscan has default parameters that are a little
>> different from the perl module; for instance, a corrupt executable is
>> detected by clamscan, but I'm not sure if the module does detect it.
>> 5. Encoding.  There is a parameter in MS about scanning uuencoded parts;
>> I'm not sure if this affects virus scanning.
>> What does the log show? (does it say scanning for viruses ... clean ?)
>> -- 
>> Reni Berber
> First of all, thanks to those others who replied to my initial email - I
> think I've found a resolution (see below).
> Martin,
> Yes, I quarantine a copy of every email that comes through; this helped me
> diagnose the issue - Thanks!
> Reni,
> 1. Timing - I think this is the cause of the issue; attempts to release the
> email from the quarantine showed that the infected email was being caught
> straight away! This would lead me to believe that ClamAV simply didn't know
> about the type of virus when the initial copy of it came through. I didn't
> realise previously, but they weren't all exactly the same virus. They were
> the same subject and size, but different variants of the same virus kept
> coming through! (Worm.Stration.XX - in case you're interested!)
> I haven't got the log from when it came through initially, but I assume that
> it would have been scanned and deemed "clean" as I haven't seen any other
> errors in there at all that would lead to some sort of scanning error.
> Luckily my spam countermeasures are trained pretty well so nearly all
> instances of the virus were actually quarantined as spam, and the rest under
> content filtering (no exe files allowed). The only users who actually
> received the virus were power users who are allowed to receive executable
> files - Luckily they were smart enough not to be tempted to "increase the
> size of their wang" by opening an exe file - lol
> ---- I checked your other points anyway:
> 2. Rules - I'm not running a ruleset on "Virus Scanning".. I AM running a
> ruleset on Dangerous Content Scanning, but as I understand it, this doesn't
> exclude Virus scanning for its matches anyway. I can't see any other
> rulesets that could cause this behaviour.
> 3. Size - The emails are all roughly 30kb in size.
> 4. Scan Parameters - Is there a way that you know of that I can test
> scanning mbox files with the perl module instead? Sorry I'm relatively new
> to linux so I didn't bother with this one :P
> 5. Encoding - Find UU-Encoded Files was set to NO. Have changed this to yes
> to be safe.
I have caught most 0day strains of Worm.Stration.XX with filetype checks when
the signatures were behind. If you don't allow unzipped executables, you will
catch many 0day baddies.


MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
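The point above is that a content-based filetype check needs no signature: a Windows executable announces itself with an "MZ" header whatever its filename says, so a fresh worm variant is blocked before ClamAV has a signature for it. MailScanner does this with the file(1) command and filetype.rules.conf; the script below is an added, stand-alone illustration of the same idea in Python, not MailScanner's own code. It walks a MIME message, flags any part whose decoded bytes start with an MZ header (catching a renamed ".jpg"), and looks inside zip attachments for executable or encrypted members, which is the case where extension-based "no exe files allowed" filtering lets a payload through. The sample message, the attachment names and the MAX_ZIP_MEMBERS cap are constructed for the example.

```python
"""Added example, not MailScanner code: signature-less executable detection
by magic bytes, including inside zip attachments."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Magic bytes are checked on content, so a renamed ".jpg" is still caught.
MZ_MAGIC = b"MZ"           # DOS/PE executable header
ZIP_MAGIC = b"PK\x03\x04"  # zip local-file header
MAX_ZIP_MEMBERS = 100      # assumed cap so a member-list bomb cannot stall the scan


def is_executable(data: bytes) -> bool:
    """True if the bytes start like a DOS/Windows executable."""
    return data[:2] == MZ_MAGIC


def zip_findings(data: bytes) -> list[str]:
    """Reasons to block a zip: executable members, or members we cannot inspect."""
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist()[:MAX_ZIP_MEMBERS]:
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # encrypted member: uninspectable, so flag it
                reasons.append(f"encrypted member {info.filename!r}")
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == MZ_MAGIC:
                reasons.append(f"member {info.filename!r} is an executable")
    return reasons


def scan_message(raw: bytes) -> list[str]:
    """Return 'attachment: reason' strings for every part that should be blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64/quoted-printable
        if not payload:
            continue
        name = part.get_filename() or "(inline body)"
        if is_executable(payload):
            findings.append(f"{name}: executable content (MZ header)")
        elif payload.startswith(ZIP_MAGIC):
            try:
                reasons = zip_findings(payload)
            except zipfile.BadZipFile:
                reasons = ["corrupt or truncated zip, cannot inspect"]
            findings.extend(f"{name}: {r}" for r in reasons)
    return findings


def build_sample() -> bytes:
    """Constructed test message (not a real capture): a renamed executable, a
    zip containing an executable, and a harmless text attachment."""
    fake_exe = MZ_MAGIC + b"\x90" * 62  # constructed stub: MZ header only, not a real PE
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("update.exe", fake_exe)
        zf.writestr("readme.txt", "nothing to see here")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(fake_exe, maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="archive.zip")
    msg.add_attachment("just notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for line in scan_message(build_sample()):
        print(line)
```

Run stand-alone it reports the renamed "photo.jpg" and the "update.exe" inside "archive.zip" and says nothing about the text attachment. Encrypted zip members are reported rather than silently skipped, since an archive the scanner cannot open is exactly what a malware author sends next; a real deployment would also want to cap total decompressed size, not just the member count.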

More information about the MailScanner mailing list