Clam testing

[Rick Cooper]

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of Neil Wilson
 > Sent: Tuesday, June 12, 2007 6:14 AM
 > To: MailScanner discussion
 > Subject: Clam testing
 > 
 > After reading a few of the posts on the list this morning, I 
 > decided to try and send a few tests through my clamav, clamd 
 > and clamavmodule system, and neither of them pick up a few 
 > of the tests listed at http://www.declude.com/Articles.asp?ID=99
 > 
 > Of course I had to allow MailScanner to accept executable 
 > files first, but once I'd done this, I received quite a few 
 > of the eicar.com files in my mailbox that the site mentions 
 > as critical to block.
 > 
 > For example:
 > 
 > eicarspacegap "Tests for detection of the 'Space Gap' 
 > vulnerability (all mailserver AV programs need to catch this)."
 > 
 > All of them pick up the "eicarplain" one though.
 > 
 > Does everyone get the same behaviour, or should clam be 
 > blocking these?
 > 

That site is a fun test, however be assured the tests are all designed to
allow their virus/mime scanner to catch them. Some of these tests are tests
of MIME problems that would allow the virus through in a state that would
render it useless anyway. I have found in the past that all the virus
scanner allow some of the tests through, but none of them clear Exim without
my placing a full pass for the declude host/domain. Oddly enough there is
one test (I can't remember which) that clam catches from exim that it
doesn't from mailscanner.

Remember that web site is selling something

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.