Looking for something else, I ended up on Declude.com web site where I found a virus testing tool. Being curious by nature, I ran all the tests at http://www.declude.com/tools/mailsend.html against my SMTP server using clamd. Here are the results:
Name Test Description
----------------------------------------------------------------------------------------------
eicarplain OK A standard base64 MIME encoded eicar.com file
eicarspacegap FAILED Tests for detection of the 'Space Gap' vulnerability
eicarcr OK Tests for detection of the Outlook 'CR vulnerability'
eicarblankfolding FAILED Tests for detection of Outlook 'Blank Folding' Vulnerability
eicarboundarygap FAILED Tests for detection of Outlook 'Boundary Space Gap' Vulnerability
eicarlongboundary FAILED Tests for detection of Outlook 'Long Boundary' Vulnerability
eicarpartial OK Tests for detection of the Partial (Fragmented) Vulnerability
binary OK Sent using MIME binary encoding
embed OK The eicar.com file embedded within another MIME segment
inline OK Sent as an inline attachment
pegasus OK The eicar.com file sent from Pegasus
rfc822 OK The eicar.com file embeded within an RFC822 message
zip OK The eicar.com file within a standard ZIP file
uu OK A uuencoded version of the eicar.com file
quoted OK The eicar.com file sent with the MIME quoted-printable encoding
mimeuu OK A rare uuencoded file within a MIME segment
binhex FAILED The rarely used BinHex encoding
binhexmime FAILED Even rarer BinHex encoding within a MIME segment
tnef OK Eicar.com file in a Microsoft proprietary TNEF file
noquote OK An eicar.com file in MIME, but without quotes around the filename.
clsid FAILED A file with a CLSID extension (no eicar.com file)
prescan OK In HTML designed for testing pre-scanning
NB: * my server runs Exim 4.22 on FreeBSD 4.6, with exiscan-acl and clamd * OK means that the virus file has been identified by ClamAV * FAILED means that the virus file got though without being detected
Comments:
* ClamAV failed a few times to detect the pseudo-virus Eicar-Test, but most expensive antivirus aren't doing much better when the same tricks are used against them
* on the other hand, it succeeded on most tests representing the great majority of real life situations
I am not a Declude.com vendor nor one of their customers and I prefer staying with ClamAV, although I know it's not perfect. I don't believe in perfect things anyway, just in tending toward perfectness ;-) My purpose for sending these tests results is just to inform ClamAV users and help making it better whenever it's possible.
Lol -- Didier Lebrun Le bourg - 81140 - Vaour (France) tél: 05.63.53.73.41 mailto:[EMAIL PROTECTED] (MIME, ISO latin 1) http://didier.quartier-rural.org/
------------------------------------------------------- This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven. http://thinkgeek.com/sf _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
