On Tue, 07 Oct 2003 at 11:22:01 -0400, Adam Williams wrote:

> > > I have a samba fileserver, and I run clamscan every night as a cron job,
> > > moving infected files to a quarantine directory (to help prevent any
> > > virii that have made it in from spreading).
> > > The next morning I look in quarantine and see some files. So I
> > > disinfect them from a Win32PC with either McAfee or Solo, rescan them
> > > and it says they are clean. Then I attempt to e-mail them back to their
> > > owners, but clamav-milter rejects them as infected.
> > > If I check them with clamscan it says they are still infected, if I
> > > check them with Solo or McAfee both applications say they are clean.
> > > clamav-milter and clamscan are running on the same host (file server &
> > > mail relay).
> > > This seems really conflicted. Who is at fault? CLAM or both Solo &
> > > McAfee?
> >
> > Both reasons are possible:
> > 1) ClamAV's signature may be not optimal, causing false positives, or
> > 2) AV scanners used for disinfecting may not clean infections
> > completely, leaving some fragment of virus in the cleaned file and
> > clamscan finds them still.
> > Anyway, you are encouraged to submit such samples (with a description
> > of the problem!) to the database developers in the usual way, i.e. by
> > http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi
>
> Done. It said it accepted submission #609. Is there any mechanism for
> tracking what becomes of or is determined about a submission?

Yes, observing the clamav-virusdb mailing list.
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/clamav-virusdb>,
    <mailto:[EMAIL PROTECTED]>

> > Oh, one more general remark:
> > before submitting a sample please verify it using "clamav online
> > specimen scanner" at http://www.gietl.com/test-clamav/ .
>
> Done, that site recognized the "cleaned" file as still infected.
>
> > Though you (Adam) may already know it, I'm writing about it as general
> > advice - because we sometimes (too frequently) receive samples of
> > viruses which are already detected by ClamAV, but are thought by senders
> > as unknown - seemingly people don't check them, but only judge from a
> > virus name or what...
>
> Right, the problem is it detects a virus that supposedly isn't there any
> longer.

I've just removed this improper signature (W97/Marker) from the database
(it was in viruses.db2 file).
Thank you, Adam, for the report and the sample.

BTW, folks, there's a new virus in the wild since today (oh, already
yesterday): Trojan.IRCBot.M (alias W32.IRCBot.B, Win32.SdBot.18976,
Backdoor.IRCBot.gen etc.). We have received several submissions with it.
So please update your databases.
And you need not submit next samples :-), we have enough of them :-).

--
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users