I am running ClamAV and McAfee from MailScanner and lately I noticed
that McAfee seems to intercept quite a number of viruses that ClamAV
didn't detect. Freshclam has run, virus definitions seem to be up-to-date.
Further investigation shows that it is always the Mimail.c virus:

----- Forwarded message from MailScanner <[EMAIL PROTECTED]> -----

Date: Mon, 3 Nov 2003 11:12:03 +0100
From: "MailScanner" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Warning: E-mail viruses detected

The following e-mail messages were found to have viruses in them:

    Sender: [EMAIL PROTECTED]
IP Address: 217.153.125.194
 Recipient: [EMAIL PROTECTED]
   Subject: Re[2]: our private photos                 yahysaps
 MessageID: hA3ABmS12759
    Report: McAfee: /hA3ABmS12759/photos.zip        Found the W32/[EMAIL PROTECTED] virus !!!


-- 
MailScanner
Email Virus Scanner
www.mailscanner.info

----- End forwarded message -----

Now the weird stuff: MailScanner has quarantined this file, so I scanned
it by hand:
bash-2.05# clamscan /var/spool/MailScanner/quarantine/20031103/hA3ABmS12759/photos.zip
/var/spool/MailScanner/quarantine/20031103/hA3ABmS12759/photos.zip: File size limit exceeded.
/var/spool/MailScanner/quarantine/20031103/hA3ABmS12759/photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9915
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 0.01 MB
I/O buffer size: 131072 bytes
Time: 0.231 sec (0 m 0 s)

So, ClamAV does detect this virus. My guess is the 'File size limit
exceeded' message is taken as an error by MailScanner which then ignores
the results. I don't know which file size limit is meant here; both 
StreamMaxLength and ArchiveMaxFileSize are set to 10M, much bigger than
the infected file (which is only 12958 bytes).

I'm running ClamAV 20030829. Will upgrading to the latest snapshot solve
this problem?

David Jansen
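
An added example, not part of the original post and not MailScanner's own code: one way a wrapper could parse clamscan output like the session above so that a FOUND line is kept even when a limit message for the same file is printed first. The function names, the sample lines and the policy of treating any non-verdict message as "incomplete" are assumptions made for illustration.

```python
# Verdict precedence: a later, stronger result for the same file wins.
RANK = {"clean": 0, "incomplete": 1, "infected": 2}

# Constructed sample, modelled on the clamscan session quoted in the post.
SAMPLE = """\
/q/hA3ABmS12759/photos.zip: File size limit exceeded.
/q/hA3ABmS12759/photos.zip: Worm.Mimail.C FOUND
/q/hA3ABmS12760/notes.txt: OK
/q/hA3ABmS12761/big.zip: File size limit exceeded.

----------- SCAN SUMMARY -----------
Known viruses: 9915
Infected files: 1
"""


def classify(message):
    """Map the text after 'path: ' to (status, detail)."""
    if message.endswith(" FOUND"):
        return "infected", message[: -len(" FOUND")]
    if message == "OK":
        return "clean", None
    # Limit messages and errors carry no verdict: report them as
    # incomplete instead of silently passing or dropping the file.
    return "incomplete", message


def parse_clamscan(output):
    """Return {path: (status, detail)} with one merged entry per file."""
    results = {}
    for line in output.splitlines():
        if "SCAN SUMMARY" in line:
            break  # summary counters are not per-file results
        path, sep, message = line.strip().rpartition(": ")
        if not sep:
            continue  # blank or unrecognised line
        status, detail = classify(message.strip())
        previous = results.get(path)
        if previous is None or RANK[status] > RANK[previous[0]]:
            results[path] = (status, detail)
    return results


if __name__ == "__main__":
    for path, (status, detail) in parse_clamscan(SAMPLE).items():
        print(f"{status:10} {path} {detail or ''}")
```
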

