On Wed, 07 Jan 2004 at  9:13:22 -0600, Alex S Moore wrote:
> On my Solaris 9 SPARC mailhost with clamav installed and using my Solaris 9
> SPARC workstation with SylpheedClaws, I tested with the top section of the html
> page from www.testvirus.org.  The virus signature file is updated twice a day.
> 
> I used the released 0.65 version, which I built on 2003-12-04, and then built
> and installed the devel-20040107 version.  Both programs had the same results. 
> Most virus email was caught.  There were three that passed the check on both
> versions.  They are:
> 
> Nbr 4) EICAR virus sent using uuencoding
> Nbr 5) EICAR virus sent using BinHex encoding
> Nbr 4) EICAR virus sent using BinHex encoding within a MIME segment.
> 
> Should I be concerned about the three tests that got through?
> 

In case someone is interested, I'm including here test results of
a set:
Postfix + Amavisd-new (20030616p5-6) + ClamAV (0.60+BugFixesFromCVS-20030916).

From the 1st group of tests on www.antivirus.org, only 1 of 15 test
messages was let through:

Nr 8. "Eicar virus sent using BinHex encoding within a MIME segment".


From the 2nd group of tests (important only for M$ Outlook), 5 of 7
test messages were let through:

Nr 2. "Outlook 'Space Gap' vulnerability (includes Eicar virus as hidden
       attachment)",

Nr 3. "Outlook 'Blank Folding' Vulnerability (does not include Eicar
       virus)",

Nr 4. "Outlook 'Boundary Space Gap' Vulnerability (does not include
       Eicar virus)",

Nr 5. "Outlook 'Long Boundary' Vulnerability (does not include Eicar
       virus)",

Nr 7. "A file with a CLSID extension which may hide the real file
       extension (does not include Eicar virus)".


> I do not care about the second section of the test virus web page, since I do
> not run OE.  I do have OE clients, but they run their own Windows anti-virus
> package.

And it hardly seems to be an AV scanner job to care for these special
tricks which can fool Outlook. Especially because only 2 of 7 tests
from the second group contain Eicar. How could ClamAV detect messages
which don't contain any virus string, but only have some special
structure? It can be an MTA job, not an AV scanner's one.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
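
Added example, not part of the original post and not code from ClamAV, Postfix or amavisd-new: a sketch of the kind of structural check the reply assigns to the MTA side rather than to signature matching. It flags a multipart boundary longer than the 70 characters RFC 2046 allows and an attachment filename ending in a CLSID; the finding labels, the sample message and the all-zero CLSID are constructed, and the page does not say what length the "Long Boundary" test uses.

```python
import re
from email import message_from_string

MAX_BOUNDARY = 70  # RFC 2046 section 5.1.1: boundary is at most 70 characters

# Filename whose last "extension" is a CLSID in braces, e.g. name.txt.{...}
CLSID_EXT = re.compile(
    r"\.\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\s*$", re.I
)


def structural_findings(raw):
    """Return structure-only findings; no virus signature is consulted."""
    findings = []
    for part in message_from_string(raw).walk():
        boundary = part.get_boundary()
        if boundary is not None and len(boundary) > MAX_BOUNDARY:
            findings.append("boundary-too-long")
        name = part.get_filename()
        if name and CLSID_EXT.search(name):
            findings.append("clsid-extension:" + name)
    return findings


def build_sample(boundary, filename):
    """Constructed two-part message used only to exercise the check."""
    return (
        "From: a@example.test\n"
        "To: b@example.test\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        f'Content-Type: multipart/mixed; boundary="{boundary}"\n'
        "\n"
        f"--{boundary}\n"
        "Content-Type: text/plain\n\nbody\n"
        f"--{boundary}\n"
        "Content-Type: application/octet-stream\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "data\n"
        f"--{boundary}--\n"
    )


if __name__ == "__main__":
    odd = "notes.txt.{00000000-0000-0000-0000-000000000000}"  # constructed
    print(structural_findings(build_sample("b1", "report.pdf")))
    print(structural_findings(build_sample("b1", odd)))
    print(structural_findings(build_sample("x" * 80, "report.pdf")))
```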