Uhm, yes and no. It depends what your MTA sends to clamav, and how you set it up.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of OpenMacNews
Sent: Wednesday, March 17, 2004 11:27 AM
To: ClamAV Users List
Subject: [Clamav-users] testvirus.org eicar tests failing w/ ClamAV version devel-20040316 on OSX+CGPro
hi,
ClamAV version devel-20040316, built on OSX 10.3.3, and integrated into CommunigatePro 4.1.8, is consistently failing to detect the following Eicar tests from www.testvirus.org:
I would just like to point out that MOST of these are not problems with clamav at all. I can not say how to get clamav to detect these because that is dependent on how clamav is called and how it integrates with your MTA.
Clamav is catching those just fine since Feb 4.
Test #5: Eicar virus sent using BinHex encoding
Test #8: Eicar virus sent using BinHex encoding within a MIME segment
Your system must be able to decode BinHex attachments before they are passed to clamav. I don't believe clamav has an internal BinHex decoder. Being that most people don't have a decoder themselves, I don't see how this is really an issue. Symantec on my workstation doesn't even pick these up.
Sorry, but IMHO a virus scanner on a Mac that doesn't handle BinHex is a piece of scrap.
Clamav has a BinHex decoder, and it works.
I agree here. It just comes down to:
Test #10: Eicar virus embedded within an RFC822 message
Test #15: Eicar string in HTML, to ensure that your mail server scans HTML segments
This is definitely a fault with whatever program is calling clamav on your system. These are both blocked on my system (using qmail and qmail-scanner).
- Have you enabled the ScanMail and ScanArchive options in your clamav.conf, or are you using clamscan --mbox? If not, this is the culprit.
- What is CGPro sending to clamav? Does it decompose mails? CG _may_ fulfill this task, erm, incompletely. Or does it send the whole raw message to clamav? Then you definitely need to enable ScanMail (see above).
This is an issue I will have a look at, though I'm unsure on how to handle such stuff that doesn't show as attachment in client programs.
Test #22: Eicar virus within zip file hidden using the "Empty MIME Boundary Vulnerability"
I don't really know what this means, but it is let through on my system as well. However, I am not too worried about it, as it was not picked up by Symantec on my desktop, and someone would need a base64 decoder and some computer knowledge to be able to extract this attachment.
There is at least one M$ Outlook bug that makes attachments with specially crafted headers viewable, which are unseen by other client programs. But how should one handle that? ClamAV is a virus scanner. It's not a vulnerability scanner. I consider catching such messages a "nice to have", but if correctly implemented it bloats clamav's config file (or clamscan's --help output) endlessly, given the number of bugs some mail clients have.
(Having a hard time not flaming about Symantec again)
See above. The test is there, but currently issues a libclamav warning IIRC.
Test #23: Test for the "Partial (Fragmented) Vulnerability". This does not include Eicar virus, but your mail server still must block this since it can break a virus into multiple emails and reassemble it in your inbox.
See above. Thanks MS.
Test #24: Attachment with a CLSID extension which may hide the real file extension. This does not include Eicar virus, but your mail server still must block this since it can hide the true extension of a file.
Thomas
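The recurring question in this thread is whether the MTA decomposes the mail before clamav sees it. As an added example (not code from this thread, CommuniGate Pro, qmail-scanner or ClamAV), here is a minimal Python decomposer that strips the transfer encoding from every MIME part and rejects the message/partial and empty-boundary structures discussed above; the TEST_SIGNATURE string, the header block and all sample messages are constructed placeholders.

```python
# Added example (constructed; not ClamAV's code): decompose a message the way a
# mail scanner must before handing parts to clamav, and flag MIME structures that
# defeat per-message scanning. TEST_SIGNATURE and every sample below are made up.
import base64
import email
from email import policy

TEST_SIGNATURE = b"TEST-SIGNATURE-PLACEHOLDER"  # stand-in for a scanner signature
HDR = "From: a@example.invalid\r\nMIME-Version: 1.0\r\n"  # constructed headers

def decompose(raw: bytes):
    """Return (parts, findings): parts = [(content_type, decoded_bytes)] for
    each leaf part with its transfer encoding removed; findings = structures
    a scanner should reject rather than forward."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts, findings = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/partial":
            # A fragment never holds the whole payload (test #23 style).
            findings.append("message/partial fragment")
        if part.is_multipart():
            continue  # container: walk() visits its children next
        if part.get_content_maintype() == "multipart":
            # Declared multipart but no parts were parsed, e.g. empty boundary (#22 style).
            findings.append("multipart with unusable boundary")
        parts.append((ctype, part.get_payload(decode=True) or b""))
    return parts, findings

def scan(raw: bytes):
    """'REJECT' if a decoded part holds TEST_SIGNATURE or any finding exists."""
    parts, findings = decompose(raw)
    hit = any(TEST_SIGNATURE in payload for _, payload in parts)
    return ("REJECT" if hit or findings else "PASS"), findings

def sample_base64_attachment() -> bytes:  # constructed: placeholder in base64 part
    body = base64.b64encode(TEST_SIGNATURE).decode()
    return (HDR + 'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
            "--b1\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n" + body + "\r\n--b1--\r\n").encode()

def sample_partial() -> bytes:  # constructed message/partial fragment
    return (HDR + 'Content-Type: message/partial; id="x@example.invalid"; '
            "number=1; total=2\r\n\r\nSubject: inner\r\n\r\nfirst half\r\n").encode()

def sample_empty_boundary() -> bytes:  # constructed: multipart with empty boundary
    return (HDR + 'Content-Type: multipart/mixed; boundary=""\r\n\r\nContent-Type: '
            "application/zip\r\nContent-Transfer-Encoding: base64\r\n\r\nAAAA\r\n").encode()
```

Feeding the raw message to clamscan without this step (or without ScanMail) is the configuration the thread describes as the culprit: the base64 body is never decoded, and the fragment and empty-boundary cases carry no scannable attachment at all.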
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users