> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jim Maul
> Sent: Thursday, May 20, 2004 12:20 PM
> To: ClamAV Mailing List
> Subject: [Clamav-users] Question regarding virus detection
>
>
> Hello,
>
> For the first time since installing clamav on our mail server over 6 months
> ago, we have had a virus get through.  It was picked up on the user's desktop
> by Symantec corporate AV as Netsky.P.  I did some research and this is what
> I have found:
>
> First of all, I do not have the message in original form because it was
> popped down to Outlook before I was able to look at it.  All I have is the
> message copy/pasted from Outlook into a text file.  This message was a
> bounce notice from some other mail server and the only reason it came to my
> server is because a user of mine was used as the spoofed from address.
>
> If I scan this text file, clamscan 0.70 does not find any virus.  If I
> remove the lines below:
>
> ------------------------------------------
> -----Original Message-----
> From: Mail Delivery System [mailto:[EMAIL PROTECTED]
> Sent: Thursday, May 20, 2004 10:21 AM
> To: ADDRESS REMOVED
> Subject: Mail delivery failed: returning message to sender
>
>
> This message was created automatically by mail delivery software.
>
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
>
>   [EMAIL PROTECTED]
>     This message has been rejected because it has
>     a potentially executable attachment "letter43.txt
> .pif"
>     This form of attachment has been used by
>     recent viruses or other malware.
>     If you meant to send this file then please
>     package it up as a zip file and resend it.
>
> ------ This is a copy of the message, including all the headers. ------
> ------------------------------------------
>
> from the top of the message, then clamscan finds Worm.SomeFool.P.
>
> So basically, it appears that this message got through because it was a
> bounce notice and not the original message itself.
>
> I am running clamav 0.70 on redhat 9 using qmail-scanner 1.22.
>
> What I really don't understand is why adding a couple of lines at the top of
> the message prevents clamav from detecting the virus.  Is there anything
> that can be done about this?  Do I need to provide more information?  I have
> the (mostly) original message if it would help at all but since it is from
> Outlook and not the original from the server itself, I don't assume it would
> help much.
>

Replying to my own message here, I have more information to provide.  After
some testing, it appears that clamav is the only scanner so far that has not
been able to detect the virus in the email message in its current state.
Even after the message has been bounced back and now forwarded 3 times,
Symantec as well as an AV scanner on another email account of mine still
detect the virus in the now mangled message.  Even just highlighting the
whole message in Outlook (including all signatures and headers and all the
crap added by forwarding a message) and pasting it into Notepad triggers
Symantec on my workstation.

There is something that is causing clamav to not be able to detect this
virus after the message has been bounced and now forwarded.

Hope someone can offer some insight here...

Thanks

Jim
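An added illustration, not part of the thread and not a confirmed explanation of the clamscan result: one plausible mechanism is that a scanner which finds attachments by parsing the message as MIME never reaches the base64 part once non-header lines (the bounce notice) precede the header block, so the decoded attachment is never scanned. Python's standard email parser shows the same behaviour on a constructed message; the attachment filename is the one quoted in the bounce, and the payload is a harmless placeholder string.

```python
import base64
import email
from email import policy

# Constructed sample: a harmless text blob standing in for the encoded
# attachment body. Nothing here is executable.
FAKE_PAYLOAD = base64.b64encode(b"placeholder, not an executable").decode()

# A minimal multipart message with the attachment name from the bounce.
ORIGINAL_MESSAGE = (
    "From: spoofed-user@example.invalid\n"
    "To: victim@example.invalid\n"
    "Subject: hi\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--b1\n"
    'Content-Type: application/octet-stream; name="letter43.txt .pif"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="letter43.txt .pif"\n'
    "\n"
    f"{FAKE_PAYLOAD}\n"
    "--b1--\n"
)

# Lines a bounce or forward puts in front of the original, as in the thread
# (abbreviated and constructed; not the exact bounce text).
BOUNCE_PREFIX = (
    "-----Original Message-----\n"
    "From: Mail Delivery System [mailto:...]\n"
    "Subject: Mail delivery failed: returning message to sender\n"
    "\n"
    "This message was created automatically by mail delivery software.\n"
    "------ This is a copy of the message, including all the headers. ------\n"
)


def attachments(raw):
    """Return (filename, decoded bytes) for every attachment the MIME parser finds."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.walk() if part.get_filename()]


def decoded_payload_visible(raw):
    """True if a content scan of the decoded attachments would see the payload."""
    return any(b"placeholder" in data for _, data in attachments(raw))
```

With the bounce lines in front, the parser stops header parsing at the first non-header line, treats the whole text as a plain body, and reports no attachments, so a scanner that only inspects decoded MIME parts has nothing to match against.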



_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
