Dear all,

My apologies to the list if I waste time and bandwidth. I went through the mail archive and couldn't find any (obvious) way to fix my problem.
In short: we are running a 'virtual office' providing, amongst different services, a webmail service. We receive around +- 25.000 valid mails/day (more than 160.000 SMTP connections) and installed ClamAV 0.83 on a RHEL 3.0 V4/HP DL 2*3GHZ box. We use 'home made' Java SMTP servers that pass requests to clamd to evaluate each email and pass it to the final recipient if no virus is found. FreshClam is activated and checks for a new db every 2 hours. Both clamd and freshclam work very nicely, no errors, ...

We started a couple of days ago and ClamAV catches more than 1800 viruses a day. As we are experimenting with ClamAV, we still maintain during the evaluation period a second (and historic) line of defense with TrendMicro VirusWall, which we plan to abandon shortly. I observed that VirusWall (the second line of defense) reported 8 hits on (SomeFool) Worm.Netsky.P, .Y and .W. 'DetectBrokenExecutables' is activated. (Logfiles are below.)

The config file is as follows (large comments stripped):

    #LogFileUnlock
    LogFileMaxSize 0
    LogTime
    #LogClean
    LogSyslog
    #LogFacility LOG_MAIL
    #LogVerbose
    PidFile /var/run/clamav/clamd.pid
    TemporaryDirectory /var/tmp
    DatabaseDirectory /var/clamav
    #LocalSocket /var/run/clamav/clamd.sock
    FixStaleSocket
    TCPSocket 3310
    MaxConnectionQueueLength 30
    #StreamMaxLength 20M
    #StreamMaxPort 32000
    #MaxThreads 20
    ReadTimeout 300
    #IdleTimeout 60
    #MaxDirectoryRecursion 20
    #FollowDirectorySymlinks
    #FollowFileSymlinks
    #SelfCheck 600
    #VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v"
    User clamav
    AllowSupplementaryGroups
    #ExitOnOOM
    #Foreground
    #Debug
    #LeaveTemporaryFiles
    #DisableDefaultScanOptions

    ##
    ## Executable files
    ##
    ScanPE
    DetectBrokenExecutables

    ##
    ## Documents
    ##
    ScanOLE2

    ##
    ## Mail files
    ##
    ScanMail
    #MailFollowURLs

    ##
    ## HTML
    ##
    #ScanHTML

    ##
    ## Archives
    ##
    ScanArchive
    #ScanRAR
    ArchiveMaxFileSize 20M
    ArchiveMaxRecursion 10
    ArchiveMaxFiles 1500
    ArchiveMaxCompressionRatio 300
    #ArchiveLimitMemoryUsage
    ArchiveBlockEncrypted
    ArchiveBlockMax

    ##
    ## Clamuko settings

.. the rest is set to the default.

After having received 32.343 mails, I got 8 hits on TrendMicro reporting these viruses (apparently) not caught by ClamAV.

    Sort by : Date    View : All Dates    User : All Users    Virus : All Viruses
    -----------------------------------------------------------------
    [EMAIL] 1.
    Date   : 04/16/2005 00:54:11
    File   : data.zip
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.P

    [EMAIL] 2.
    Date   : 04/16/2005 01:04:25
    File   : www.yahoo.fr.stlouissec.session-00001292.com
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.Y

    [EMAIL] 3.
    Date   : 04/16/2005 10:42:59
    File   : abuselist.zip
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.P

    [EMAIL] 4.
    Date   : 04/16/2005 13:58:42
    File   : letter.zip
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.P

    [EMAIL] 5.
    Date   : 04/16/2005 22:13:28
    File   : word document.zip
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.P

    [EMAIL] 6.
    Date   : 04/17/2005 12:42:41
    File   : details.zip
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.W

    [EMAIL] 7.
    Date   : 04/17/2005 13:07:06
    File   : d4334938.zip
    From   : <//[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_NETSKY.P

    [EMAIL] 8.
    Date   : 04/17/2005 13:55:36
    File   : document.zip
    From   : <[EMAIL PROTECTED]>
    To     : [EMAIL PROTECTED]
    Action : deleted
    Virus  : WORM_MyDoom.DAM

Is there anything wrong in the config file? Did I miss something? Does anyone report/experience the same problem?

Any help would be greatly appreciated.

Thanks,
Arnaud Huret
ContactOffice
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html