BitFuzzy wrote:
Odhiambo Washington wrote:

* On 10/09/05 13:47 -0500, Pablo Chamorro C. wrote:
I managed to deploy squid + havp + clamav for antivirus control of web pages/files, and to my surprise this morning I found:

10/09/2005 13:08:36 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
10/09/2005 13:09:22 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
10/09/2005 13:10:09 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
10/09/2005 13:15:06 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272

Some comment?


ClamAv is right about the virus! At least it tells me the same when I
try to download that file. Funnily, I use DansGuardian, not HAVP. We
get the same results. So if anything is 'wrong', it is clamav.

The file scanned fine with PcCillin as well.

However, after sending test emails containing the contents of the .cab I was able to identify "pskavs.dll" as being the file that's being tagged as being infected.

The problem is that Panda still ships files that contain "plain
viruscode", other vendors encrypt such files to avoid such false
positives. So Clam is right somehow, it found the byte sequence of the
virus in the file.

Not as an excuse but to prove the fact, I tested the file with some
other scanners, and got the following:

Scanner 1: Win32:CTX
Scanner 2: Frisk #2
Scanner 3: W95/Sledge-A

So you can see it's not only a problem of ClamAV. We have similar
problems with some vulnerability scanners, that contain plain
exploit code - it wouldn't be hard to encrypt the code....

However, I will include the file in my update.

Maybe you want to report the problem to Panda too - imho it's a problem
that can be solved by them - and be sure they know about it already - if
they read the mails that people send to their support.

--
Best regards,
 Christoph                          mailto:[EMAIL PROTECTED]
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
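
Added example, not part of the original thread: a small triage script that collapses repeated proxy detections like the four log lines quoted above into one finding per URL and signature, which is the first step when checking a suspected false positive. The line layout is taken from the quoted log; reading the date as DD/MM/YYYY and the names `parse_line` and `summarize` are assumptions.

```python
import re
from datetime import datetime

# Log lines exactly as quoted in the thread above.
SAMPLE_LOG = """\
10/09/2005 13:08:36 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
10/09/2005 13:09:22 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
10/09/2005 13:10:09 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
10/09/2005 13:15:06 http://www.pandasoftware.com/activescan/as5free/motor.cab Virus: Sirius.Annihilator.272
"""

# Layout seen in the quoted log: "<date> <time> <url> Virus: <signature name>"
LINE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\S+) Virus: (\S.*)$"
)


def parse_line(line):
    """Return (timestamp, url, signature) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: the date is DD/MM/YYYY; the thread does not say which.
    ts = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S")
    return ts, m.group(2), m.group(3).strip()


def summarize(log_text):
    """Group detections by (url, signature); count unparseable lines."""
    findings, skipped = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parsed = parse_line(line)
        if parsed is None:
            skipped += 1  # keep a count so malformed lines are not silently lost
            continue
        ts, url, sig = parsed
        entry = findings.setdefault((url, sig), {"hits": 0, "first": ts, "last": ts})
        entry["hits"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return findings, skipped


if __name__ == "__main__":
    results, bad = summarize(SAMPLE_LOG)
    for (url, sig), e in results.items():
        print(f"{sig}  x{e['hits']}  {e['first']} .. {e['last']}  {url}")
    print(f"unparsed lines: {bad}")
```

One object flagged repeatedly under a single signature, as here, is the pattern worth cross-checking with other scanners and reporting upstream.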
