ClamAV aficionados:
I just recently bought an account on webhostingbuzz.com. Curious as to
how well the domains were protected against viruses, I went to
http://www.webmail.us/testvirus and emailed the eicar virus to my
account. My mail is supposedly protected with ClamAV, and yet it
passed/failed the following tests:
PASSED->Test 01 EICAR virus sent using base64 encoding
PASSED->Test 02 EICAR virus sent using binary encoding
PASSED->Test 03 EICAR virus sent using quoted-printable encoding
PASSED->Test 04 EICAR virus sent using uuencoding
FAILED->Test 05 EICAR virus sent using BinHex encoding (this is a rarely used Macintosh mail format)
PASSED->Test 06 EICAR virus embedded within another MIME segment
PASSED->Test 07 EICAR virus sent using uuencoding within a MIME segment
PASSED->Test 08 EICAR virus sent using BinHex encoding within a MIME segment
PASSED->Test 09 EICAR virus sent as an inline attachment
PASSED->Test 10 EICAR virus embedded within an RFC822 message
FAILED->Test 11 New! EICAR virus within a ZIP file
PASSED->Test 12 EICAR virus sent from Pegasus (Pegasus uses unusual email formatting)
PASSED->Test 13 EICAR virus without quotes around the filename
FAILED->Test 14 EICAR string in HTML, to ensure that your mail server scans HTML segments
PASSED->Test 15 EICAR virus hidden using the "CR Vulnerability" *
FAILED->Test 16 EICAR virus within ZIP file hidden using the "Space Gap Vulnerability" *
FAILED->Test 17 EICAR virus within ZIP file hidden using the "Blank Folding Vulnerability" *
FAILED->Test 18 EICAR virus within ZIP file hidden using the "MIME Boundary Space Gap Vulnerability" *
FAILED->Test 19 EICAR virus within ZIP file hidden using the "Long MIME Boundary Vulnerability" **
FAILED->Test 20 EICAR virus within ZIP file hidden using the "MIME Continuation Vulnerability" *
FAILED->Test 21 EICAR virus within ZIP file hidden using the "Empty MIME Boundary Vulnerability" *
FAILED->Test 22 (Non-Virus): Test for the "Partial (Fragmented) Vulnerability". This does not include the EICAR virus, however your mail server should still block this since a virus can use this technique to break itself into multiple emails, bypassing virus scanners, and reassembling itself in your inbox. **
FAILED->Test 23 (Non-Virus): Attachment with a CLSID extension which may hide the real file extension. This does not include the EICAR virus, however your mail server should still block this since the CLSID technique can be used to hide the true extension of a malicious file. ***
FAILED->Test 24 New! EICAR virus within a double ZIP file (i.e. a ZIP within a ZIP).
FAILED->Test 25 New! EICAR virus within a ZIP file that has been manipulated to evade detection by some anti-virus software by changing the uncompressed size to zero within the ZIP file headers.
Is this typical of ClamAV? Or is it just that they don't have ClamAV
configured well?
I'm considering setting up a ClamAV + SpamAssassin relay server for my
company and wanna double check these types of things before I pitch it
to management.
Roger
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
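The pattern in Roger's results is that the scanner finds the EICAR string whenever it sees it after decoding a transfer encoding, and misses it when it is inside a ZIP (Tests 11, 24, 25) or in a segment it never decodes (Tests 05, 14). The Python script below is an added example, not code from the post, from ClamAV or from webmail.us: it builds constructed test messages mirroring Tests 01, 03, 04, 11 and 24, then runs each through a naive scanner that only greps the wire bytes and through a MIME-aware scanner that decodes every part, uudecodes legacy text bodies and recurses into nested ZIP archives. All function names (scan_message, build_message, MAX_ZIP_DEPTH), the example.invalid addresses and the nesting limit are assumptions; the ZIP header manipulation of Test 25 and the MIME boundary tricks of Tests 16 to 21 are not reproduced.

```python
"""MIME-aware EICAR detector with constructed sample messages (added example,
not code from the post, ClamAV or webmail.us)."""
import binascii
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Standard EICAR test string, split so this file does not itself match a raw grep.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
MAX_ZIP_DEPTH = 3  # assumption: archive nesting levels unpacked (Test 24 needs 2)

def naive_scan(raw: bytes) -> bool:
    """What a scanner that only greps the wire bytes of the message sees."""
    return EICAR in raw

def _scan_blob(data: bytes, depth: int = 0) -> bool:
    """True if EICAR is in data or in any ZIP member nested inside it."""
    if EICAR in data:
        return True
    if depth < MAX_ZIP_DEPTH and data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _scan_blob(zf.read(info), depth + 1):
                        return True
        except zipfile.BadZipFile:
            pass  # malformed archive; a real gateway would quarantine it
    return False

def _uudecode(text: str) -> bytes:
    """Decode a legacy 'begin ... end' uuencoded block in a text body (Test 04)."""
    out, inside = bytearray(), False
    for line in text.splitlines():
        if line.startswith("begin "):
            inside = True
        elif inside and line == "end":
            break
        elif inside and line and line != "`":
            try:
                out += binascii.a2b_uu(line)
            except binascii.Error:
                return b""  # not really uuencoded data
    return bytes(out)

def scan_message(raw: bytes) -> bool:
    """Walk every MIME part (message/rfc822 children included), undo its
    Content-Transfer-Encoding, then scan the decoded bytes and any archives."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if _scan_blob(payload):
            return True
        if (part.get_content_maintype() == "text"
                and _scan_blob(_uudecode(payload.decode("latin-1")))):
            return True
    return False

def _zip_bytes(name: str, data: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def build_message(variant: str) -> bytes:
    """Constructed messages mirroring Tests 01, 03, 04, 11 and 24 (plus 'clean')."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "tester@example.invalid", "roger@example.invalid"
    msg["Subject"] = "EICAR " + variant
    if variant == "uuencode":       # Test 04: uuencoded text body, no MIME part
        lines = [binascii.b2a_uu(EICAR[i:i + 45]) for i in range(0, len(EICAR), 45)]
        msg.set_content((b"begin 644 eicar.com\n" + b"".join(lines) + b"`\nend\n").decode())
        return msg.as_bytes()
    msg.set_content("see attachment")
    if variant == "base64":         # Test 01
        msg.add_attachment(EICAR, maintype="application", subtype="octet-stream",
                           filename="eicar.com")
    elif variant == "qp":           # Test 03
        msg.add_attachment(EICAR.decode(), subtype="plain", cte="quoted-printable",
                           filename="eicar.com")
    elif variant == "zip":          # Test 11
        msg.add_attachment(_zip_bytes("eicar.com", EICAR), maintype="application",
                           subtype="zip", filename="eicar.zip")
    elif variant == "double_zip":   # Test 24
        inner = _zip_bytes("eicar.com", EICAR)
        msg.add_attachment(_zip_bytes("inner.zip", inner), maintype="application",
                           subtype="zip", filename="outer.zip")
    elif variant != "clean":
        raise ValueError("unknown variant: " + variant)
    return msg.as_bytes()

if __name__ == "__main__":
    for v in ("clean", "base64", "qp", "uuencode", "zip", "double_zip"):
        print(v, naive_scan(build_message(v)), scan_message(build_message(v)))
```

Running the script prints, per variant, whether the raw grep and the MIME-aware scan each flag the message; the base64, uuencoded and zipped variants only fall to the scanner that decodes and unpacks. That is the check behind Roger's question: a gateway that fails the ZIP tests is usually one whose mail scanner is not handed decoded attachments or has archive scanning switched off, so on a ClamAV relay the first things to confirm are that clamd's ScanMail and ScanArchive options are enabled and that MaxRecursion is high enough for the nesting depth you expect to receive.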