On 01/23/2007 05:00 AM, Andy wrote:
Andy ([EMAIL PROTECTED]) wrote:
Hey,
I'm having some trouble with a virus that got past clamav.
Log is pasted below, but I seem to have two problems:
1) libclamav is saying my database is old when it isn't
update...
I didn't want to stop clamav on a production system but on comparing
the filesizes to another clamav installation I noticed they were
different.
So even though it shows it reading the right files:
LibClamAV debug: Loading databases from /var/lib/clamav
LibClamAV debug: Loading /var/lib/clamav/daily.cvd
And even though I restarted freshclam and it looked like it had updated:
mx tmp # ls -l /var/lib/clamav/daily.cvd
-rw-rw-r-- 1 clamav clamav 752606 Jan 23 09:41 /var/lib/clamav/daily.cvd
... it obviously hadn't. I deleted the current database and restarted
freshclam. It got a new set of files which were different to the old ones,
and had no problem detecting the virus.
I'm still confused as to what caused this though so I can stop it happening
again. I'm also still worried it couldn't scan that .exe file, yet by just
upgrading the DB it can somehow magically do it now?
Andy.
I'm afraid that I don't have any advice for you, but I can say that I'm
having a similar problem.
I received a link to a postcard.exe file in a spam message:
Size: 678849
MD5sum: 8372e0dcd2ccf5e5247f098e818c5e46
Site: http://www.newfriendsonline.com/videos/postcard.exe
Virustotal.com says this about the file:
ClamAV devel-20060426/20070123 found [Trojan.IRC.Zapchast-11]
So someone's version of clamav can detect the trojan; however, my
installation of clamav (0.88.7) always says the file is clean--even
after I've just run freshclam.
I even submitted the file to clamav.net a couple of days ago, but my
clamscan still doesn't detect the file.
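Added example, not part of the original thread and not ClamAV project code: the listing quoted above shows a fresh modification time on daily.cvd, but that does not say which database version is inside the file. This sketch reads the version and build time from the file's own header, assuming the standard 512-byte colon-separated CVD header; the function names, the sample header, the expected-version comparison and the three-day age limit are assumptions made for illustration.

```python
import sys
from datetime import datetime, timedelta, timezone

CVD_HEADER_LEN = 512  # fixed-size text header at the start of every .cvd

# Constructed sample header (all values made up), padded with spaces to 512 bytes.
SAMPLE = ("ClamAV-VDB:10 Jan 2007 08-15 +0000:2400:9000:9:"
          "0123456789abcdef0123456789abcdef:CONSTRUCTED-SIG:example-builder"
          ).ljust(CVD_HEADER_LEN).encode("ascii")

def parse_cvd_header(raw: bytes) -> dict:
    """Parse the colon-separated CVD header; raise ValueError if it is malformed."""
    if len(raw) < CVD_HEADER_LEN:
        raise ValueError("shorter than a CVD header (truncated file?)")
    text = raw[:CVD_HEADER_LEN].decode("ascii", "replace").rstrip(" \x00\r\n")
    fields = text.split(":")
    if fields[0] != "ClamAV-VDB" or len(fields) < 8:
        raise ValueError("not a CVD header")
    # The build time uses '-' between hour and minute because ':' is the delimiter.
    built = datetime.strptime(fields[1], "%d %b %Y %H-%M %z")
    return {"built": built, "version": int(fields[2]), "signatures": int(fields[3]),
            "flevel": int(fields[4]), "md5": fields[5], "builder": fields[7]}

def staleness_reasons(header, now, expected_version=None, max_age_days=3):
    """Return reasons the database looks stale; an empty list means it looks current."""
    reasons = []
    if expected_version is not None and header["version"] < expected_version:
        reasons.append(f"version {header['version']} is older than expected {expected_version}")
    age = now - header["built"]
    if age > timedelta(days=max_age_days):
        reasons.append(f"built {age.days} days ago")
    return reasons

if __name__ == "__main__":
    # Usage: script.py [path/to/daily.cvd [expected_version]]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            raw = fh.read(CVD_HEADER_LEN)
    else:
        raw = SAMPLE
    expected = int(sys.argv[2]) if len(sys.argv) > 2 else None
    hdr = parse_cvd_header(raw)
    print(f"version {hdr['version']}, {hdr['signatures']} signatures, built {hdr['built']}")
    for reason in staleness_reasons(hdr, datetime.now(timezone.utc), expected):
        print("STALE:", reason)
```

The expected version can be taken from a second installation that is known to detect the sample, which is the comparison the first poster made by file size.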