From: Tomasz Kojm <tk...@clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date:  Thu, 13 Aug 2009 18:37:16 +0200

>On Thu, 13 Aug 2009 18:14:14 +0200
>"Len Conrad" <lcon...@go2france.com> wrote:
>
>> I don't think there is any problem with the postfix/clamsmtpd/clam handoff.
>> 
>> The clam scanning has missed only the W32.Elkern these past few days
>> (barracuda has caught on W32.Elkern), and caught everything else, eg today:
>> 
>> egrep -i "status=virus" /var/log/ms1.xxx.net/maillog
>> 
>> Aug 13 10:08:10  clamsmtpd: 1122E3: from=gsegro...@xxx.net,
>> to=sportsnationh...@xxx.com, status=VIRUS:Exploit.IFrame.Gen
>
>The fact your installation catches Exploit.IFrame.Gen doesn't mean it will
>detect other threats. The IFrame signature is one of the most basic ones but
>other signatures may require properly decoded attachments or even the entire
>raw messages so that libclamav can match some headers or do special
>decoding/preprocessing on its own.
>
>> Aug 13 10:19:40  clamsmtpd: 112524: from=comfor...@xxx.net,
>> to=memberservi...@xxx.com, status=VIRUS:Exploit.IFrame.Gen
>> 
>> Aug 13 10:49:27  clamsmtpd: 112BB4: from=cto...@xxx.net, to=bub...@xxx.com,
>> status=VIRUS:Exploit.IFrame.Gen
>> 
>> netstat -nap | egrep -ic :10025
>> 46
>> 
>> netstat -nap | egrep -ic :10026
>> 1
>> 
>> So how could the sig be in the clam db, but clam selectively missing
>> W32.Elkern?
>
>There could be many reasons for that. Eg. there may be a configuration
>problem with your clamd (please provide the output of 'clamconf -n'),

ok, I missed this:

clamconf -n
Checking configuration files in /usr/local/etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamd.log"
LogFileMaxSize disabled
LogTime = "yes"
LogSyslog = "yes"
LogFacility = "LOG_MAIL"
LogVerbose = "yes"
PidFile = "/var/run/clamd.pid"
LocalSocket = "/tmp/clamd.socket"
ScanMail disabled <<<<<<<<<<<<<<<<<<<<

fixed.

>or it
>may not be getting the proper data from clamsmtpd (does it take care of
>attachment extracting or passes the entire message to clamd?). Can you
>get a copy of the infected mail from your Barracuda?

I submitted the msg, as much of the 100KB that Barracuda allowed, to the clam 
website.

thanks
Len

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
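A small parser for the `clamconf -n` dump format shown above, added here as an example (not code from the thread or from ClamAV itself); it flags the mail-scanning option that was disabled in Len's clamd.conf. The sample output is constructed to match the format quoted in the mail, and the list of options checked is an assumption limited to ScanMail, the one the thread identifies.

```python
"""Parse `clamconf -n` output and flag mail-scanning options that are disabled."""
import re

# Constructed sample modelled on the clamconf -n output quoted in the mail.
SAMPLE = """Checking configuration files in /usr/local/etc

Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamd.log"
LogFileMaxSize disabled
LogTime = "yes"
LocalSocket = "/tmp/clamd.socket"
ScanMail disabled
"""

# Each option line is either:  Key = "value"   or:  Key disabled
LINE_RE = re.compile(r'^(\w+)(?: = "(.*)"| (disabled))$')


def parse_clamconf(text):
    """Return {config_file: {option: value}}.

    Quoted values are kept as strings; an option printed as 'disabled'
    maps to False so it can be told apart from an option that is absent.
    """
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Config file: "):
            current = line.split(": ", 1)[1]
            sections[current] = {}
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            key, value, disabled = m.groups()
            sections[current][key] = False if disabled else value
    return sections


def disabled_mail_options(text, options=("ScanMail",)):
    """List mail-related clamd options explicitly disabled in the dump.

    `clamconf -n` prints only non-default settings, so an option that is
    absent from the output is at its default and is not flagged.
    """
    clamd = parse_clamconf(text).get("clamd.conf", {})
    return [opt for opt in options if clamd.get(opt) is False]
```

Feeding it the real output of `clamconf -n` (for example via `subprocess.check_output`) turns the manual "<<<<<" spotting above into a check that can run from a monitoring job.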