This may or may not be an amavisd-new question, but I start here.

-------------------------------------------------------------------

A virus was found: W32/Bredolab!Generic

Banned name: .exe,.exe-ms,DHL_print_label_107f1.exe
Scanners detecting a virus: F-PROT Antivirus for UNIX, BitDefender

Content type: Virus
Internal reference code for the message is 15460-18/lbKm0bjf56Nj

-------------------------------------------------------------------

ClamAV, run by amavisd-new, does not detect it.

When I save the payload to disk and scan it with clamav, it detects it as

-------------------------------------------------------------------
ja...@spitfire:~/tmp$ clamscan DHL_print_label_107f1.zip
DHL_print_label_107f1.zip: Suspect.Bredozip-zippwd-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 671679
Engine version: 0.95.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.01 MB (ratio 0.00:1)
Time: 111.784 sec (1 m 51 s)

-------------------------------------------------------------------

This is up-to-date Debian lenny, and the entry for ClamAV in amavisd is as follows:

-------------------------------------------------------------------
 ### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 # NOTE: remember to add the clamav user to the amavis group, and
 # to properly set clamd to init supplementary groups
 # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

-------------------------------------------------------------------

This DHL payload is the only malware which behaves like this for me. Any ideas?


-- 
http://www.iki.fi/jarif/

You may my glories and my state dispose,
But not my griefs; still am I king of those.
                -- William Shakespeare, "Richard II"


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml

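One way to see exactly what amavisd sees, as an added example that is not part of the original post and not code from amavisd-new or ClamAV: the script below sends the same `CONTSCAN <path>` command to the clamd socket that the posted `ask_daemon` entry sends, then applies Python equivalents of the three regexes from that config entry to the reply. The socket path is taken from the posted config and assumed to be correct on the affected host; the sample reply lines in the test are constructed, not captured from the poster's system. A reply that matches neither the `OK` nor the `FOUND` pattern (for instance because clamd, running as its own user, cannot read the file handed to it) is treated as a scanner error rather than as a detection, which is the case the config's own comment about adding the clamav user to the amavis group is there to prevent.

```python
"""Reproduce amavisd-new's clamd query for a saved sample.

Added example, not from the original post, amavisd-new or ClamAV.
Assumptions: clamd listens on the unix socket named in the posted
amavisd config and accepts CONTSCAN; the sample path given on the
command line is absolute and readable by the clamd process.
"""
import re
import socket
import sys

# Socket path copied from the posted amavisd entry (assumption: unchanged on the host).
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# Python equivalents of the three patterns in the ['ClamAV-clamd', ...] entry:
#   qr/\bOK$/, qr/\bFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/
RE_CLEAN = re.compile(r"\bOK$")
RE_FOUND = re.compile(r"\bFOUND$")
RE_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")


def ask_clamd(path, sock_path=CLAMD_SOCKET, timeout=300):
    """Send 'CONTSCAN <path>\\n' to clamd, as amavisd's ask_daemon does,
    and return the reply as a list of lines."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(("CONTSCAN %s\n" % path).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace").splitlines()


def classify(lines):
    """Apply the amavisd decision logic to clamd reply lines.

    Returns (verdict, detail) where verdict is 'infected', 'clean' or
    'error'. detail is the list of virus names for 'infected' (empty if
    clamd only printed 'Infected Archive FOUND'), empty for 'clean', and
    the raw non-empty reply lines for 'error' so the cause is visible."""
    names = []
    found = False
    clean = False
    for line in lines:
        line = line.rstrip("\r\n")
        if RE_FOUND.search(line):
            found = True
            m = RE_NAME.match(line)
            if m:
                names.append(m.group(1))
        elif RE_CLEAN.search(line):
            clean = True
    if found:
        return "infected", names
    if clean:
        return "clean", []
    # Neither pattern matched: amavisd would report a scanner error here.
    return "error", [l for l in lines if l.strip()]


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: %s /absolute/path/to/sample" % sys.argv[0])
    reply = ask_clamd(sys.argv[1])
    verdict, detail = classify(reply)
    print("verdict:", verdict)
    for item in detail:
        print("  ", item)
```

Run it as the amavis user with the saved sample placed where amavisd keeps its temporary files, so that the path and permissions match what clamd is handed during mail flow; if the verdict is `error`, the printed reply line shows why clamd gave neither `OK` nor `FOUND` for that file.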