Török Edwin wrote:
>
> On 04/22/2010 10:01 AM, Thomas Herzog wrote:
>>
>> Amavis seems to be calling the clam daemon, it also finds some other
>> exploits, viruses...
>> /var/log/clamav/clamav.log:
>> Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
>
> BTW attachments are automatically removed on this mailing list.
>
>> Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
>> Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14 FOUND
>>
>> Here you can see (UPS_invoice_4557.zip) was recognized with manual
>> scanning.
>
> Is that the email, or the attachment? I guess it is the attachment.
> Try scanning the email containing that attachment with
> clamscan/clamdscan, and see if it is detected.
>
>>
>> lxhv1m02:~# dpkg -l | grep clam
>> ii  clamav            0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - command-line i
>> ii  clamav-base       0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - base package
>> ii  clamav-daemon     0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - scanner daemon
>> ii  clamav-freshclam  0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - virus database
>> ii  libclamav6        0.95.3+dfsg-1~volatile1  anti-virus utility for Unix - library
>>
>> lxhv1m02:~# ps -eaf| grep clam
>> clamav 2926 1 0 2009 ? 00:01:49 /usr/bin/freshclam -d --quiet
>> clamav 16517 1 1 Apr21 ? 00:12:39 /usr/sbin/clamd
>> root 25902 23655 0 08:58 pts/1 00:00:00 grep clam
>>
>> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
>> \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>>
>> lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
>> LocalSocket /var/run/clamav/clamd.ctl
>>
>> Looks good to me...any ideas left?
>>
>> /Thomas
>>
>>
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>
>
Hi, the attachment should be listed as "logging.TXT" under the following link:
http://old.nabble.com/clamav-daemon-didn%27t-recognise-attached-virus-to28288042.html#a28288042
direct link:
http://old.nabble.com/file/p28288042/logging.TXT

Scanning the msg gives me the same output:

lxhv1m02:~# clamdscan "/tmp/UPS Delivery Problem NR 09045..msg"
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
WARNING: Ignoring deprecated option ArchiveLimitMemoryUsage at line 12
/tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.102 sec (0 m 0 s)

lxhv1m02:~# clamscan "/tmp/UPS Delivery Problem NR 09045..msg"
LibClamAV Warning: ***********************************************************
LibClamAV Warning: *** This version of the ClamAV engine is outdated. ***
LibClamAV Warning: *** DON'T PANIC! Read http://www.clamav.net/support/faq ***
LibClamAV Warning: ***********************************************************
/tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 757668
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.06 MB (ratio 0.00:1)
Time: 2.137 sec (0 m 2 s)

lxhv1m02:~# tail /var/log/clamav/clamav.log
Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14 FOUND
Thu Apr 22 09:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 10:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 10:48:33 2010 -> Reading databases from /var/lib/clamav
Thu Apr 22 10:48:34 2010 -> Database correctly reloaded (757668 signatures)
Thu Apr 22 11:04:45 2010 -> /var/lib/amavis/tmp/amavis-20100422T110144-19947/parts/p001: HTML.Phishing.Bank-1272 FOUND
Thu Apr 22 11:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 11:45:19 2010 -> /tmp/UPS Delivery Problem NR 09045..msg: Suspect.Bredozip-zippwd-5 FOUND

Thanks
Thomas
--
View this message in context:
http://old.nabble.com/clamav-daemon-didn%27t-recognise-attached-virus-tp28288042p28326571.html
Sent from the clamav-users mailing list archive at Nabble.com.
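
The clamd log in this thread mixes detections for parts submitted by amavis (paths under /var/lib/amavis/tmp) with scans started by hand on files in /tmp. As an added example, not part of the original message or of ClamAV, the Python below rejoins log entries that were folded across lines when pasted into mail and splits FOUND entries by where the scanned file lived, so you can check whether a given signature was ever reported for an amavis-submitted part. The function names and the path-prefix rule are assumptions; the sample is the thread's log excerpt with constructed line folding.

```python
import re

# clamd log excerpt from the thread; entries are folded across lines (constructed folding).
SAMPLE_LOG = """\
Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip:
Suspect.Bredozip-zippwd-5 FOUND
Thu Apr 22 08:23:53 2010 ->
/var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002:
Exploit.HTML.IFrame-8 FOUND
Thu Apr 22 08:23:53 2010 ->
/var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14
FOUND
Thu Apr 22 09:13:35 2010 -> SelfCheck: Database status OK.
Thu Apr 22 11:04:45 2010 ->
/var/lib/amavis/tmp/amavis-20100422T110144-19947/parts/p001:
HTML.Phishing.Bank-1272 FOUND
Thu Apr 22 11:45:19 2010 -> /tmp/UPS Delivery Problem NR 09045..msg:
Suspect.Bredozip-zippwd-5 FOUND
"""

# A new entry starts with a ctime-style timestamp followed by "->".
ENTRY_START = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} ->")
DETECTION = re.compile(r"^(?P<ts>.+? \d{4}) -> (?P<path>.+): (?P<sig>\S+) FOUND$")
AMAVIS_TMP = "/var/lib/amavis/tmp/"  # assumption: amavis work dir, as in the thread

def rejoin(text):
    """Merge folded continuation lines back into their timestamped entry."""
    entries = []
    for line in text.splitlines():
        if ENTRY_START.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def detections_by_source(text):
    """Split FOUND entries into amavis-submitted parts and everything else."""
    out = {"amavis": [], "other": []}
    for entry in rejoin(text):
        m = DETECTION.match(entry)
        if m:
            source = "amavis" if m["path"].startswith(AMAVIS_TMP) else "other"
            out[source].append((m["ts"], m["path"], m["sig"]))
    return out

if __name__ == "__main__":
    for source, hits in detections_by_source(SAMPLE_LOG).items():
        for ts, path, sig in hits:
            print(f"{source:7} {ts}  {sig}  {path}")
```

On the excerpt, both Suspect.Bredozip-zippwd-5 entries fall under "other" (files scanned from /tmp), and none of the three amavis-submitted parts carries that signature.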