On Thu, Nov 15, 2012 at 4:25 PM, McGranahan, Jamen <jamen.mcgrana...@vanderbilt.edu> wrote:
> OK, I'm stumped as to why clamav-milter did not catch this virus. It was
> from this address, being masked as from UPS:
>
> rowanhorst...@live.ca, masked as
> customerdesk_upsdeliveryservi...@ups.com
>
> Nov 14 14:13:33 XXXXXX sendmail[13983]: qAEKDT7f013983: from=<rowanhorst...@live.ca>, size=3297, class=0, nrcpts=1, msgid=<ca5501cdc2ac$e6c228e0$a87b5229@customerdesk_upsdeliveryservices>, proto=ESMTP, daemon=MTA, relay=[41.82.123.168]
> Nov 14 14:13:33 libdig10 sendmail[13983]: qAEKDT7f013983: Milter insert (1): header: X-Virus-Scanned: clamav-milter 0.97.6 at xxxx.xxxx.edu
> Nov 14 14:13:33 libdig10 sendmail[13983]: qAEKDT7f013983: Milter insert (1): header: X-Virus-Status: Clean
>
> It actually missed it on two servers. Thankfully our network security
> caught it before it went out. Here's what they detected the virus as:
>
> "It was detected as Blacole.OZ (Blackhole rootkit stuff).
> Incident Name: Blacole.OZ
> File: Invoices-14-2012.htm"
>
> Jamen McGranahan
> Systems Services Librarian
> Vanderbilt University Library
> Central Library
> Room 811
> 419 21st Avenue South
> Nashville, TN 37214
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml

Good question. Any chance you can submit the attachment to us by using the "Submit a file" link on www.clamav.net?

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
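A defender-side aid for triaging the kind of miss reported above, added here as example code (it is not from the thread, from ClamAV, or from sendmail): a small parser that groups sendmail log lines by queue ID and pairs each message's sender and relay with the X-Virus-Status header that clamav-milter inserted. From that you can list which messages the milter passed as Clean (the case in the thread, where another tool later detected the attachment) and which messages never received a verdict at all (milter bypassed or timed out), which is the other failure mode worth ruling out. The log lines are constructed samples modelled on the format quoted above; the hostnames, addresses, relays and queue IDs are placeholders, and the line layout assumed is the one sendmail and clamav-milter produce in the quoted excerpt.

```python
import re

# Constructed sample log, modelled on the "from=" and "Milter insert" lines
# quoted in the thread. Every address, host and relay is a placeholder.
SAMPLE_LOG = """\
Nov 14 14:13:33 mx1 sendmail[13983]: qAEKDT7f013983: from=<sender@example.invalid>, size=3297, class=0, nrcpts=1, msgid=<abc@example.invalid>, proto=ESMTP, daemon=MTA, relay=[192.0.2.10]
Nov 14 14:13:33 mx1 sendmail[13983]: qAEKDT7f013983: Milter insert (1): header: X-Virus-Scanned: clamav-milter 0.97.6 at mx1.example.invalid
Nov 14 14:13:33 mx1 sendmail[13983]: qAEKDT7f013983: Milter insert (1): header: X-Virus-Status: Clean
Nov 14 14:14:01 mx1 sendmail[13990]: qAEKE1xx013990: from=<other@example.invalid>, size=1200, class=0, nrcpts=1, msgid=<def@example.invalid>, proto=ESMTP, daemon=MTA, relay=[192.0.2.11]
Nov 14 14:14:01 mx1 sendmail[13990]: qAEKE1xx013990: Milter insert (1): header: X-Virus-Scanned: clamav-milter 0.97.6 at mx1.example.invalid
Nov 14 14:14:01 mx1 sendmail[13990]: qAEKE1xx013990: Milter insert (1): header: X-Virus-Status: Infected with Eicar-Test-Signature
Nov 14 14:15:00 mx1 sendmail[13995]: qAEKF0yy013995: from=<third@example.invalid>, size=900, class=0, nrcpts=1, msgid=<ghi@example.invalid>, proto=ESMTP, daemon=MTA, relay=[192.0.2.12]
"""

# "sendmail[pid]: <queue id>: <rest of record>"
QID_RE = re.compile(r"sendmail\[\d+\]: (?P<qid>[A-Za-z0-9]+): (?P<rest>.*)$")
# Envelope-sender record: from=<addr>, size=N, ..., relay=<host or [ip]>
FROM_RE = re.compile(r"^from=<(?P<sender>[^>]*)>")
SIZE_RE = re.compile(r"size=(?P<size>\d+)")
RELAY_RE = re.compile(r"relay=(?P<relay>.+?)(?:,|$)")
# Header the milter asked sendmail to insert: "Milter insert (n): header: Name: value"
MILTER_HDR_RE = re.compile(r"^Milter insert \(\d+\): header: (?P<name>[^:]+): (?P<value>.*)$")


def parse_sendmail_log(text):
    """Group log records by queue ID; keep sender, relay, size and milter-inserted headers."""
    messages = {}
    for line in text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue  # not a per-message sendmail record
        qid, rest = m.group("qid"), m.group("rest")
        entry = messages.setdefault(
            qid, {"from": None, "relay": None, "size": None, "headers": {}}
        )
        fm = FROM_RE.match(rest)
        if fm:
            entry["from"] = fm.group("sender")
            sm = SIZE_RE.search(rest)
            if sm:
                entry["size"] = int(sm.group("size"))
            rm = RELAY_RE.search(rest)
            if rm:
                entry["relay"] = rm.group("relay")
            continue
        hm = MILTER_HDR_RE.match(rest)
        if hm:
            entry["headers"][hm.group("name")] = hm.group("value")
    return messages


def scanned_clean(messages):
    """Queue IDs the milter explicitly passed as Clean (candidates for sample submission)."""
    return sorted(q for q, e in messages.items()
                  if e["headers"].get("X-Virus-Status") == "Clean")


def not_scanned(messages):
    """Queue IDs with no X-Virus-Status at all: the milter never rendered a verdict."""
    return sorted(q for q, e in messages.items()
                  if "X-Virus-Status" not in e["headers"])


def verdict_report(messages):
    """One line per message: queue id, sender, relay and the milter verdict (or NO-VERDICT)."""
    lines = []
    for qid in sorted(messages):
        e = messages[qid]
        status = e["headers"].get("X-Virus-Status", "NO-VERDICT")
        lines.append(f"{qid} from={e['from']} relay={e['relay']} status={status}")
    return lines


if __name__ == "__main__":
    msgs = parse_sendmail_log(SAMPLE_LOG)
    print("\n".join(verdict_report(msgs)))
    print("passed as Clean:", scanned_clean(msgs))
    print("no verdict:", not_scanned(msgs))
```

The two lists answer different questions: a queue ID in `scanned_clean` with a detection from another product is exactly the case to take to ClamAV's sample submission, while a queue ID in `not_scanned` means the message never reached the scanner (or the milter did not add headers for it), so the fix is on the milter/sendmail configuration side rather than in signatures. The header names are the ones shown in the thread's log; if your clamav-milter is configured to insert different headers, adjust `MILTER_HDR_RE` lookups accordingly.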