Thorvald Hallvardsson wrote:
> Hi,
>
> I have got clamav running on the box and recently had a complaint from the
> customer saying that he is getting viruses. In fact Clamav is finding
> phishing messages but any virus (besides eicar) is not being found. Tried
> to test it from the command line and it says that the files I'm checking
> are not infected when Kaspersky is picking up viruses
> (Trojan.Win32.Yakes.elfb) but clamav says OK.
>
> Tried the latest version of clamav also and the same. I have got databases
> up-to-date according to freshclam.

Based on local results I'm guessing the viruses slipping past ClamAV are "executable in an archive", which I have now been reporting one a day out of as many as 10+ per day reported by ISP customers.

Last time I checked, only one of the files I had archived was detected by ClamAV; as of a few moments ago only 6 of the 200+ archived files were detected with stock signatures. All of these files were, IIRC, flagged by one or more scanners on virustotal.com; commonly 10 or more.

I have been adding MD5 signatures, and somewhat more recently, .zmd .zip-content-filename signatures (for doubled-extension files), but I do not have time to dig more deeply and create more general signatures.

-kgd
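
As an added illustration of the stopgap described in the reply above (this is not code from either poster or from the ClamAV project): a Python sketch that walks a zip attachment, flags members with a doubled extension, and emits a ClamAV `.hdb` line (`MD5:size:name`) for each one. The extension lists, the `Local.DoubleExt` name prefix, and the size cap are assumptions chosen for the example.

```python
import hashlib
import io
import re
import zipfile

# Assumed lists: extensions treated as executable, and document-like decoys.
EXEC_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
# Two trailing extensions, allowing padding spaces before the last one.
DOUBLE_EXT = re.compile(r"\.([A-Za-z0-9]{2,4})\s*\.([A-Za-z0-9]{2,4})$")
MAX_MEMBER = 32 * 1024 * 1024  # assumed cap so a zip bomb is never inflated


def is_double_ext(name):
    """True for names like 'invoice.pdf.exe' (decoy ext followed by exec ext)."""
    m = DOUBLE_EXT.search(name)
    return bool(m) and m.group(1).lower() in DECOY_EXT and m.group(2).lower() in EXEC_EXT


def hdb_lines(zip_bytes, prefix="Local.DoubleExt"):
    """Return .hdb lines (MD5:size:name) for doubled-extension zip members."""
    lines = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_double_ext(info.filename):
                continue
            # Skip encrypted members (cannot be hashed) and oversized ones.
            if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            digest = hashlib.md5(data).hexdigest()
            lines.append(f"{digest}:{len(data)}:{prefix}.{digest[:8]}")
    return lines


def sample_zip():
    """Constructed sample archive; the payloads are harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"constructed sample, not malware")
        zf.writestr("readme.txt", b"hello")
        zf.writestr("setup.exe", b"single extension")
    return buf.getvalue()


if __name__ == "__main__":
    for line in hdb_lines(sample_zip()):
        print(line)
```

Each emitted line matches exactly one file, which is why hash signatures like these only catch samples already seen and do not replace more general signatures.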