Thank you for your info.

I am apt to conclude that this is a "false positive", but clamav-0.98.1 does not yield "high threat" warnings under the same scan conditions:

NVT:    SMTP antivirus scanner DoS
OID:    1.3.6.1.4.1.25623.1.0.11036
Threat: Log (CVSS: 7.2)
Port:   smtp (25/tcp)
        submission (587/tcp)

For some reason, we could not send the 42.zip file to this MTA

Vulnerability Detection Method:
Details:
SMTP antivirus scanner DoS
(OID: 1.3.6.1.4.1.25623.1.0.11036)

I wish some expert could account for this difference before the "false positive" conclusion.


On Sat, 24 May 2014, Greg Folkert wrote:

If this is like other "assumption based" Vulnerability scanning engines
(Rapid7 and Nessus and others)...

This is a return that is classified as a False Positive. Since you've
proven that it isn't doing what it thinks it is doing.

If your scanner works as expected and not as described, then you can
file a false positive determination with your scanning vendor.

On Sat, 2014-05-24 at 21:42 +0800, anc...@gmail.com wrote:
Yes. After each modification, I ran "killall -HUP -e clamd" to restart clamd.

The scan report reads:

NVT:    SMTP antivirus scanner DoS
OID:    1.3.6.1.4.1.25623.1.0.11036
Threat: High (CVSS: 7.2)
Port:   smtp (25/tcp)
        submission (587/tcp)

The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it
might have crashed. Please check its status right now, as it is
not possible to do so remotely

Vulnerability Detection Method:
Details:
SMTP antivirus scanner DoS
(OID: 1.3.6.1.4.1.25623.1.0.11036)

but both clamav-milter and clamd were still working well.


On Fri, 23 May 2014, Matus UHLAR - fantomas wrote:

On 23.05.14 11:50, anctop wrote:
I've tried to change the value of "MaxRecursion" in clamd.conf to 4
and 44 respectively, but both experiments yield the same result.

Did you reload/restart clamd afterwards? What was the result?

Can it be a problem with the MTA ?

I can't tell you without the information above
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml

--
greg folkert - systems administration and support
web:    donor.com
email:  g...@donor.com
phone:  877-751-3300 x416
direct: 616-328-6449 (direct dial and fax)
"All sweeping assertions are erroneous."
   -- Letitia Elizabeth Landon