I've synchronized all the feeds (NVT, SCAP, CERT) to ensure that the scan conditions are identical.

Firstly, with clamav-0.98.3, the same "high threat" was reported:

> NVT: SMTP antivirus scanner DoS
> OID: 1.3.6.1.4.1.25623.1.0.11036
> Threat: High (CVSS: 7.2)
> Port: smtp (25/tcp)
>
> The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it
> might have crashed. Please check its status right now, as it is
> not possible to do so remotely
>
> Vulnerability Detection Method:
> Details:
> SMTP antivirus scanner DoS
> (OID: 1.3.6.1.4.1.25623.1.0.11036)

The postmaster account got 2 messages, with subject lines "OpenVAS antivirus DoS 1: base64 attachment" and "OpenVAS antivirus DoS 2: uuencoded attachment", each with a copy of "42.zip" attached, plus 1 message with subject line "OpenVAS test - ignore it". The clamd.log file remained clean.

Then I reverted to clamav-0.98.1 and only a "log threat" was reported:

> NVT: SMTP antivirus scanner DoS
> OID: 1.3.6.1.4.1.25623.1.0.11036
> Threat: Log (CVSS: 7.2)
> Port: smtp (25/tcp)
>
> For some reason, we could not send the 42.zip file to this MTA
>
> Vulnerability Detection Method:
> Details:
> SMTP antivirus scanner DoS
> (OID: 1.3.6.1.4.1.25623.1.0.11036)

The postmaster account got only 1 message with subject line "OpenVAS test - ignore it", but the clamd.log file reported 2 alerts:

> fd[10]: Trojan.ArcBomb-1 FOUND
> fd[10]: Trojan.ArcBomb-1 FOUND

It seems that the difference was because clamav-0.98.3 failed to detect the "Trojan.ArcBomb-1". If this is the real cause, then the case is not a "false positive", but some definition is missing in clamav-0.98.3.

On 25/05/2014, Greg Folkert <g...@donor.com> wrote:
> On Sun, 2014-05-25 at 11:37 +0800, anc...@gmail.com wrote:
>> Thank you for your info.
>>
>> I am apt to conclude this as a "false positive", but clamav-0.98.1 does
>> not yield "high threat" warnings under the same scan conditions:
>
> And you back-rev'd and installed 0.98.1 and rescanned. I'm wondering if
> the scanner updated its rules or signatures or plugin used to detect.
>
> Sometimes they get a bit overzealous in changes and step over the
> line... especially with CVSS of 7 or higher. It is worth looking into to
> figure out when the plugin was updated.
>
>> > NVT: SMTP antivirus scanner DoS
>> > OID: 1.3.6.1.4.1.25623.1.0.11036
>> > Threat: Log (CVSS: 7.2)
>> > Port: smtp (25/tcp)
>> > submission (587/tcp)
>> >
>> > For some reason, we could not send the 42.zip file to this MTA
>> >
>> > Vulnerability Detection Method:
>> > Details:
>> > SMTP antivirus scanner DoS
>> > (OID: 1.3.6.1.4.1.25623.1.0.11036)
>>
>> I wish some expert can account for this difference before the "false
>> positive" conclusion.
>>
>
> --
> greg folkert - systems administration and support
> web: donor.com
> email: g...@donor.com
> phone: 877-751-3300 x416
> direct: 616-328-6449 (direct dial and fax)
> "There is always the need to carry on."
> -- Marjory Stoneman Douglas

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
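The NVT report above tells the administrator to check the MTA's antivirus "right now", and the thread's evidence for the two ClamAV versions comes down to whether clamd.log shows "Trojan.ArcBomb-1 FOUND" for the 42.zip attachments. The following is an added example, not code from the thread or from the ClamAV or OpenVAS projects, that does both defender-side checks: it tallies FOUND verdicts per signature from clamd.log text, and it PINGs clamd over its TCP socket to confirm the daemon is still up after the scan. Assumptions: the sample log lines are constructed (only the two FOUND lines mirror what the thread quotes), clamd is assumed to listen on the TCP port 3310 with TCPSocket enabled, and the "z"-prefixed, NUL-terminated command form of the clamd protocol is used.

```python
"""Post-scan checks for an SMTP antivirus DoS finding (added example).

1. parse_clamd_log(): count FOUND verdicts per signature in clamd.log text.
2. clamd_is_alive(): send PING to clamd over TCP, the "check its status
   right now" step the NVT report asks for.
"""
import re
import socket
from collections import Counter

# Constructed sample clamd.log: the two FOUND lines mirror the thread, the
# timestamps and the other lines are invented for illustration only.
SAMPLE_CLAMD_LOG = """\
Sun May 25 11:30:01 2014 -> SelfCheck: Database status OK.
Sun May 25 11:31:10 2014 -> fd[10]: Trojan.ArcBomb-1 FOUND
Sun May 25 11:31:12 2014 -> fd[10]: Trojan.ArcBomb-1 FOUND
Sun May 25 11:31:20 2014 -> fd[11]: OK
"""

# Matches "<source>: <signature> FOUND", with or without a leading
# "<timestamp> -> " prefix (clamd adds it when LogTime is enabled).
FOUND_RE = re.compile(r"^(?:.*?-> )?(?P<src>[^:]+): (?P<sig>\S+) FOUND$")


def parse_clamd_log(text):
    """Return a Counter mapping signature name -> number of FOUND verdicts."""
    hits = Counter()
    for line in text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits[m.group("sig")] += 1
    return hits


def archive_bomb_detected(text):
    """True if an ArcBomb-family signature fired, i.e. clamd rejected the
    42.zip attachment instead of letting the MTA accept it."""
    return any("ArcBomb" in sig for sig in parse_clamd_log(text))


def parse_clamd_reply(raw):
    """Decode one clamd reply; 'z'-prefixed commands get NUL-terminated answers."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace").strip()


def clamd_query(cmd, host="127.0.0.1", port=3310, timeout=5.0):
    """Send a NUL-delimited clamd command (PING, VERSION, ...) and return the
    reply text. Assumes clamd listens on host:port with TCPSocket enabled."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"z" + cmd.encode("ascii") + b"\0")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\0" in data:
                break
    return parse_clamd_reply(b"".join(chunks))


def clamd_is_alive(host="127.0.0.1", port=3310):
    """PING clamd; a healthy daemon answers PONG, anything else counts as down."""
    try:
        return clamd_query("PING", host, port) == "PONG"
    except OSError:
        return False


if __name__ == "__main__":
    hits = parse_clamd_log(SAMPLE_CLAMD_LOG)
    print("FOUND verdicts per signature:", dict(hits))
    print("archive bomb caught:", archive_bomb_detected(SAMPLE_CLAMD_LOG))
    print("clamd alive:", clamd_is_alive())
```

Run against the real log with `parse_clamd_log(open("/var/log/clamav/clamd.log").read())`; an empty Counter after the scan, as with clamav-0.98.3 in the thread, means the attachments were accepted without a verdict, while a PONG from `clamd_is_alive()` rules out the crash the NVT warns about.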