You have answered your own question by research, a possible problem with 0.98.3... Bravo.
Proceed on then and report it as a failure to detect or in some ways a False Negative. Mainly because as it stands, your whole thread is based on a CVSS Scan issue. While this isn't the issue, but is a symptom... you should probably now report this as a proper issue. I don't work for Sourcefire/Cisco so don't hold it against them.

On Mon, 2014-05-26 at 15:56 +0800, anctop wrote:
> I've synchronized all the feeds (NVT, SCAP, CERT) to ensure that the
> scan conditions are identical.
>
> Firstly, with clamav-0.98.3, the same "high threat" was reported :
>
> > NVT: SMTP antivirus scanner DoS
> > OID: 1.3.6.1.4.1.25623.1.0.11036
> > Threat: High (CVSS: 7.2)
> > Port: smtp (25/tcp)
> >
> > The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might
> > have crashed. Please check its status right now, as it is
> > not possible to do so remotely
> >
> > Vulnerability Detection Method:
> > Details:
> > SMTP antivirus scanner DoS
> > (OID: 1.3.6.1.4.1.25623.1.0.11036)
>
> The postmaster account got 2 messages, with subject lines "OpenVAS
> antivirus DoS 1: base64 attachment" and "OpenVAS antivirus DoS 2:
> uuencoded attachment", each has a copy of "42.zip" attached, plus 1
> message with subject line "OpenVAS test - ignore it". The clamd.log
> file remained clean.
>
> Then revert to clamav-0.98.1 and only a "log threat" was reported :
>
> > NVT: SMTP antivirus scanner DoS
> > OID: 1.3.6.1.4.1.25623.1.0.11036
> > Threat: Log (CVSS: 7.2)
> > Port: smtp (25/tcp)
> >
> > For some reason, we could not send the 42.zip file to this MTA
> >
> > Vulnerability Detection Method:
> > Details:
> > SMTP antivirus scanner DoS
> > (OID: 1.3.6.1.4.1.25623.1.0.11036)
>
> The postmaster account got only 1 message with subject line "OpenVAS
> test - ignore it", but the clamd.log files reported 2 alerts :
>
> > fd[10]: Trojan.ArcBomb-1 FOUND
> > fd[10]: Trojan.ArcBomb-1 FOUND
>
> It seems that the difference was because clamav-0.98.3 failed to
> detect the "Trojan.ArcBomb-1".
> If this is the real cause, then the case is not a "false positive",
> but some definition is missing in clamav-0.98.3.
>
>
> On 25/05/2014, Greg Folkert <g...@donor.com> wrote:
> > On Sun, 2014-05-25 at 11:37 +0800, anc...@gmail.com wrote:
> >> Thank you for your info.
> >>
> >> I am apt to conclude this as a "false positive", but clamav-0.98.1 does not
> >> yield "high threat" warnings under the same scan conditions :
> >
> > And you back-rev'd and installed 0.98.1 and rescanned. I'm wondering if
> > the scanner updated its rules or signatures or plugin used to detect.
> >
> > Sometimes they get a bit overzealous in changes and step over the
> > line... especially with CVSS of 7 or higher. It is worth looking to
> > figure out when the plugin was updated.
> >
> >> > NVT: SMTP antivirus scanner DoS
> >> > OID: 1.3.6.1.4.1.25623.1.0.11036
> >> > Threat: Log (CVSS: 7.2)
> >> > Port: smtp (25/tcp)
> >> > submission (587/tcp)
> >> >
> >> > For some reason, we could not send the 42.zip file to this MTA
> >> >
> >> > Vulnerability Detection Method:
> >> > Details:
> >> > SMTP antivirus scanner DoS
> >> > (OID: 1.3.6.1.4.1.25623.1.0.11036)
> >>
> >> I wish some expert can account for this difference before the "false
> >> positive" conclusion.
> >>
> >
> > --
> > greg folkert - systems administration and support
> > web: donor.com
> > email: g...@donor.com
> > phone: 877-751-3300 x416
> > direct: 616-328-6449 (direct dial and fax)
> > "There is always the need to carry on."
> > -- Marjory Stoneman Douglas
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

--
greg folkert - systems administration and support
web: donor.com
email: g...@donor.com
phone: 877-751-3300 x416
direct: 616-328-6449 (direct dial and fax)
"Let others laugh when you sacrifice desire to duty, if they will. You have time and eternity to rejoice in."
-- Theodore Parker
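The thread's diagnostic method is to compare what the OpenVAS NVT reports against what clamd itself logged for the two test attachments. The following is an added example (not code from this thread, the ClamAV project or OpenVAS) that lets an administrator run that check independently of the scanner: it counts `FOUND` entries for a signature in clamd.log lines, and it frames a payload for clamd's INSTREAM socket command and parses the reply, so a sample can be scanned directly and the result compared with the log. The log lines are constructed to mirror the two `Trojan.ArcBomb-1` alerts quoted above; the TCP address 127.0.0.1:3310 is assumed (clamd only listens there if `TCPSocket` is enabled in clamd.conf).

```python
import re
import socket
import struct
import sys

# Constructed sample clamd.log excerpt, modelled on the two alerts quoted in the thread
# (clamd prefixes each line with a timestamp and "-> ").
SAMPLE_CLAMD_LOG = """\
Mon May 26 15:40:01 2014 -> fd[10]: Trojan.ArcBomb-1 FOUND
Mon May 26 15:40:02 2014 -> fd[10]: Trojan.ArcBomb-1 FOUND
Mon May 26 15:40:03 2014 -> fd[11]: OK
"""

FOUND_RE = re.compile(r"(?P<target>\S+): (?P<signature>\S+) FOUND$")


def found_signatures(log_text):
    """Return the signature name of every 'FOUND' line in clamd.log text, in order."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.search(line.strip())
        if m:
            hits.append(m.group("signature"))
    return hits


def missed_detections(log_text, attachments_sent, signature="Trojan.ArcBomb-1"):
    """How many of the attachments the scanner delivered produced no matching alert.
    0 means clamd caught every copy; a positive value is the false-negative count."""
    return attachments_sent - found_signatures(log_text).count(signature)


def instream_frames(payload, chunk_size=8192):
    """Frame a payload for clamd's INSTREAM command: 'zINSTREAM\\0', then chunks
    each prefixed with a 4-byte big-endian length, terminated by a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(payload), chunk_size):
        chunk = payload[i:i + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def parse_instream_reply(reply):
    """Parse a NUL-terminated clamd reply: 'stream: OK', 'stream: <sig> FOUND'
    or 'stream: <message> ERROR'. Returns (status, signature_or_message)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        body = text.split(": ", 1)[1]
        return ("FOUND", body[:-len(" FOUND")])
    if text.endswith(" OK"):
        return ("OK", None)
    return ("ERROR", text)


def scan_with_clamd(payload, address=("127.0.0.1", 3310), timeout=30.0):
    """Send payload to a running clamd over TCP (assumed address) and return
    the parsed verdict. Requires TCPSocket in clamd.conf; not exercised offline."""
    with socket.create_connection(address, timeout=timeout) as sock:
        sock.sendall(instream_frames(payload))
        reply = b""
        while not reply.endswith(b"\0"):
            part = sock.recv(4096)
            if not part:
                break
            reply += part
    return parse_instream_reply(reply)


if __name__ == "__main__":
    # Usage: python check_clamd.py <file-to-scan> [clamd.log]
    # Scans the file through clamd, then reports how many of the two copies the
    # scanner sent (as in the thread) are missing from the log.
    verdict = scan_with_clamd(open(sys.argv[1], "rb").read())
    print("clamd verdict:", verdict)
    if len(sys.argv) > 2:
        log_text = open(sys.argv[2], encoding="utf-8", errors="replace").read()
        print("missed detections:", missed_detections(log_text, attachments_sent=2))
```

A direct INSTREAM scan separates the two questions the thread conflates: whether the MTA handed the attachment to clamd at all, and whether clamd's current signature set matches it. If the INSTREAM verdict is `OK` on a sample that an earlier release flagged, the gap is in the signatures or archive limits, not in the scanner plugin.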