This is another post about the problems that some people have been
having with sco.a seemingly making it past clam due to dodgy mime
structure in bounce messages.
I noticed that Symantec on our exchange servers (which are behind a
mailscanner box running clam and sophos) is picking up a few Sco's
On Wed, 4 Feb 2004 14:16:07 +
Nigel Horne <[EMAIL PROTECTED]> wrote:
> On Wednesday 04 Feb 2004 1:26 pm, James F. Hranicky wrote:
>
> > The files can be found here
> >
> > http://www.cise.ufl.edu/~jfh/sco-examples
>
> But they can't be accessed:
Sorry, fixed.
> As usual, the best metho
On Wednesday 04 Feb 2004 1:26 pm, James F. Hranicky wrote:
> The files can be found here
>
> http://www.cise.ufl.edu/~jfh/sco-examples
But they can't be accessed:
www.cise.ufl.edu/~jfh/sco-examples/vir1
Either you are not authorized to access the requested page on the CISE Web Server, or
ClamAV version : clamscan / ClamAV version devel-20040203
OS : FreeBSD 4.9-STABLE #35: Wed Jan 28
It seems clamscan is having trouble finding SCO.a in a multiply-attached
file.
I have the following files:
vir1: multiply-attached message with SCO.a
Try the --mbox option on clamscan. I was having this problem too.
Jim
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of McKeever
> Chris
> Sent: Monday, February 02, 2004 10:42 PM
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] s
I am able to quarantine files based on attachments using qmail-scanner. However, when
they are in the quarantine,
clamscan (not clamdscan) is not picking the sco.a virus. It finds the sco.a when it
is just a regular file, it picks up other viruses when they
are in the quarantine, I am just hav
On Sat, 31 Jan 2004 08:37:09 - "Nigel Horne" <[EMAIL PROTECTED]>
exclaimed:
> Already in CVS. It's not a fix though, it's a new feature.
Of course it is!
Shawn
---
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Op
I believe you need ScanMail in the clamd.conf file.
Regards,
Rick
Erik Bourget wrote:
Hey,
Clam does catch other viruses but is failing to catch this sco.a thing for
some reason. Does anyone have any insight?
The only two kinds of malware caught this morning are Worm.Gibe.F and
Exploit.IFrame.
On Sat, 31 Jan 2004 09:00:21 + (GMT)
Andy Fiddaman <[EMAIL PROTECTED]> wrote:
>
> I wouldn't normally suggest changing the signature name for a virus
> because it is very common for different virus scanners to call the
> same virus by different names, and sometimes it's nice just to be
> dife
I wouldn't normally suggest changing the signature name for a virus
because it is very common for different virus scanners to call the same
virus by different names, and sometimes it's nice just to be diferent ;);
however with SCO.A/MyDoom I think there would be some merit in changing
the name rep
> You were absolutely right, the msgs I was referring to were all bounces, my
> mistake. Is there a fix in the works for this?
Already in CVS. It's not a fix though, it's a new feature.
> Shawn
-Nigel
Ok Nigel,
You were absolutely right, the msgs I was referring to were all bounces, my
mistake. Is there a fix in the works for this?
Shawn
On Tue, 27 Jan 2004 16:59:08 + Nigel Horne <[EMAIL PROTECTED]>
exclaimed:
> On Tuesday 27 Jan 2004 2:31 pm, Shawn Tayler wrote:
> > Nigel,
> >
> > I hav
On Wed, 28 Jan 2004 17:34:33 + Nigel Horne <[EMAIL PROTECTED]>
exclaimed:
> This comment has been obsoleted by the changes to today's CVS snapshot.
>
> > > Shawn
> >
> > -Nigel
Excellent Thanks
On Tuesday 27 Jan 2004 4:59 pm, I wrote:
> Yes but please send me the original. Many people send me the bounce
> message which contains the virus. This is no help to the parser, I must
> have the original.
This comment has been obsoleted by the changes to today's CVS snapshot.
> > Shawn
>
> -Nig
> Tayler
> Sent: Tuesday, January 27, 2004 9:31 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] SCO.a
>
>
>
>
> Nigel,
>
> I have several examples of this. Even with older virii.
>
> Would you be interested in them as well?
>
> Shawn
>
> On T
Nigel - I sent a message to you that made it through the system after I turned off the
second AV for the mail.
so that is an *original* copy of an email that got through
thanks
---
Chris McKeever
If you want to reply directly to me, please use cgmckeever--
I dunno but I had to restart clamd on all my servers this morning to get
it to notice them.. is that normal?
On Tue, 2004-01-27 at 10:24, Erick Ivaan Lopez Carreon wrote:
> On Tue, 27-01-2004 at 02:52, Nigel Horne wrote:
> > On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
> >
> > > An
I am curious,
It appears that I have missed something very important in my Clamav setup,
0.65, in that I have several examples of Maildir files that contain a
known, detectable virus, that will not show as containing such unless the
file is converted to binary from mime.
I use the --mbox and -
On Mon, 26 Jan 2004, Rick Macdougall wrote:
> I've blocked over 1000 of them in the last hour or so since I forced a
> freshclam.
Oddly enough, Spam Assassin picked one up for me at 4:45 PM EST here. at
4:50, my hourly cron job ran, updated the DB, and I've been filtering them
ever since.
Seem t
On Tuesday 27 Jan 2004 2:31 pm, Shawn Tayler wrote:
> Nigel,
>
> I have several examples of this. Even with older virii.
>
> Would you be interested in them as well?
Yes but please send me the original. Many people send me the bounce
message which contains the virus. This is no help to the parser
Nigel - thanks for the reply - I didn't have an original, because they do get caught by
the second filter...
I will play around with it and see if I can..however, I sent you an attached file
with the virus that does get through clam
On Tue, 27 Jan 2004 06:31 , Shawn Tayler <[EMAIL PROTECTED]> se
On Tuesday 27 January 2004 11:12 am, Nigel Horne wrote:
> I don't want to labour the point, but let me make this clear.
>
> ClamAV DOES find SCO.a in attachments.
> ClamAV DOES NOT find viruses in bounce message bodies, all of the examples
> being posted are of bounces. Bounce messages do not have
I don't want to labour the point, but let me make this clear.
ClamAV DOES find SCO.a in attachments.
ClamAV DOES NOT find viruses in bounce message bodies, all of the examples being
posted are of bounces. Bounce messages do not have attachments, though they often
look like they do. This is an issue
On Tuesday 27 January 2004 09:16 am, Nigel Horne wrote:
> On Tuesday 27 Jan 2004 4:14 pm, McKeever Chris wrote:
> > Nigel - thanks for the reply - I didn't have an original, because they do
> > get caught by the second filter... I will play around with it and see if
> > I can..however, I sent you an
On Tue, 27-01-2004 at 11:21, McKeever Chris wrote:
> it finds it fine when it is still an attachment, or after the file has been
> extracted from the email?
>
When the file is still attached
Only last night I updated the virus DB with freshclam, and this morning
another update.
Greetings.
it finds it fine when it is still an attachment, or after the file has been extracted
from the email?
---
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
http://www.prupref.com
On Tue, 27 Jan 2004 09:24 ,
On Tuesday 27 Jan 2004 4:14 pm, McKeever Chris wrote:
> Nigel - thanks for the reply - I didn't have an original, because they do
> get caught by the second filter... I will play around with it and see if I
> can..however, I sent you an attached file with the virus that does get
> through clam
I'd
On Tue, 27-01-2004 at 02:52, Nigel Horne wrote:
> On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
>
> > Any suggestions? It finds other virii fine when they are still encoded,
> > maybe the definitions need to be added for its MIME version?
>
> Please forward an *original* copy (hmm,
Nigel,
I have several examples of this. Even with older virii.
Would you be interested in them as well?
Shawn
On Tue, 27 Jan 2004 08:52:58 + Nigel Horne <[EMAIL PROTECTED]>
exclaimed:
> On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
>
> > Any suggestions? It finds other virii f
On Tuesday 27 Jan 2004 3:11 am, McKeever Chris wrote:
> Any suggestions? It finds other virii fine when they are still encoded,
> maybe the definitions need to be added for its MIME version?
Please forward an *original* copy (hmm, that's a contradiction in terms)
of the e-mail to me at [EMAIL PR
On Mon, 26 Jan 2004, Kevin Spicer wrote:
> On Mon, 2004-01-26 at 23:19, Rick Macdougall wrote:
> > McAfee has picked it up and is calling it MyDOOM.
> >
> Symantec are calling it [EMAIL PROTECTED]
And Kaspersky don't seem to have any name or even any kind of information
for it.
--
Tim Wilde
[
clamscan is finding the SCO.a fine after the attachment has been decoded out of an
email:
/var/spool/qmailscan/quarantine/new/body.pif: Worm.SCO.A FOUND
but it will not find it while it is still in the body of the attachment mime encoded.
/var/spool/qmailscan/quarantine/new/prupref-mailgate1075
On Mon, 2004-01-26 at 23:19, Rick Macdougall wrote:
> Hi,
>
> McAfee has picked it up and is calling it MyDOOM.
>
Symantec are calling it [EMAIL PROTECTED]
BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
Hi,
McAfee has picked it up and is calling it MyDOOM.
Virus Information
Name: W32/[EMAIL PROTECTED]
Risk Assessment
- Home Users: High-Outbreak
- Corporate Users: High-Outbreak
Date Discovered: 1/26/2004
Date Added: 1/26/2004
Origin: Unknown
Length:
34 matches