Hmmm. Maybe I am not understanding the differences between clamscan and clamd. When I run clamscan, it finds the Gibe virus as it did for you, but clamd may or may not, depending on how it is invoked. Take a look at this output:

SAMPLE 1: SCAN /var/ftp/update984.exe individually
[EMAIL PROTECTED] ftp]# clamdctl -c SCAN -a /var/ftp/update984.exe -s /tmp/clamd
FILE/DIR INFECTED : [/var/ftp/update984.exe]
VIRUS FOUND   : [Worm.Gibe.B]
resp=/var/ftp/update984.exe: Worm.Gibe.B FOUND

SAMPLE 2: SCAN /var/ftp/joke.exe individually
[EMAIL PROTECTED] ftp]# clamdctl -c SCAN -a /var/ftp/joke.exe -s /tmp/clamd
FILE/DIR INFECTED : [/var/ftp/joke.exe]
VIRUS FOUND   : [W98/Hybris.E]
resp=/var/ftp/joke.exe: W98/Hybris.E FOUND

SAMPLE 3: SCAN /var/ftp directory
[EMAIL PROTECTED] ftp]# clamdctl -c SCAN -a /var/ftp -s /tmp/clamd
FILE/DIR INFECTED : [/var/ftp]
VIRUS FOUND   : [ClamAV-Test-Signature]
resp=/var/ftp/clamav-0.54.tar.gz: ClamAV-Test-Signature FOUND

Note that neither is found, but the test signature in the clamav source IS found. Why is this? Is it that SCAN exclusively scans archives?

Likewise, the results using RAWSCAN are also inconsistent, depending on how clamd is invoked:
[EMAIL PROTECTED] ftp]# clamdctl -c RAWSCAN -a /var/ftp/update984.exe -s /tmp/clamd
FILE/DIR INFECTED : [/var/ftp/update984.exe]
VIRUS FOUND : [Worm.Gibe.B]
resp=/var/ftp/update984.exe: Worm.Gibe.B FOUND
[EMAIL PROTECTED] ftp]# clamdctl -c RAWSCAN -a /var/ftp/joke.exe -s /tmp/clamd
FILE/DIR INFECTED : [/var/ftp/joke.exe]
VIRUS FOUND : [W98/Hybris.E]
resp=/var/ftp/joke.exe: W98/Hybris.E FOUND
[EMAIL PROTECTED] ftp]# clamdctl -c RAWSCAN -a /var/ftp -s /tmp/clamd
FILE/DIR INFECTED : [/var/ftp]
VIRUS FOUND : [W98/Hybris.E]
resp=/var/ftp/joke.exe: W98/Hybris.E FOUND


Since RAWSCAN has archive support disabled, shouldn't it have found Gibe also?

The program I'm using, clamdctl, is a Perl program I wrote to control the clamd daemon. It allows you to send it QUIT, PING, etc. commands. I borrowed quite a bit from the test-clamd.pl program in the qmail-scanner/contrib directory, and added quite a bit too. You can download it here:
<http://www.macalester.edu/~fines/clamdctl>


Thanks,
Ted Fines

--On Thursday, June 19, 2003 3:52 PM +0200 Tomasz Kojm <[EMAIL PROTECTED]> wrote:

OK, thanks.  I emailed a copy of the virus to
[EMAIL PROTECTED]  Please let me know what you find out.

Something must be wrong with your clamav installation, because:



[EMAIL PROTECTED]:~/Mail$ clamscan update984.exe
update984.exe: Worm.Gibe.B FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7845
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.15 Mb
I/O buffer size: 131072 bytes
Time: 0.506 sec (0 m 0 s)

Best regards,
Tomasz Kojm
--
      oo    .....       [EMAIL PROTECTED]
     (\/)\.........     http://www.konarski.edu.pl/~zolw
        \..........._   And don't forget to click the belly...
          //\   /\\     <- C. Amboinensis    www.pajacyk.pl          

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
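
An added example, not part of the original messages or of clamdctl: it parses the `resp=` reply lines shown in the output above and lists the files that were flagged when scanned alone but not reported by the directory run. The reply lines are copied from the message; the function names are hypothetical.

```python
import re

# Reply lines copied from the clamdctl output in the message above
# ("resp=" is clamdctl's own prefix and is stripped before parsing).
INDIVIDUAL = [
    "resp=/var/ftp/update984.exe: Worm.Gibe.B FOUND",
    "resp=/var/ftp/joke.exe: W98/Hybris.E FOUND",
]
DIR_SCAN = ["resp=/var/ftp/clamav-0.54.tar.gz: ClamAV-Test-Signature FOUND"]
DIR_RAWSCAN = ["resp=/var/ftp/joke.exe: W98/Hybris.E FOUND"]

# "<path>: <signature> FOUND" or "<path>: OK". The greedy path group splits
# on the last ": ", so a path that itself contains ": " still parses.
REPLY = re.compile(r"^(?P<path>.+): (?P<sig>.*?)\s*(?P<status>FOUND|OK)$")

def parse_reply(line):
    """Split one clamd reply into (path, status, signature or None)."""
    text = line.strip()
    if text.startswith("resp="):
        text = text[len("resp="):]
    m = REPLY.match(text)
    if m is None:
        # Anything else (for example an ERROR reply) is raised, so a failed
        # scan is never counted as a clean one.
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    return m["path"], m["status"], m["sig"] or None

def detections(replies):
    """Map path -> signature for every FOUND reply."""
    found = {}
    for line in replies:
        path, status, sig = parse_reply(line)
        if status == "FOUND":
            found[path] = sig
    return found

def missed_by_directory_scan(individual, directory):
    """Files flagged when scanned alone but absent from the directory run."""
    alone, together = detections(individual), detections(directory)
    return {p: s for p, s in alone.items() if p not in together}

if __name__ == "__main__":
    for name, run in (("SCAN", DIR_SCAN), ("RAWSCAN", DIR_RAWSCAN)):
        missed = missed_by_directory_scan(INDIVIDUAL, run)
        for path, sig in sorted(missed.items()):
            print(f"{name} /var/ftp did not report {path} ({sig})")
```

The clamd man page documents CONTSCAN as the variant that does not stop scanning when a virus is found, so a single reply for a directory should not be read as a complete inventory of its infected files.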





