Hi guys,

ClamAV has been on my servers for quite a while, with clamscan: 0.65, spamassassin: 2.61, 
qmail-scanner-queue 1.16.

I was quite happy about all of that, but I recently figured out that clamav doesn't 
intercept the viruses… I launched the tests from www.testvirus.org and all of them 
pass through.

Here is the log for one email with a virus in my qmail-queue.log:

08/03/2004 11:10:12:21385: +++ starting debugging for process 21385 by uid=101 at 
08/03/2004 11:10:12
08/03/2004 11:10:12:21385: setting UID to EUID so subprocesses can access files 
generated by this script
08/03/2004 11:10:12:21385: program name is qmail-scanner-queue.pl, version 1.16
08/03/2004 11:10:12:21385: incoming SMTP connection from via smtp from 172.xxx.xxx.xxx
08/03/2004 11:10:12:21385: w_c: mkdir 
/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385
08/03/2004 11:10:12:21385: w_c: start dumping incoming msg into 
/var/spool/qmailscan/working/tmp/slash.xxxxxxxxxx.net107877301242621385 
[1078773012.32988]
08/03/2004 11:10:12:21385: w_c: rename new msg from 
/var/spool/qmailscan/working/tmp/slash.xxxxxxxxxx.net107877301242621385 to 
/var/spool/qmailscan/working/new/slash.xxxxxxxxxx.net107877301242621385 
[1078773012.33178]
08/03/2004 11:10:12:21385: d_m: starting /usr/local/bin/reformime  
-x/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385/ 
</var/spool/qmailscan/working/new/slash.xxxxxxxxxx.net107877301242621385 
[1078773012.33211]
08/03/2004 11:10:12:21385: d_m: finished /usr/local/bin/reformime  
-x/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385/ [1078773012.34114]
08/03/2004 11:10:12:21385: d_m: Checking all attachments to see if they're MS-TNEF
08/03/2004 11:10:12:21385: d_m: is 
/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385/1078773012.21387-0.slash.xxxxxxxxxx.net
 is a TNEF file?: 256 [1078773012.3445]
08/03/2004 11:10:12:21385: d_m: is 
/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385/eicar.com is a TNEF file?: 
256 [1078773012.34774]
08/03/2004 11:10:12:21385: d_m: Manually unpack any zip files as some virus scanners 
don't do zip under Unix!
08/03/2004 11:10:12:21385: d_m: unpacking message took 0.016119 seconds
08/03/2004 11:10:12:21385: unsetting QMAILQUEUE env var
08/03/2004 11:10:12:21385: g_e_h: return-path is "[EMAIL PROTECTED]", recips is 
"[EMAIL PROTECTED]"
08/03/2004 11:10:12:21385: from="testvirus.org" <[EMAIL PROTECTED]>,subj=Virus Scanner 
Test, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via smtp from 172.xxx.xxx.xxx
08/03/2004 11:10:12:21385: ini_sc: start scanning
08/03/2004 11:10:12:21385: p_s: starting scan of directory 
"/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385"...
08/03/2004 11:10:12:21385: p_s:  '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter 
Virus/Trojan'
08/03/2004 11:10:12:21385: p_s:  type is a header!
08/03/2004 11:10:12:21385: p_s:  checking for objects containing subject: ILOVEYOU
08/03/2004 11:10:12:21385: p_s:  '82:message/partial' = 'Virus-content-type' = 
'Message/partial MIME attachments blocked by policy'
08/03/2004 11:10:12:21385: p_s:  type is a header!
08/03/2004 11:10:12:21385: p_s:  checking for objects containing content-type: 
message/partial
08/03/2004 11:10:12:21385: p_s:  '85:.{100,}' = 'Virus-date' = 'MIME Header Buffer 
Overflow'
08/03/2004 11:10:12:21385: p_s:  type is a header!
08/03/2004 11:10:12:21385: p_s:  checking for objects containing date: .{100,}
08/03/2004 11:10:12:21385: p_s:  '86:.{100,}' = 'Virus-mime-version' = 'MIME Header 
Buffer Overflow '
08/03/2004 11:10:12:21385: p_s:  type is a header!
08/03/2004 11:10:12:21385: p_s:  checking for objects containing mime-version: .{100,}
08/03/2004 11:10:12:21385: p_s:  '87:.{100,}' = 'Virus-resent-date' = 'MIME Header 
Buffer Overflow'
08/03/2004 11:10:12:21385: p_s:  type is a header!
08/03/2004 11:10:12:21385: p_s:  checking for objects containing resent-date: .{100,}
08/03/2004 11:10:12:21385: p_s:  '90:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan 
exploit!'
08/03/2004 11:10:12:21385: p_s:  type is a header!
08/03/2004 11:10:12:21385: p_s:  checking for objects containing to: [EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
08/03/2004 11:10:12:21385: p_s:  'eicar.com' = '69' = 'EICAR Test Virus'
08/03/2004 11:10:12:21385: p_s: type is a size!
08/03/2004 11:10:12:21385: p_s:  'happy99.exe' = '10000' = 'Happy99 Trojan'
08/03/2004 11:10:12:21385: p_s: type is a size!
08/03/2004 11:10:12:21385: p_s:  'zipped_files.exe' = '120495' = 
'W32/ExploreZip.worm.pak virus'
08/03/2004 11:10:12:21385: p_s: type is a size!
08/03/2004 11:10:12:21385: p_s: skipping auto-generated file 
1078773012.21387-0.slash.xxxxxxxxxx.net
08/03/2004 11:10:12:21385: p_s: checking eicar.com against perlscanner database...
08/03/2004 11:10:12:21385: p_s: file eicar.com is lowercased to eicar.com and has 
extension .com
08/03/2004 11:10:12:21385: p_s: compare eicar.com against perlscanner database
08/03/2004 11:10:12:21385: p_s:  finished scan of dir 
"/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385" in 0.004102 secs
08/03/2004 11:10:12:21385: ini_sc: recursively scan the directory 
/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385/
08/03/2004 11:10:12:21385: scanloop: starting scan of directory 
"/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385"...
08/03/2004 11:10:12:21385: clamscan: starting scan of directory 
"/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385"...
08/03/2004 11:10:12:21385: run /usr/local/bin/clamscan -r  
--tempdir=/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385 
--disable-summary --unzip --unrar --unace --unarj --zoo --lha --jar --tar --tgz  
/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385 2>&1
08/03/2004 11:10:12:21385: --output of clamscan was:
--
08/03/2004 11:10:12:21385: clamscan: finished scan of dir 
"/var/spool/qmailscan/slash.xxxxxxxxxx.net107877301242621385" in 0.415123 secs
08/03/2004 11:10:12:21385: SA: run /usr/bin/spamc  -u spamd -f < 
/var/spool/qmailscan/working/new/slash.xxxxxxxxxx.net107877301242621385


Is there anything wrong?
In my quarantine.log, I have only:

08/03/2004 09:19:06     [EMAIL PROTECTED] [EMAIL PROTECTED]    Re: EPYZKQDG, name 
begins with  Illegal breakage found in header name - potential virus        clamscan: 
0.65. spamassassin: 2.61. 
08/03/2004 10:15:49     [EMAIL PROTECTED] [EMAIL PROTECTED]        Re: FIAN, at around 
fourIllegal breakage found in header name - potential virus clamscan: 0.65. 
spamassassin: 2.61. 
08/03/2004 10:39:33     [EMAIL PROTECTED]    [EMAIL PROTECTED]       Virus Scanner 
TestEICAR Test Virus        clamscan: 0.65. spamassassin: 2.61. 
08/03/2004 11:02:49     [EMAIL PROTECTED]     [EMAIL PROTECTED]      Re: MW, little 
horseshoe which Illegal breakage found in header name - potential virus clamscan: 
0.65. spamassassin: 2.61. 
08/03/2004 11:07:45     [EMAIL PROTECTED]      [EMAIL PROTECTED] Re: QIMJ, and here 
occurredIllegal breakage found in header name - potential virus clamscan: 0.65. 
spamassassin: 2.61. 
08/03/2004 11:32:30     [EMAIL PROTECTED]    [EMAIL PROTECTED]    Re: OJ, was lit with 
   Illegal breakage found in header name - potential virus        clamscan: 0.65. 
spamassassin: 2.61. 
08/03/2004 11:41:10     [EMAIL PROTECTED]      [EMAIL PROTECTED]    Re: XWHRNPYY, such 
a crowd!    Illegal breakage found in header name - potential virus clamscan: 0.65. 
spamassassin: 2.61. 
08/03/2004 11:48:07     [EMAIL PROTECTED]   [EMAIL PROTECTED]      Re: RGEDJBH, madame 
belomuts grief     Illegal breakage found in header name - potential virus clamscan: 
0.65. spamassassin: 2.61.



Any help would be appreciated.

Jeff
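
Added example (not part of Jeff's post and not qmail-scanner code): a small Python triage script that reads qmail-scanner debug log records of the kind quoted above and lists scanner runs whose captured output is empty, like the clamscan run for process 21385, next to runs that report a hit. It assumes one log record per line as written on disk (not e-mail-wrapped); the sample log is constructed and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the debug lines in the post (paths shortened);
# the second session, with a FOUND line, is invented for contrast.
SAMPLE_LOG = """\
08/03/2004 11:10:12:21385: run /usr/local/bin/clamscan -r --disable-summary /var/spool/qmailscan/msg1 2>&1
08/03/2004 11:10:12:21385: --output of clamscan was:
--
08/03/2004 11:10:12:21385: clamscan: finished scan of dir "/var/spool/qmailscan/msg1" in 0.415123 secs
08/03/2004 11:12:40:21990: run /usr/local/bin/clamscan -r --disable-summary /var/spool/qmailscan/msg2 2>&1
08/03/2004 11:12:40:21990: --output of clamscan was:
/var/spool/qmailscan/msg2/eicar.com: Eicar-Test-Signature FOUND
--
"""

STAMP = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:(\d+): (.*)$")
OUTPUT_HDR = re.compile(r"^--output of (\S+) was:$")

def scanner_runs(log_text):
    """Return one dict per scanner run: pid, scanner, command, output lines."""
    runs, current, last_cmd = [], None, {}
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if current is not None and (m or line.strip() == "--"):
            runs.append(current)              # "--" or a new log record closes the block
            current = None
        elif current is not None and line.strip():
            current["output"].append(line.strip())
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("run "):
            last_cmd[pid] = msg[4:]           # remember the command line for this pid
        hdr = OUTPUT_HDR.match(msg)
        if hdr:
            current = {"pid": pid, "scanner": hdr.group(1),
                       "command": last_cmd.get(pid, ""), "output": []}
    if current is not None:                   # log ended inside an output block
        runs.append(current)
    return runs

def silent_runs(runs):
    """Runs where the scanner printed nothing at all (no verdict, no error)."""
    return [r for r in runs if not r["output"]]

def detections(runs):
    """(pid, line) for every scanner output line that reports a hit."""
    return [(r["pid"], l) for r in runs for l in r["output"] if l.endswith(" FOUND")]
```

A run listed by `silent_runs` is worth replaying by hand with the logged `command` against the same directory to see what the scanner prints outside the queue wrapper.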