Hello,

For the first time since installing ClamAV on our mail server over 6 months ago, we have had a virus get through. It was picked up on the user's desktop by Symantec Corporate AV as Netsky.P. I did some research and this is what I have found:
First of all, I do not have the message in original form because it was popped down to Outlook before I was able to look at it. All I have is the message copy/pasted from Outlook into a text file. This message was a bounce notice from some other mail server, and the only reason it came to my server is because a user of mine was used as the spoofed From address. If I scan this text file, clamscan 0.70 does not find any virus. If I remove the lines below:

------------------------------------------
-----Original Message-----
From: Mail Delivery System [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 20, 2004 10:21 AM
To: ADDRESS REMOVED
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:

  [EMAIL PROTECTED]
    This message has been rejected because it has a potentially executable attachment "letter43.txt .pif"
    This form of attachment has been used by recent viruses or other malware.
    If you meant to send this file then please package it up as a zip file and resend it.

------ This is a copy of the message, including all the headers. ------
------------------------------------------

from the top of the message, then clamscan finds Worm.SomeFool.P. So basically, it appears that this message got through because it was a bounce notice and not the original message itself. I am running ClamAV 0.70 on Red Hat 9 using qmail-scanner 1.22. What I really don't understand is why adding a couple of lines at the top of the message prevents ClamAV from detecting the virus. Is there anything that can be done about this? Do I need to provide more information? I have the (mostly) original message if it would help at all, but since it is from Outlook and not the original from the server itself, I don't assume it would help much.
Thanks for any help

Jim Maul
Eastern Long Island Hospital
631-477-5417

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
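The structural point in the post above, shown with an added example that is not part of the original message and not code from ClamAV or qmail-scanner: a bounce notice of this kind is a single text/plain message, and the original mail (its headers, MIME boundaries and base64 attachment) is only quoted inside that text after the "This is a copy of the message" marker line. A scanner that walks the MIME tree of the message it actually receives sees one text part and no attachment; re-parsing the quoted text as a message of its own recovers the attachment and its padded double-extension name. The addresses, the "letter43.txt .pif" stand-in payload (inert bytes, not a worm), and the DANGEROUS_EXTENSIONS list are all constructed for the illustration.

```python
"""Bounce notices that quote the original message as plain text.

Everything here is constructed for illustration: placeholder addresses, an
inert byte string in place of the worm, and an assumed list of risky
extensions.  It is not ClamAV or qmail-scanner code.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Marker line from the bounce quoted in the post; everything after it is the
# original message with all of its headers.
BOUNCE_MARKER = "------ This is a copy of the message, including all the headers. ------"

# The padded double extension from the post: the space hides the real
# extension, which is the one Windows will execute.
ATTACHMENT_NAME = "letter43.txt .pif"

# Assumed block list for the illustration.
DANGEROUS_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}


def build_original_message() -> str:
    """Constructed stand-in for the worm mail: a text part plus a .pif attachment."""
    msg = EmailMessage()
    msg["From"] = "spoofed.user@example.org"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Re: Your document"
    msg.set_content("Please read the attached letter.")
    # Inert bytes with an 'MZ' prefix so the part merely looks like an executable.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename=ATTACHMENT_NAME)
    return msg.as_string()


def build_bounce(original: str) -> str:
    """Constructed bounce that quotes the original as plain text, not as message/rfc822."""
    bounce = EmailMessage()
    bounce["From"] = "Mail Delivery System <mailer-daemon@example.net>"
    bounce["To"] = "spoofed.user@example.org"
    bounce["Subject"] = "Mail delivery failed: returning message to sender"
    bounce.set_content(
        "This message was created automatically by mail delivery software.\n"
        "A message that you sent could not be delivered to one or more of its\n"
        "recipients. This is a permanent error.\n\n"
        f"{BOUNCE_MARKER}\n\n{original}"
    )
    return bounce.as_string()


def attachment_names(raw: str) -> List[str]:
    """Filenames of every leaf MIME part that carries one (what a MIME walk sees)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


def embedded_message(raw: str) -> Optional[str]:
    """Return the original message quoted below the bounce marker, if there is one."""
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return None
    body = msg.get_content()
    if BOUNCE_MARKER not in body:
        return None
    return body.split(BOUNCE_MARKER, 1)[1].lstrip("\r\n")


def is_dangerous_name(name: str) -> bool:
    """Judge by the final extension after stripping the padding whitespace."""
    parts = name.strip().rsplit(".", 1)
    return len(parts) == 2 and "." + parts[1].strip().lower() in DANGEROUS_EXTENSIONS


def scan_bounce(raw: str) -> dict:
    """Compare the outer MIME view with the re-parsed quoted message."""
    outer = attachment_names(raw)
    inner_raw = embedded_message(raw)
    inner = attachment_names(inner_raw) if inner_raw else []
    return {
        "outer_attachments": outer,        # [] : the bounce itself has no attachment
        "embedded_attachments": inner,     # the worm's attachment, recovered from the quote
        "flagged": [n for n in outer + inner if is_dangerous_name(n)],
    }


if __name__ == "__main__":
    print(scan_bounce(build_bounce(build_original_message())))
```

The same approach applies to any bounce format that quotes the original in the body: locate the marker the bouncing MTA uses, hand the remainder to the MIME parser as a message of its own, and run the attachment checks on that nested result as well as on the outer message.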
