I recently ran into a virus that amavisd-new/clamd doesn't detect but clamscan does.
I'm running clamav-0.85 on FreeBSD 4.5. Here's the results from clamscan:

root edoras[25]: clamscan --debug email-doc.scr
LibClamAV debug: CVD -> No creation time in seconds (old file format)
LibClamAV debug: Loading databases from /var/db/clamav
LibClamAV debug: Loading /var/db/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.db
LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.ndb
LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.zmd
LibClamAV debug: Unpacking /var/tmp//clamav-626b2f632dcfa3b1/main.fp
LibClamAV debug: Loading databases from /var/tmp//clamav-626b2f632dcfa3b1
LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.ndb
LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.zmd
LibClamAV debug: Loading /var/tmp//clamav-626b2f632dcfa3b1/main.fp
LibClamAV debug: Loading /var/db/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 28f45cc32498c82312899352df1686c3
LibClamAV debug: Decoded signature: 28f45cc32498c82312899352df1686c3
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/COPYING
LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/daily.db
LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/daily.hdb
LibClamAV debug: Unpacking /var/tmp//clamav-13af5a94b984433c/daily.ndb
LibClamAV debug: Loading databases from /var/tmp//clamav-13af5a94b984433c
LibClamAV debug: Loading /var/tmp//clamav-13af5a94b984433c/daily.db
LibClamAV debug: Loading /var/tmp//clamav-13af5a94b984433c/daily.hdb
LibClamAV debug: Loading /var/tmp//clamav-13af5a94b984433c/daily.ndb
LibClamAV debug: Recognized DOS/W32 executable/library/driver file
LibClamAV debug: Worm.Mytob.BN-1 found in descriptor 5.
email-doc.scr: Worm.Mytob.BN-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 34297
Engine version: 0.85
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.03 MB
Time: 10.840 sec (0 m 10 s)

Here's the output from clamdscan:

root edoras[21]: clamdscan --config-file=/usr/local/etc/clamd-debug.conf email-doc.scr
/var/tmp/email-doc.scr: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.381 sec (0 m 0 s)

... and here's the output from clamd?

root edoras[43]: /usr/local/sbin/clamd -c /usr/local/etc/clamd-debug.conf
LibClamAV debug: Setting /var/tmp as global temporary directory
LibClamAV debug: Loading databases from /var/db/clamav
LibClamAV debug: Loading /var/db/clamav/main.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Decoded signature: 97483b1d8189548e820e8a3f4bef787b
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/COPYING
LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.db
LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.hdb
LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.ndb
LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.zmd
LibClamAV debug: Unpacking /var/tmp/clamav-5c859521fba63e28/main.fp
LibClamAV debug: Loading databases from /var/tmp/clamav-5c859521fba63e28
LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.db
LibClamAV debug: Initializing main node
LibClamAV debug: Initializing trie
LibClamAV debug: Initializing BM tables
LibClamAV debug: in cli_bm_init()
LibClamAV debug: BM: Number of indexes = 63744
LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.hdb
LibClamAV debug: Initializing md5 list structure
LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.ndb
LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.zmd
LibClamAV debug: Loading /var/tmp/clamav-5c859521fba63e28/main.fp
LibClamAV debug: Loading /var/db/clamav/daily.cvd
LibClamAV debug: in cli_cvdload()
LibClamAV debug: MD5(.tar.gz) = 28f45cc32498c82312899352df1686c3
LibClamAV debug: Decoded signature: 28f45cc32498c82312899352df1686c3
LibClamAV debug: Digital signature is correct.
LibClamAV debug: in cli_untgz()
LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/COPYING
LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/daily.db
LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/daily.hdb
LibClamAV debug: Unpacking /var/tmp/clamav-02a276c9ad19f14a/daily.ndb
LibClamAV debug: Loading databases from /var/tmp/clamav-02a276c9ad19f14a
LibClamAV debug: Loading /var/tmp/clamav-02a276c9ad19f14a/daily.db
LibClamAV debug: Loading /var/tmp/clamav-02a276c9ad19f14a/daily.hdb
LibClamAV debug: Loading /var/tmp/clamav-02a276c9ad19f14a/daily.ndb
LibClamAV debug: set stacksize to 262144
LibClamAV debug: Raw mode: No support for special files
LibClamAV debug: Type: 0, expected: 502 (Worm.Mytob.BN-1)
LibClamAV debug: Calculated MD5 checksum: aa11b5ec238c1de2c674da1418b4de69

The "Type: 0, expected: 502 (Worm.Mytob.BN-1)" line is interesting because it shows the virus name that clamscan detects. Is this a clue?

Thanks,
-- Bob
