Frode Egeland wrote:
> Hi all,

Howdy.

> I'm not 100% sure this is the correct list to ask this, but as the problem
> relates to ClamAV, I hope someone will have the answer for me.
>
> I've got a mail filter server set up, running postfix, amavisd-new,
> SpamAssassin and ClamAV.
> This morning, it was found that a worm had somehow gotten in through this, by
> being in a zip file (which a user naturally opened).
>
> I have "ScanArchive" in my clamd.conf and amavisd-new *should* be set up to
> scan zip files, so I don't know why it would have been missed? I got a sample
> of the worm, and ClamAV (the online web scan) detected it (inside the zip).
>
> Any hints will be very much appreciated!

Was the zip file encrypted? Doesn't sound like it was since you ran it through the online scanner, but those are potentially the only zip files that can pass through.

What version of clamav are you using? Or, more to the point, does your local installation detect the virus inside the zip file? (e.g. clamscan sample.zip).

What we're looking at here is if your local virus signatures database is up to date: the online scan showed that the virus is recognized in the current database, but perhaps your local one is not updated (hint: freshclam should be executed at least once a day).

HTH
--
René Berber

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
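The first question in the reply above (was the zip encrypted?) can be answered without a password by reading the archive's header flags. The following is an added example, not part of the original thread: a Python check for a captured attachment, where the function names and the constructed sample archive are assumptions made for illustration.

```python
import io
import zipfile

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def encrypted_members(data):
    """Names of entries the central directory marks as encrypted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]


def triage(data):
    """Classify an attachment: 'not-a-zip', 'encrypted' or 'scannable'."""
    try:
        locked = encrypted_members(data)
    except zipfile.BadZipFile:
        return "not-a-zip"
    # One encrypted entry is enough: the scanner cannot see inside it.
    return "encrypted" if locked else "scannable"


def constructed_zip(mark_encrypted):
    """Constructed sample: one harmless text entry, optionally flagged encrypted.

    Only the flag bit is set (the payload stays plain text), which is all a
    header-level check looks at.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.txt", "harmless test content")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        raw[6] |= ENCRYPTED            # flag field in the local file header
        cd = raw.index(b"PK\x01\x02")  # start of the central directory record
        raw[cd + 8] |= ENCRYPTED       # flag field in that record
    return bytes(raw)


if __name__ == "__main__":
    for label, flag in (("plain", False), ("flagged", True)):
        sample = constructed_zip(flag)
        print(label, triage(sample), encrypted_members(sample))
```

An attachment classified `encrypted` was not inspected by the scanner, whatever the archive-scanning settings are; one classified `scannable` points back to the local signature database and the `clamscan sample.zip` test.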
