On 12/11/10 20:01, TAN BUI wrote:
> We are running ClamAV 96.5 on Slamd64 machines with freshclam
> running every hour to update the virus database; besides the
> official ClamAV database, we also download those from
> Sanesecurity, SecurityInfo, MalwarePatrol once a day. The
> servers run sendmail 8.14.3 with mimedefang 2.66 calling ClamAV.
> All messages are scanned and delivered if they are virus-free;
> if detected as virus-laden, the messages will be quarantined in
> a specific sub-directory on the same mail servers where we can
> retrieve them to examine, if necessary.
>
> Some users have their mail forwarded to an account on another
> system where Sophos is being used. Since October 28, we have
> been notified by the mail administrator of that system that some
> messages forwarded from our mail servers are detected by
> Sophos (running on their mail server) as infected with
> Mal/Phish-A. Unfortunately, we do not have the infected
> messages since they are considered "clean" by ClamAV on
> our mail servers and their mail server does not keep a copy
> of infected messages.
>
> We are wondering if anyone else also experiences this kind of
> problem. As ClamAV et al. name viruses differently from Sophos,
> we don't know for sure if ClamAV is detecting Mal/Phish-A.
>

The Sophos site gives three aliases for Mal/Phish-A: PHISH/CartasiFraud, PHISH/HSBC and Trojan:JS/Cardst. Searching the clamav database I can find one instance of cardst which is Trojan.JS.Cardst with an ASCII signature of "nction click() { if (event.button==2) { window.moveto(0, 0) window.moveto(1, 1) window.moveto(2, 2) window.moveto(3, 3) win" so it would appear that clamav should be at least partially effective against this.

-Al-
-- 
Al Varnell
Mountain View, CA
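
The alias lookup described in the reply above, as an added example that is not part of the original message or of ClamAV itself: it takes the family token of each Sophos alias, searches signature names for it, and decodes the hex body back to readable text. It assumes the Name:TargetType:Offset:HexSig (.ndb) record layout; the sample records are constructed here, with the hex generated from part of the ASCII fragment quoted in the reply, and the target type, offset and second record are assumptions.

```python
import re

# Aliases Sophos lists for Mal/Phish-A, as quoted in the message above.
SOPHOS_ALIASES = ["PHISH/CartasiFraud", "PHISH/HSBC", "Trojan:JS/Cardst"]

# Constructed sample database (not real ClamAV data).
FRAGMENT = "nction click() { if (event.button==2)"
SAMPLE_NDB = [
    "Trojan.JS.Cardst:3:*:" + FRAGMENT.encode("ascii").hex(),
    "Constructed.Example.Sig:0:*:6162??6364*6566{2-4}67",
    "# comment line",
    "",
]

# One literal byte, or one of the wildcards ??, * and {n-m}.
TOKEN = re.compile(r"(?P<byte>[0-9a-fA-F]{2})|(?P<wild>\?\?|\*|\{[0-9-]+\})")

def decode_hexsig(hexsig):
    """Render a hex body signature as text, keeping wildcards visible."""
    out, pos = [], 0
    while pos < len(hexsig):
        m = TOKEN.match(hexsig, pos)
        if not m:
            raise ValueError(f"unsupported token at offset {pos}")
        if m.group("byte"):
            b = int(m.group("byte"), 16)
            out.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
        else:
            out.append(f"[{m.group('wild')}]")
        pos = m.end()
    return "".join(out)

def parse_ndb_line(line):
    """Split one record; returns None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) < 4:
        raise ValueError(f"not an .ndb record: {line!r}")
    return {"name": fields[0], "target": fields[1],
            "offset": fields[2], "hexsig": fields[3]}

def find_by_alias(lines, aliases):
    """Map each alias to (name, decoded body) of records naming its family."""
    records = [r for r in map(parse_ndb_line, lines) if r]
    hits = {}
    for alias in aliases:
        family = re.split(r"[:/.]", alias)[-1].lower()  # e.g. "cardst"
        hits[alias] = [(r["name"], decode_hexsig(r["hexsig"]))
                       for r in records if family in r["name"].lower()]
    return hits
```

An empty list for an alias only means no signature carries that family name; a differently named signature may still match the same sample.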