On 12/11/10 20:01, TAN BUI wrote:

> We are running ClamAV 96.5 on Slamd64 machines with freshclam
> running every hour to update the virus database; besides the
> official ClamAV database, we also download those from
> Sanesecurity, SecurityInfo, MalwarePatrol once a day. The
> servers run sendmail 8.14.3 with mimedefang 2.66 calling ClamAV.
> All messages are scanned and delivered if they are virus-free;
> if detected as virus-laden, the messages will be quarantined in
> a specific sub-directory on the same mail servers where we can
> retrieve them to examine, if necessary.
> 
> Some users have their mail forwarded to an account on another
> system where Sophos is being used. Since October 28, we have
> been notified by the mail administrator of that system that some
> messages forwarded from our mail servers are detected by
> Sophos (running on their mail server) as infected with
> Mal/Phish-A. Unfortunately, we do not have the infected
> messages since they are considered "clean" by ClamAV on
> our mail servers and their mail server does not keep a copy
> of infected messages.
> 
> We are wondering if anyone else also experiences this kind of
> problem. As ClamAV et al. name viruses differently from Sophos,
> we don't know for sure if ClamAV is detecting Mal/Phish-A.
> 
The Sophos site gives three aliases for Mal/Phish-A: PHISH/CartasiFraud,
PHISH/HSBC and Trojan:JS/Cardst.  Searching the clamav database I can find
one instance of cardst which is Trojan.JS.Cardst with an ASCII signature of
"nction click() { if (event.button==2) { window.moveto(0, 0)
window.moveto(1, 1) window.moveto(2, 2) window.moveto(3, 3) win" so it would
appear that clamav should be at least partially effective against this.

-Al-
 
-- 
Al Varnell
Mountain View, CA



_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
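
The lookup described in the reply, reading a ClamAV signature body back as ASCII and checking a sample against it, can be reproduced offline. The following is an added example, not part of the original message and not ClamAV code; the sample record is constructed from the name and the ASCII text quoted in the reply, and its target type, offset and body length are assumptions.

```python
import re
# Constructed sample record. The name and ASCII text come from the reply above;
# target type 3, offset * and using a prefix of the quoted text are assumptions.
QUOTED_ASCII = "nction click() { if (event.button==2)"
SAMPLE_NDB = "Trojan.JS.Cardst:3:*:" + QUOTED_ASCII.encode("ascii").hex()

# Body tokens handled: hex byte, ?? (any byte), * (any run), {n} {n-m} {-m} {n-}
TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|(\*)|\{(\d*)(-?)(\d*)\}")

def parse_ndb(line):
    """Split Name:TargetType:Offset:HexSignature[:MinFL[:MaxFL]]."""
    name, target, offset, body = line.strip().split(":")[:4]
    return {"name": name, "target": int(target), "offset": offset, "body": body}

def tokens(body):
    """Yield one regex match per body token; reject anything not handled."""
    pos = 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m or m.group(0) in ("{}", "{-}"):
            raise ValueError(f"unsupported token at offset {pos}")
        pos = m.end()
        yield m

def decode_body(body):
    """Printable view of the body; wildcards are kept, in brackets."""
    out = []
    for m in tokens(body):
        if m.group(1):
            b = int(m.group(1), 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else ".")
        else:
            out.append(f"[{m.group(0)}]")
    return "".join(out)

def body_to_regex(body):
    """Compile the body to a bytes regex for an offline check of a sample."""
    parts = []
    for m in tokens(body):
        if m.group(1):
            parts.append(re.escape(bytes.fromhex(m.group(1))))
        elif m.group(2) or m.group(3):
            parts.append(b"." if m.group(2) else b".*")
        else:
            lo, dash, hi = m.group(4), m.group(5), m.group(6)
            parts.append(f".{{{lo or 0},{hi if dash else lo}}}".encode())
    return re.compile(b"".join(parts), re.DOTALL)
```

ClamAV matches target type 3 signatures against normalised HTML, so a regex built this way only gives a meaningful answer on text that has already been normalised the same way.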
