On Thu, Nov 15, 2012 at 4:25 PM, McGranahan, Jamen < [email protected]> wrote:
> OK, I'm stumped as to why clamav-milter did not catch this virus. It was > from this address, being masked as from UPS: > > [email protected]<mailto:[email protected]>, masked as > [email protected]<mailto: > [email protected]> > > Nov 14 14:13:33 XXXXXX sendmail[13983]: qAEKDT7f013983: from=< > [email protected]<mailto:[email protected]>>, size=3297, class=0, > nrcpts=1, > msgid=<ca5501cdc2ac$e6c228e0$a87b5229@customerdesk_upsdeliveryservices>, > proto=ESMTP, daemon=MTA, relay=[41.82.123.168] > Nov 14 14:13:33 libdig10 sendmail[13983]: qAEKDT7f013983: Milter insert > (1): header: X-Virus-Scanned: clamav-milter 0.97.6 at xxxx.xxxx.edu > Nov 14 14:13:33 libdig10 sendmail[13983]: qAEKDT7f013983: Milter insert > (1): header: X-Virus-Status: Clean > > It actually missed it on two servers. Thankfully our network security > caught it before it went out. Here's what they detected the virus as: > > "It was detected as Blacole.OZ (Blackhole rootkit stuff). > Incident Name: Blacole.OZ > File: Invoices-14-2012.htm" > > Jamen McGranahan > Systems Services Librarian > Vanderbilt University LIbrary > Central Library > Room 811 > 419 21st Avenue South > Nashville, TN 37214 > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://www.clamav.net/support/ml > Good question. Any chance you can submit the attachment to us by using the "Submit a file" link on www.clamav.net? Dave R. -- --- Dave Raynor Sourcefire Vulnerability Research Team [email protected] _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
