"David F. Skoll" wrote:
>
> On Thu, 12 Feb 2004, Shawn Button wrote:
>
> > If uvscan is problematic can anyone suggest a good, solid antivirus that will
> > run on RH Ent 3?
>
> ClamAV. http://www.clamav.net/ It's free!
>
> See also http://www.securityfocus.com/archive/1/353379/2004-02-09/2004-02-15/2
>
(Note: Some of these issues were discussed in my previous posting on ClamAV vs. uvscan. However, I would like to rephrase my original questions and try to get a better understanding of what all the issues involved are.)

First, I agree that ClamAV is very fast about getting out sigs. However, under MD, the ClamAV sigs often do not catch attachments that are base64 encoded -- usually meaning bounced viruses. We also run uvscan (under Solaris) as a second AV scanner and it catches these that ClamAV misses.

The biggest issue I have is, when you submit a virus sample that is base64 encoded, and say that ClamAV under MD missed it, ClamAV's response is 'duplicate sample - clamd under AMaViSD-new detects XXX virus/worm'.

So, this brings up a few questions:

1) What is AMaViSD-new doing that MD isn't? (We abandoned AMaViSD a couple of years back and I really don't want to even have to consider that as an option to solve this problem!)

2) Isn't it relatively easy to decode a base64 attachment? What are the issues with doing so?

3) Is it possible to create a signature for a base64 encoded attachment? If so, do AV companies usually provide base64 sigs for each new virus/worm? If not, why not? Or, is this just an issue where ClamAV is not providing such a signature?

I guess the bottom line issue is why does running ClamAV under AMaViSD-new catch things that MD does not, and should this be considered a MD problem, a ClamAV problem, or both?

Thanks!
Jon
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
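
An added example, not part of the original post and not code from MIMEDefang, AMaViSD-new or ClamAV: it illustrates questions 2 and 3 above by matching a byte signature against a message as received, against its decoded MIME parts, and against the base64 text itself. The marker string, sample message and function names are constructed for this illustration, and it makes no claim about how any of those products actually scan.

```python
import base64
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for a byte signature; not a real virus pattern.
SIG = b"CONSTRUCTED-TEST-MARKER-0001"

def build_sample() -> bytes:
    """Constructed message carrying SIG inside a base64-encoded attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(b"\x01\x02\x03\x04" + SIG + b"\x00" * 8,
                       maintype="application", subtype="octet-stream",
                       filename="sample.bin")
    return msg.as_bytes()

def scan_raw(raw: bytes) -> bool:
    """Match the byte signature against the message exactly as received."""
    return SIG in raw

def scan_decoded(raw: bytes) -> bool:
    """Undo each MIME part's transfer encoding, then match the signature."""
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and SIG in payload:
            return True
    return False

def base64_variants(sig: bytes) -> list:
    """Base64 text of sig at each of the 3 byte alignments, keeping only
    the characters whose 6 bits come entirely from sig."""
    out = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + sig)
        out.append(enc[(8 * k + 5) // 6:(8 * (k + len(sig))) // 6])
    return out

def scan_base64_text(raw: bytes) -> bool:
    """Match the encoded variants against the raw text, ignoring line breaks."""
    flat = raw.replace(b"\r", b"").replace(b"\n", b"")
    return any(v in flat for v in base64_variants(SIG))

if __name__ == "__main__":
    raw = build_sample()
    print(scan_raw(raw), scan_decoded(raw), scan_base64_text(raw))
```

A signature written against the encoded text needs three variants per pattern and must tolerate line wrapping, which is why decoding each part before matching is the simpler route when the MIME structure is intact.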