[Clamav-users] Online scanner vs Sendvirus.cgi
Hello, I have just found a message which was trapped with sanitizer because of dangerous attachment (message.scr) and I thought it was a new worm. I checked it against clamav online scanner which reported the following: ClamAV 0.80/572/Wed Nov 3 11:48:18 2004 ClamAV scans the file ... Clamav-Output: /tmp/php7TNJzC: OK Clamav DID NOT identify your sample as malicious content If you really think your sample is a virus or any other harmful thing clamav should detect please go to http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi and submit the virus. I submited the sample but got the following output: Result: This virus is already recognized by ClamAV 0.80/572/Wed Nov 3 05:48:18 2004 as Broken.Executable . Be careful when submitting samples and remember to run freshclam! Please correct the above errors and retry. I though I missed something and repeated the process but got the same result. Any ideas? Best Regards, -- George Chelidze ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Online scanner vs Sendvirus.cgi
On Thu, 04 Nov 2004 at 11:48:35 +0300, George Chelidze wrote: Hello, I have just found a message which was trapped with sanitizer because of dangerous attachment (message.scr) and I thought it was a new worm. I checked it against clamav online scanner which reported the following: ClamAV 0.80/572/Wed Nov 3 11:48:18 2004 ClamAV scans the file ... Clamav-Output: /tmp/php7TNJzC: OK Clamav DID NOT identify your sample as malicious content If you really think your sample is a virus or any other harmful thing clamav should detect please go to http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi and submit the virus. I submited the sample but got the following output: Result: This virus is already recognized by ClamAV 0.80/572/Wed Nov 3 05:48:18 2004 as Broken.Executable . Be careful when submitting samples and remember to run freshclam! Please correct the above errors and retry. I though I missed something and repeated the process but got the same result. Any ideas? Seems that the scanner at sendvirus.cgi uses the DetectBrokenExecutables option while clamav online scanner - not. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/iso/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Online scanner vs Sendvirus.cgi
Tomasz Papszun wrote: On Thu, 04 Nov 2004 at 11:48:35 +0300, George Chelidze wrote: Hello, I have just found a message which was trapped with sanitizer because of dangerous attachment (message.scr) and I thought it was a new worm. I checked it against clamav online scanner which reported the following: ClamAV 0.80/572/Wed Nov 3 11:48:18 2004 ClamAV scans the file ... Clamav-Output: /tmp/php7TNJzC: OK Clamav DID NOT identify your sample as malicious content If you really think your sample is a virus or any other harmful thing clamav should detect please go to http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi and submit the virus. I submited the sample but got the following output: Result: This virus is already recognized by ClamAV 0.80/572/Wed Nov 3 05:48:18 2004 as Broken.Executable . Be careful when submitting samples and remember to run freshclam! Please correct the above errors and retry. I though I missed something and repeated the process but got the same result. Any ideas? Seems that the scanner at sendvirus.cgi uses the DetectBrokenExecutables option while clamav online scanner - not. So is it a bad idea to enable the same in online scanner? It will save a little bandwidth... Best Regards, -- George Chelidze ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Online scanner vs Sendvirus.cgi
George Chelidze wrote: Seems that the scanner at sendvirus.cgi uses the DetectBrokenExecutables option while clamav online scanner - not. So is it a bad idea to enable the same in online scanner? It will save a little bandwidth... Bad, because broken executables are not 100% virus. Also bad, because it is not enabled by default on a standard installation. ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Online scanner vs Sendvirus.cgi
George Chelidze wrote: Tomasz Papszun wrote: On Thu, 04 Nov 2004 at 11:48:35 +0300, George Chelidze wrote: Hello, I have just found a message which was trapped with sanitizer because of dangerous attachment (message.scr) and I thought it was a new worm. I checked it against clamav online scanner which reported the following: ClamAV 0.80/572/Wed Nov 3 11:48:18 2004 ClamAV scans the file ... Clamav-Output: /tmp/php7TNJzC: OK Clamav DID NOT identify your sample as malicious content If you really think your sample is a virus or any other harmful thing clamav should detect please go to http://clamav.sourceforge.net/cgi-bin/sendvirus.cgi and submit the virus. I submited the sample but got the following output: Result: This virus is already recognized by ClamAV 0.80/572/Wed Nov 3 05:48:18 2004 as Broken.Executable . Be careful when submitting samples and remember to run freshclam! Please correct the above errors and retry. I though I missed something and repeated the process but got the same result. Any ideas? Seems that the scanner at sendvirus.cgi uses the DetectBrokenExecutables option while clamav online scanner - not. So is it a bad idea to enable the same in online scanner? It will save a little bandwidth... Best Regards, I think it's perfectly rigth to set this option on ,if - and only if - users do know what it means. Online scanner should describe this Broken.Executable as not malware or possible malware and should propose to use other scanner also to test it.Anyway Broken.Executable could eventually *broke* Your system if You use Windows 9X Regards Bogusaw Brandys ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Re: [Clamav-users] Online scanner vs Sendvirus.cgi
Hello, Fajar A. Nugraha wrote: George Chelidze wrote: Seems that the scanner at sendvirus.cgi uses the DetectBrokenExecutables option while clamav online scanner - not. So is it a bad idea to enable the same in online scanner? It will save a little bandwidth... Bad, because broken executables are not 100% virus. I don't mean they should be marked as virus. The fact is that file isn't ok, it's already in base as broken executable. Also bad, because it is not enabled by default on a standard installation. We are not talking about adding this option to default options list. The online scanner is often used to check a file against known threats and if it's not detected by scanner (marked as OK) and suspected to be a new virus, it's submited to clamav team. Before you get back This virus is already recognized... message actually should be uploaded to server and should be checked once again (correct me if I am wrong) which is extra bandwidth and cpu power. Hope I made myself clear. Best Regards, -- George Chelidze ___ http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users