Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-27 Thread Tomasz Kojm
On Mon, 26 Oct 2009 22:46:49 +0200
Jari Fredriksson ja...@iki.fi wrote:

> Detected by F-Prot and BitDefender, but not ClamAV.
>
> But then manually scanning the attachment, clamscan detects it. This is
> strange. It happens only with these DHL postings.

Hi Jari,

please report the problem to the amavisd-new maintainers.

Thanks,

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Tue Oct 27 11:56:10 CET 2009
___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Tomasz Kojm
On Fri, 23 Oct 2009 17:25:36 +0300
Jari Fredriksson ja...@iki.fi wrote:

> This may or may not be an amavisd-new question, but I start here.
[...]
> This DHL payload is the only malware that behaves like this for me. Any ideas?

Hi Jari,

you need to uncomment this line in amavisd-new config file:

qr'^MAIL$',   # retain full original message for virus checking (can be slow)

Regards,

-- 
   oo. Tomasz Kojm tk...@clamav.net
  (\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
 \..._ 0DCA5A08407D5288279DB43454822DC8985A444B
   //\   /\  Mon Oct 26 12:32:21 CET 2009


Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Jari Fredriksson


26.10.2009 13:43, Tomasz Kojm wrote:
> On Fri, 23 Oct 2009 17:25:36 +0300
> Jari Fredriksson ja...@iki.fi wrote:
>
>> This may or may not be an amavisd-new question, but I start here.
> [...]
>> This DHL payload is the only malware that behaves like this for me. Any ideas?
>
> Hi Jari,
>
> you need to uncomment this line in amavisd-new config file:
>
> qr'^MAIL$',   # retain full original message for virus checking (can be slow)
>

Thanks, but it was already uncommented in my
   /etc/amavis/conf.d/20-debian_defaults

-- 
http://www.iki.fi/jarif/

Your boss is a few sandwiches short of a picnic.




Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Török Edwin
On 2009-10-23 19:46, Jari Fredriksson wrote:
> 23.10.2009 17:25, Jari Fredriksson wrote:
>
>> This may or may not be an amavisd-new question, but I start here.
>>
>
> Now things changed a bit. That was detected, but with a MIME error.
>

Did you change anything, or did it change with a signature update?

> Cheers.
>
> --
>
> A virus was found:
>
> Bad header:
>   MIME error: error: part did not end with expected boundary
>

This message is not coming from ClamAV.

It looks like amavisd-new cannot MIME-decode the message (perhaps because
it is intentionally non-RFC conforming), and shows an error.
Still, since ClamAV did detect a virus, it should classify it as a virus.
Doesn't it?

> Scanner detecting a virus: ClamAV-clamd
>
> Content type: Virus
> Internal reference code for the message is 16851-07/Zh1IxQou4Qc0
>
> First upstream SMTP client IP address: [10.123.29.115]
> According to a 'Received:' trace, the message originated at:
> [93.83.198.166],
>   93.83.198.166
>
> Return-Path: deliv...@dhl-usa.com
> From: Manager Collin Escobar deliv...@dhl-usa.com
> Message-ID: 000d01ca53fe$a0163910$6400a...@chowderedh
> Subject: DHL Express Services. Please get your parcel NR.25483
> The message has been quarantined as: Z/virus-Zh1IxQou4Qc0
>
> Notification to sender will not be mailed.
>
> The message WAS NOT relayed to:
> s...@wellington.fredriksson.dy.fi:
>    250 2.7.0 Ok, discarded, id=16851-07 - INFECTED:
>
> Virus scanner output:
>   p004: Suspect.Bredozip-zippwd-2 FOUND
>   p002: Suspect.Bredozip-zippwd-2 FOUND
>

Looks like ClamAV is working properly, right?

Best regards,
--Edwin



Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-26 Thread Jari Fredriksson


26.10.2009 19:45, Török Edwin wrote:
> On 2009-10-23 19:46, Jari Fredriksson wrote:
>> 23.10.2009 17:25, Jari Fredriksson wrote:
>>
>>> This may or may not be an amavisd-new question, but I start here.
>>>
>>
>> Now things changed a bit. That was detected, but with a MIME error.
>>
>
> Did you change anything, or did it change with a signature update?

No. But *that* happened only once, so it might have been some kind of
malfunction in amavis or in the email itself.

>
>> Scanner detecting a virus: ClamAV-clamd
>>
>> Content type: Virus
>> Internal reference code for the message is 16851-07/Zh1IxQou4Qc0
>>
>> First upstream SMTP client IP address: [10.123.29.115]
>> According to a 'Received:' trace, the message originated at:
>> [93.83.198.166],
>>   93.83.198.166
>>
>> Return-Path: deliv...@dhl-usa.com
>> From: Manager Collin Escobar deliv...@dhl-usa.com
>> Message-ID: 000d01ca53fe$a0163910$6400a...@chowderedh
>> Subject: DHL Express Services. Please get your parcel NR.25483
>> The message has been quarantined as: Z/virus-Zh1IxQou4Qc0
>>
>> Notification to sender will not be mailed.
>>
>> The message WAS NOT relayed to:
>> s...@wellington.fredriksson.dy.fi:
>>    250 2.7.0 Ok, discarded, id=16851-07 - INFECTED:
>>
>> Virus scanner output:
>>   p004: Suspect.Bredozip-zippwd-2 FOUND
>>   p002: Suspect.Bredozip-zippwd-2 FOUND
>>
>
> Looks like ClamAV is working properly, right?
>

Indeed. But again the latest of that breed:

A virus was found: W32/Bredolab!Generic

Banned name: .exe,.exe-ms,DHL_package_label_295aa.exe
Scanners detecting a virus: F-PROT Antivirus for UNIX, BitDefender

Content type: Virus
Internal reference code for the message is 11679-19/A5+k6kl3BppJ

First upstream SMTP client IP address: [10.123.29.115]
According to a 'Received:' trace, the message originated at:
[207.253.37.144],
  207.253.37.144

Return-Path: servi...@dhl-usa.com
From: Manager Tami Mcgee servi...@dhl-usa.com
Message-ID: 000d01ca55d0$f97d56e0$6400a...@cadaverousw
Subject: DHL Delivery Services. You should get the parcel NR.92234
The message has been quarantined as: A/virus-A5+k6kl3BppJ

Notification to sender will not be mailed.

The message WAS NOT relayed to:
s...@wellington.fredriksson.dy.fi:
   250 2.7.0 Ok, discarded, id=11679-19 - INFECTED: W32/Bredolab!Generic

Virus scanner output:
  [Found virus] W32/Bredolab!Generic  p004
  [Found worm] EML/Bredolab.gen (exact)   p001


Detected by F-Prot and BitDefender, but not ClamAV.

But then manually scanning the attachment, clamscan detects it. This is
strange. It happens only with these DHL postings.




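One way to keep an eye on this kind of scanner disagreement across a quarantine, as an added example that is neither from the thread nor from amavisd-new: it parses the "A virus was found" notification text amavisd-new sends (the two samples are cut down and constructed from the notifications quoted above) and lists the messages where another scanner hit but ClamAV was not among the detectors. The function names and the dict layout are my own choices.

```python
import re

# Two amavisd-new notifications, cut down to the lines the parser needs (constructed from this thread).
NOTIFICATIONS = ["""\
A virus was found:
Bad header:
  MIME error: error: part did not end with expected boundary
Scanner detecting a virus: ClamAV-clamd
Internal reference code for the message is 16851-07/Zh1IxQou4Qc0
Virus scanner output:
  p004: Suspect.Bredozip-zippwd-2 FOUND
  p002: Suspect.Bredozip-zippwd-2 FOUND
""", """\
A virus was found: W32/Bredolab!Generic
Banned name: .exe,.exe-ms,DHL_package_label_295aa.exe
Scanners detecting a virus: F-PROT Antivirus for UNIX, BitDefender
Internal reference code for the message is 11679-19/A5+k6kl3BppJ
Virus scanner output:
  [Found virus] W32/Bredolab!Generic  p004
  [Found worm] EML/Bredolab.gen (exact)   p001
"""]

SCANNERS_RE = re.compile(r"^Scanners? detecting a virus: (.+)$", re.M)
REF_RE = re.compile(r"^Internal reference code for the message is (\S+)$", re.M)
MIME_RE = re.compile(r"^\s*MIME error: (.+)$", re.M)

def parse_notification(text):
    """Pull reference code, detecting scanners, MIME errors and per-part hits out of one notification."""
    m = SCANNERS_RE.search(text)
    ref = REF_RE.search(text)
    parts, in_output = [], False
    for line in text.splitlines():
        if line.startswith("Virus scanner output:"):
            in_output = True          # per-part hits follow, indented, until a blank line
        elif in_output and line.strip():
            parts.append(line.strip())
        elif in_output:
            break
    return {"ref": ref.group(1) if ref else None,
            "scanners": [s.strip() for s in m.group(1).split(",")] if m else [],
            "mime_errors": MIME_RE.findall(text),
            "parts": parts}

def scanner_misses(notifications, scanner="ClamAV"):
    """Reference codes of messages that some scanner flagged but `scanner` did not."""
    misses = []
    for n in map(parse_notification, notifications):
        if n["scanners"] and not any(scanner in s for s in n["scanners"]):
            misses.append(n["ref"])
    return misses
```

Run over a directory of saved notifications, the list of misses is what to attach when reporting the discrepancy to the amavisd-new or ClamAV maintainers, together with the quarantined message and the part (p004 here) that clamscan does flag by hand.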

Re: [Clamav-users] Why does ClamAV does not detect this via amavisd-new

2009-10-23 Thread Jari Fredriksson


23.10.2009 17:25, Jari Fredriksson wrote:
>
> This may or may not be an amavisd-new question, but I start here.
>

Now things changed a bit. That was detected, but with a MIME error.

Cheers.

--

A virus was found:

Bad header:
  MIME error: error: part did not end with expected boundary
Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 16851-07/Zh1IxQou4Qc0

First upstream SMTP client IP address: [10.123.29.115]
According to a 'Received:' trace, the message originated at:
[93.83.198.166],
  93.83.198.166

Return-Path: deliv...@dhl-usa.com
From: Manager Collin Escobar deliv...@dhl-usa.com
Message-ID: 000d01ca53fe$a0163910$6400a...@chowderedh
Subject: DHL Express Services. Please get your parcel NR.25483
The message has been quarantined as: Z/virus-Zh1IxQou4Qc0

Notification to sender will not be mailed.

The message WAS NOT relayed to:
s...@wellington.fredriksson.dy.fi:
   250 2.7.0 Ok, discarded, id=16851-07 - INFECTED:

Virus scanner output:
  p004: Suspect.Bredozip-zippwd-2 FOUND
  p002: Suspect.Bredozip-zippwd-2 FOUND




