[Avcheck] Undelivered Mail Returned to Sender (fwd)

Marcio Merlone mm@surf.com.br
Thu, 13 Feb 2003 09:54:07 -0200


On Wed, 12 Feb 2003 22:37:13 +0100, "Milan P. Stanic"
<mps@rns-nis.co.yu> wrote:

(...)
> It has support for MIME in libclam, but it looks like it does not
> work or I don't know how to prove it. In the README file they mention
> MIME header but without explanation if that works.
> 
> It detects eicar.txt in attachment but didn't catch eicar.zip, in
> my testing at least.

According to their documentation, it has built-in support for RAR
(2.0), Zip, Gzip.


My tests:

[mmerlone@merlone clamav-0.54]$ clamscan -r --infected
/home/mmerlone/src/clamav-0.54/test/test1: ClamAV-Test-Signature FOUND
/home/mmerlone/src/clamav-0.54/test/test2.zip: ClamAV-Test-Signature FOUND
/home/mmerlone/src/clamav-0.54/test/test3.rar: ClamAV-Test-Signature FOUND
/home/mmerlone/src/clamav-0.54/message.eml: Exploit.IFrame FOUND
/home/mmerlone/src/clamav-0.54/message.zip: Exploit.IFrame FOUND
/home/mmerlone/src/clamav-0.54/message.tgz: Exploit.IFrame FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7528
Scanned directories: 36
Scanned files: 355
Infected files: 6
Data scanned: 6.16 Mb
I/O buffer size: 131072 bytes
Time: 9.619 sec (0 m 9 s)
[mmerlone@merlone clamav-0.54]$ 

It found 3 test files and 3 infected archives with real viruses (from my
inbox ;)), naked, zipped and tgz'd.

Second test: I sent myself those viruses as attachments. My amavis is configured
NOT to unpack zipped or tgz files; it lets clamav do it. The logs:

Feb 13 09:45:12 10.0.0.3 postfix/smtpd[27084]: 96860304477D: client=x[x]
Feb 13 09:45:14 10.0.0.3 postfix/cleanup[28197]: 96860304477D: message-id=<20030213094608.0edd4c9a.marcio@x.com>
Feb 13 09:45:14 10.0.0.3 postfix/qmgr[26549]: 96860304477D: from=<marcio@x.com>, size=143384, nrcpt=1 (queue active)
Feb 13 09:45:15 10.0.0.3 postfix/lmtp[20385]: 96860304477D: to=<mmerlone@x.net>, relay=127.0.0.1[127.0.0.1], delay=3, status=sent (250 2.7.0 Ok, discarded, id=10670-01-444 - VIRUS: Exploit.IFrame, Exploit.IFrame)


But I did test with eicar.txt, zip and tgz and none were found... try
with another virus to see what happens.


--

    Marcio Merlone
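As an added example (not part of the original post or of ClamAV itself), the following Python script reproduces the three-container test above: it writes the public EICAR test string naked, zipped and tgz'd, and, when clamscan is on the PATH, scans them with the real --infected and --no-summary options and parses the "path: Signature FOUND" lines, so whether the scanner looks inside archives can be checked the same way on any box.

```python
import io, os, shutil, subprocess, tarfile, tempfile, zipfile

# Standard 68-byte EICAR test string, split in two so this source file is not itself flagged by on-access scanners.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

def build_samples(directory=None):
    """Write eicar.txt, eicar.zip and eicar.tgz into directory (a fresh temp dir by default); return their paths."""
    directory = directory or tempfile.mkdtemp(prefix="eicar-")
    data = EICAR.encode("ascii")
    txt = os.path.join(directory, "eicar.txt")
    with open(txt, "wb") as f:
        f.write(data)
    zpath = os.path.join(directory, "eicar.zip")
    with zipfile.ZipFile(zpath, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("eicar.txt", data)
    tpath = os.path.join(directory, "eicar.tgz")
    with tarfile.open(tpath, "w:gz") as t:
        info = tarfile.TarInfo("eicar.txt")
        info.size = len(data)
        t.addfile(info, io.BytesIO(data))
    return [txt, zpath, tpath]

def read_back(paths):
    """Extract the payload from each sample (plain, zip, tgz) to confirm the archives were written correctly."""
    txt, zpath, tpath = paths
    with open(txt, "rb") as f:
        plain = f.read()
    with zipfile.ZipFile(zpath) as z:
        zipped = z.read("eicar.txt")
    with tarfile.open(tpath, "r:gz") as t:
        tarred = t.extractfile("eicar.txt").read()
    return [plain, zipped, tarred]

def parse_clamscan(output):
    """Map each 'path: Signature FOUND' line of clamscan output to its signature name; ignore OK lines."""
    found = {}
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(" FOUND"):
            path, sig = line[: -len(" FOUND")].rsplit(": ", 1)
            found[path] = sig
    return found

def run_clamscan(paths):
    """Return {path: signature} for the samples clamscan flags, or None when clamscan is not installed."""
    if shutil.which("clamscan") is None:
        return None
    proc = subprocess.run(["clamscan", "--infected", "--no-summary", *paths],
                          capture_output=True, text=True)
    return parse_clamscan(proc.stdout)
```

A scanner that unpacks archives should report all three paths from run_clamscan(build_samples()); if only eicar.txt comes back, archive scanning is off or unsupported in that build.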