On Mon, 26 Apr 2004 at 18:36:18 +0100, Rob wrote:
> I'm seeing a number of false positives on Worm.Gibe.F using clamav-0.70
> fully up to date (on FreeBSD 5.2-CURRENT). I've scanned the apparent
> hits using up to date Kaspersky, F-Prot and Sophos and none find
> anything. This is probably because they've already been cleaned along
> the way :)
>
> If I unpack the email (using munpack) then clamav doesn't find anything
> in the 2 text, one HTML and 2 GIF files (both appear legit). I assume
> it's triggering on something other than an actual signature of malicious
> code, but the signature of the mail itself (particularly as clamscan
> detects it WITHOUT --mbox).
>
> I can stick a sample of the email in question somewhere if people want,
> but I doubt that my results are unique. I've got 77 samples from the
> last 2 weeks :)
>
This is an intended behaviour. There was a long discussion in September
2003 whether we should detect (and block) damaged samples of Worm.Gibe.F.
In the end we decided: yes. Such messages, though not containing executable
viruses, are the result of the virus and were very troublesome and - by end
users - not easily differentiated from real viruses.

I'm including a message from that thread:

---------------------------------------------------------------------------
From [EMAIL PROTECTED] Sun Sep 21 02:27:04 2003
Subject: RE: [Clamav-users] RE: UPDATE81.exe getting thru
Message-ID: <[EMAIL PROTECTED]>
From: "Diego d'Ambra" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Date: Sun, 21 Sep 2003 02:23:28 +0200

> -----Original Message-----
> From: Noel Jones [mailto:[EMAIL PROTECTED]
> Sent: 20. september 2003 20:13
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] RE: UPDATE81.exe getting thru
>
> On Sat, Sep 20, 2003 at 12:39:33PM -0500, Daniel J McDonald wrote:
> >
> > Thus, I would prefer that clamav be able to determine if it appears to
> > be a virus, even one damaged to the point of non-existence.
>
> maybe someone could post a signature for the gif here and those who
> wish to block it can add it to a "local.db" file.
>
> --
> Noel Jones
>

A signature that detects damaged e-mails containing only a part of the
Worm.Gibe.F has now been added to the DB. The signature is matching a part
of the text and multiple parts of the images embedded in e-mails sent by
Gibe.F.

Best regards,
Diego d'Ambra
-----------------------------------------------------------------------

--
Tomasz Papszun              SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]                                           | ones and zeros.
[EMAIL PROTECTED]  http://www.ClamAV.net/  A GPL virus scanner
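As an added illustration (not code from this thread or from ClamAV), the script below mimics what a content signature in a local .db file does: it parses "Name=hex" lines, decodes every MIME part of a constructed, already-cleaned Gibe.F-style mail, and reports which part each signature hits. It shows why a message with no executable left in it can still be flagged, exactly the behaviour Rob saw. The signature bytes and the sample mail are placeholders I made up, not the real Gibe.F signature.

```python
import email
from email import policy

# Constructed "Name=hex" signatures in ClamAV's legacy .db format; placeholder bytes, not the real Gibe.F signature.
LOCAL_DB = """\
Test.Gibe.F.TextPart=4d6963726f736f667420436f72706f726174696f6e
Test.Gibe.F.ImagePart=47494638396161000200
"""

# Constructed sample: a Gibe.F-style mail whose .exe was stripped upstream, leaving only text and an abbreviated GIF.
SAMPLE_MAIL = """\
From: sender@example.invalid
Subject: Latest Security Update
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Microsoft Corporation recommends installing this cumulative patch.
--b1
Content-Type: image/gif
Content-Transfer-Encoding: base64

R0lGODlhYQACAA==
--b1--
"""


def load_db(text):
    """Parse 'Name=hex' lines into (name, bytes) pairs, skipping blanks and comments."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, hexsig = line.partition("=")
            sigs.append((name, bytes.fromhex(hexsig)))
    return sigs


def scan_mail(raw, sigs):
    """Map each matching signature name to the content-type of the MIME part it hit."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undo base64/QP so the signature sees raw bytes
        for name, sig in sigs:
            if sig in payload:
                hits[name] = part.get_content_type()
    return hits
```

Both placeholder signatures fire here, one on the text/plain part and one on the decoded GIF, even though nothing executable is present; that is the "damaged sample" case the thread decided to keep detecting.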
