David F. Skoll wrote:

On Mon, 31 May 2004, Albert Whale wrote:


My original testing included both clamd and clamscan configurations in MD.



Did you run Clam on the actual MIMEDefang spool directory, or on a copy of the message in the quarantine?



Ok, well I don't have the original Quarantine file, so I did the next best thing, and that was to rerun the message (from several different servers/domains). While they all detected SPAM, none detected the virus. Seriously, I did the testing every way I could think of (thanks for the offsite testing offers).

In reviewing the clamd.log log, I noticed that all of the detections had three (3) entries in the logs. I was able to track this message to the entry in the /var/log/clamd.log file. Unfortunately, this entry is a SINGLE entry:

Sat May 29 01:20:59 2004 -> /var/spool/MIMEDefang/mdefang-i4T5Kvvp010138/Work/INPUTMBOX: Worm.SomeFool.P FOUND

The mdefang-i4T5Kvvp010138 matches the header in the message:

by ns.ABS-CompTech.com (8.12.10/8.12.10) with ESMTP id i4T5Kvvp010138
for <[EMAIL PROTECTED]>; Sat, 29 May 2004 01:20:58 -0400


As I indicated, the previous entries all had three lines:

Fri May 28 22:23:02 2004 -> /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: Worm.Bagle.P FOUND
Fri May 28 22:23:02 2004 -> /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: Worm.Bagle.P FOUND
Fri May 28 22:23:02 2004 -> /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: Worm.Bagle.P FOUND



It would appear that clamd DID identify the Virus correctly. However, there is only one line entry in the logfile, while all of the other detections include three?


I'm confused.  Any NEW or Fresh Ideas?


--

Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard
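
Added example, not part of the original post: a small Python parser that groups clamd.log `FOUND` entries by the sendmail queue ID embedded in the MIMEDefang work directory name, counts hits per scanned file, and pulls the queue ID out of a `Received:` header for correlation. The function names are hypothetical, the sample log is constructed from the lines quoted above, and it assumes `INPUTMBOX` is the whole-message copy in the work directory while `msg-*` files are extracted parts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the clamd.log lines quoted in the message above.
SAMPLE_LOG = (
    "Fri May 28 22:23:02 2004 -> /var/spool/MIMEDefang/mdefang-i4T2Mvvq000469"
    "/Work/msg-16237-189.pif: Worm.Bagle.P FOUND\n"
) * 3 + (
    "Sat May 29 01:20:59 2004 -> /var/spool/MIMEDefang/mdefang-i4T5Kvvp010138"
    "/Work/INPUTMBOX: Worm.SomeFool.P FOUND\n"
)

FOUND_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) -> "
    r"\S*/mdefang-(?P<qid>[^/]+)/Work/(?P<name>.+?): (?P<sig>\S+) FOUND$"
)
RECEIVED_ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]+)")


def queue_id_from_received(header):
    """Return the sendmail queue ID from a Received: header, or None."""
    m = RECEIVED_ID_RE.search(header)
    return m.group(1) if m else None


def summarize(log_text):
    """Group FOUND entries by queue ID and count hits per scanned file."""
    hits = defaultdict(lambda: {"targets": Counter(), "signatures": set()})
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # not a detection line for a MIMEDefang work directory
        entry = hits[m.group("qid")]
        entry["targets"][m.group("name")] += 1
        entry["signatures"].add(m.group("sig"))
    for entry in hits.values():
        # Assumption: INPUTMBOX is the whole-message copy, msg-* are parts.
        entry["whole_message_only"] = set(entry["targets"]) == {"INPUTMBOX"}
    return dict(hits)


if __name__ == "__main__":
    for qid, e in summarize(SAMPLE_LOG).items():
        print(qid, dict(e["targets"]), sorted(e["signatures"]),
              "whole-message-only" if e["whole_message_only"] else "part hit")
```

Run against a real `/var/log/clamd.log`, the per-file counts show at a glance which messages were flagged only on the whole-message file and which on an extracted attachment.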


