Re: [Clamav-users] How to test ClamAV
Interesting...if I create a plain text email with the eicar text in it, ClamAV detects it successfully. Can anyone suggest another way to send myself a non-password-protected/encrypted attachment that ClamAV might have a chance at detecting? It's either that or disable my workstation AV and server AV to send one out and back in that way - kind of a pain.

Thanks!

On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones njo...@megan.vbhcs.org wrote:
> Steve Basford wrote:
>> Alex Davidson wrote:
>>> send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.
>>
>> I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of the password protected one)
>
> I received the same thing.
>
>> My ISP probably filtered out the others.
>
> My ISP does no filtering; either the test messages were blocked at the source (ISP/webhost egress filtering) or they were never sent.
>
> As for the encrypted files, nothing can check inside an encrypted zip, but they can be blocked based on a file name inside the zip, or clamd can mark all encrypted zips by setting ArchiveBlockEncrypted yes in clamd.conf
>
> At any rate, this test appears useless. Find another one.
>
> --
> Noel Jones

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [Clamav-users] How to test ClamAV
Alex Davidson wrote:
> send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.

I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of the password protected one)

My ISP probably filtered out the others.

I can't see ClamAV detecting these two... (as it doesn't know the password to decode the insides)

eicarpasswd.zip (new! - zip compressed eicar.com with password)
eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

You could add a signature to detect the above.. but it would ONLY work with the above EICAR test and the SAME password.

Cheers,
Steve
Sanesecurity
Re: [Clamav-users] How to test ClamAV
You'll need to find a nastie that your local/server AV don't detect, but ClamAV does.

Or make an exception for a file extension... rename eicar.txt to eicar.z43 (something random) and make sure your server and local av will ignore that file extension.

On Fri, Feb 6, 2009 at 10:45 AM, Alex Davidson davidson.a...@gmail.com wrote:
> Interesting...if I create a plain text email with the eicar text in it, ClamAV detects it successfully. Can anyone suggest another way to send myself a non-password-protected/encrypted attachment that ClamAV might have a chance at detecting? It's either that or disable my workstation AV and server AV to send one out and back in that way - kind of a pain.
>
> Thanks!
>
> On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones njo...@megan.vbhcs.org wrote:
>> Steve Basford wrote:
>>> Alex Davidson wrote:
>>>> send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.
>>>
>>> I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of the password protected one)
>>
>> I received the same thing.
>>
>>> My ISP probably filtered out the others.
>>
>> My ISP does no filtering; either the test messages were blocked at the source (ISP/webhost egress filtering) or they were never sent.
>>
>> As for the encrypted files, nothing can check inside an encrypted zip, but they can be blocked based on a file name inside the zip, or clamd can mark all encrypted zips by setting ArchiveBlockEncrypted yes in clamd.conf
>>
>> At any rate, this test appears useless. Find another one.
>>
>> --
>> Noel Jones

--
-Xinn.org Security, and Sanity Solutions
The makers of ClearSite NMS.
Re: [Clamav-users] How to test ClamAV
Steve Basford wrote:
> Alex Davidson wrote:
>> send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.
>
> I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of the password protected one)

I received the same thing.

> My ISP probably filtered out the others.

My ISP does no filtering; either the test messages were blocked at the source (ISP/webhost egress filtering) or they were never sent.

As for the encrypted files, nothing can check inside an encrypted zip, but they can be blocked based on a file name inside the zip, or clamd can mark all encrypted zips by setting ArchiveBlockEncrypted yes in clamd.conf

At any rate, this test appears useless. Find another one.

--
Noel Jones
Re: [Clamav-users] How to test ClamAV
Andy wrote:
> You'll need to find a nastie that your local/server AV don't detect, but ClamAV does.
>
> Or make an exception for a file extension... rename eicar.txt to eicar.z43 (something random) and make sure your server and local av will ignore that file extension.

It's not that difficult if you've properly set up the system to check for outgoing viruses as well as incoming viruses. You need only send a sample virus to a friend or test address. ClamAV doesn't care which way the bug is going - it should reject it before it leaves the building.

Checking for outgoing viruses does seem to be an alien concept for some mail admins, though.

dp
Re: [Clamav-users] How to test ClamAV
Alex Davidson wrote:
> Interesting...if I create a plain text email with the eicar text in it, ClamAV detects it successfully. Can anyone suggest another way to send myself a non-password-protected/encrypted attachment that ClamAV might have a chance at detecting?

There is a test tool at http://tools.declude.com/ under the Virus Test heading.

There are a bazillion options for sending the virus. The only tests that really count are the Plain base64 MIME encoded and Zip file. Clam should detect those. The rest appear to be mostly marketing fluff; don't be too concerned if clam doesn't detect them.

--
Noel Jones
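Added example, not part of the original thread: Python that builds the two message types named in the message above (EICAR as a plain base64 MIME attachment, and inside an unencrypted zip) so they can be handed to the scanner locally without a third-party sending service. The addresses and output file names are placeholders; the EICAR constant is the standard 68-byte test string.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Standard 68-byte EICAR test string, split in two so that this source file
# is less likely to be quarantined by an on-access scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def zipped(name: str, payload: bytes) -> bytes:
    """Return an unencrypted zip archive holding one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def build_test_message(kind: str, sender: str, rcpt: str) -> bytes:
    """Build one test mail; kind is 'base64' or 'zip'."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, rcpt
    msg["Subject"] = f"ClamAV test ({kind})"
    msg.set_content("EICAR test attachment, harmless.")
    if kind == "base64":
        data, sub, fname = EICAR, "octet-stream", "eicar.com"
    elif kind == "zip":
        data, sub, fname = zipped("eicar.com", EICAR), "zip", "eicar.zip"
    else:
        raise ValueError(f"unknown kind: {kind}")
    # add_attachment() on bytes uses base64 content-transfer-encoding, so the
    # test string never appears literally in the raw message.
    msg.add_attachment(data, maintype="application", subtype=sub, filename=fname)
    return msg.as_bytes()


def attachment_payload(raw: bytes) -> bytes:
    """Decode the first attachment, as a scanner must before matching."""
    parsed = message_from_bytes(raw, policy=policy.default)
    return next(parsed.iter_attachments()).get_content()


if __name__ == "__main__":
    for kind in ("base64", "zip"):
        with open(f"clamav-test-{kind}.eml", "wb") as fh:
            fh.write(build_test_message(kind, "sender@example.test", "rcpt@example.test"))
```

Run as a script, it writes `clamav-test-base64.eml` and `clamav-test-zip.eml`, which can be scanned directly or injected into the mail filter under test.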
Re: [Clamav-users] How to test ClamAV
Hello Alex,

I don't have a definitive test either. I have recently installed ClamAV on my gateway/router/firewall/smtp Linux box. I tried the canned test as suggested in the ClamAV doco but I could not see anything definitive. I agree that a real email from the outside would be a definitive test. Since ClamAV is running on a Linux box a Windows virus in an email attachment would be the best test without actually exposing the Linux box to compromise. I must admit that I would be reluctant to do this myself as the reason I installed ClamAV is I recently rid my local Windows boxes of a vicious browser hijack trojan. The source of this trojan was in all likelihood not from email but from a link embedded in a normal html page.

BTW: what is the EICAR test? I will try this myself.

Regards, :-),
David.

Alex Davidson wrote ..
> Interesting...if I create a plain text email with the eicar text in it, ClamAV detects it successfully. Can anyone suggest another way to send myself a non-password-protected/encrypted attachment that ClamAV might have a chance at detecting? It's either that or disable my workstation AV and server AV to send one out and back in that way - kind of a pain.
>
> Thanks!
>
> On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones njo...@megan.vbhcs.org wrote:
>> Steve Basford wrote:
>>> Alex Davidson wrote:
>>>> send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.
>>>
>>> I tried to send the 7 tests to my main address... only 3 arrived (the clean one - and 2 of the password protected one)
>>
>> I received the same thing.
>>
>>> My ISP probably filtered out the others.
>>
>> My ISP does no filtering; either the test messages were blocked at the source (ISP/webhost egress filtering) or they were never sent.
>>
>> As for the encrypted files, nothing can check inside an encrypted zip, but they can be blocked based on a file name inside the zip, or clamd can mark all encrypted zips by setting ArchiveBlockEncrypted yes in clamd.conf
>>
>> At any rate, this test appears useless. Find another one.
>>
>> --
>> Noel Jones
Re: [Clamav-users] How to test ClamAV
Hello Noel,

yep it worked. The eicar message was found but not before a user with enough time to open the mail message and the attachment. And, it is difficult to tell exactly which message is the culprit because all I see from the CRON log email is:

    /Maildir/cur/1233939406.Vfd00I270080M968444.davidwbrown.name:2,S: Eicar-Test-Signature FOUND

And, the gadgetry set-up to automatically send email to users with FOUND signatures did not trigger. I suppose I need to run ClamAV as daemon and ditch the CRON job.

Thanks,
David.

Noel Jones wrote ..
> Alex Davidson wrote:
>> Interesting...if I create a plain text email with the eicar text in it, ClamAV detects it successfully. Can anyone suggest another way to send myself a non-password-protected/encrypted attachment that ClamAV might have a chance at detecting?
>
> There is a test tool at http://tools.declude.com/ under the Virus Test heading.
>
> There are a bazillion options for sending the virus. The only tests that really count are the Plain base64 MIME encoded and Zip file. Clam should detect those. The rest appear to be mostly marketing fluff; don't be too concerned if clam doesn't detect them.
>
> --
> Noel Jones
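Added example, not part of the original thread: Python that parses `clamscan`-style report lines like the one quoted in the message above and recovers the Maildir file, folder and flags for each hit. Maildir names contain `:2,<flags>`, so the path cannot be split at the first colon; the `S` flag marks a message that was already read. The sample report is constructed, apart from the one line taken from the message.

```python
import re
from pathlib import PurePosixPath

# Report lines look like "<path>: <signature> FOUND". The greedy ".+" makes
# the path run up to the LAST ": " so a ":2,S" Maildir suffix stays in it.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Maildir file name: "<unique>" in new/, "<unique>:2,<flags>" in cur/.
MAILDIR_RE = re.compile(r"^(?P<unique>[^:]+)(?::2,(?P<flags>[A-Za-z]*))?$")

# Constructed sample report; only the second line comes from the thread.
SAMPLE = """\
/Maildir/new/1233939500.V1I2M3.host.example: OK
/Maildir/cur/1233939406.Vfd00I270080M968444.davidwbrown.name:2,S: Eicar-Test-Signature FOUND
/Maildir/new/1233939777.V1I9M7.host.example: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
"""


def parse_report(text: str) -> list[dict]:
    """Return one record per FOUND line, ignoring OK and summary lines."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue
        path = PurePosixPath(m["path"])
        md = MAILDIR_RE.match(path.name)
        flags = (md["flags"] or "") if md else ""
        hits.append({
            "path": str(path),
            "signature": m["sig"],
            "folder": path.parent.name,        # "new" or "cur" in a Maildir
            "unique": md["unique"] if md else path.name,
            "seen": "S" in flags,              # Maildir flag S: already read
        })
    return hits


if __name__ == "__main__":
    for hit in parse_report(SAMPLE):
        state = "already read" if hit["seen"] else "unread"
        print(f'{hit["signature"]}: {hit["path"]} ({hit["folder"]}, {state})')
```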
[Clamav-users] How to test ClamAV
I am running ClamAV tying into ASSP on Debian 4. To test ClamAV I have tried using http://www.aleph-tec.com/eicar/index.php to send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.

Does anyone know of any problems with ClamAV tied into ASSP? Conversely, can anyone confirm ClamAV detecting EICAR successfully? I've tried ASSP on Windows, Ubuntu and Debian, and in each case EICAR fails to be detected. You have to wonder if it's the integration with ASSP that's at fault.
Re: [Clamav-users] How to test ClamAV
Alex Davidson wrote:
> I am running ClamAV tying into ASSP on Debian 4. To test ClamAV I have tried using http://www.aleph-tec.com/eicar/index.php to send myself EICAR test virus strings but firstly only 3 of the 7 tests hit my mail server, and secondly ClamAV doesn't detect anything, yet the next-level AV detects it just fine.

What is being logged by the ClamAV software?

dp
[Clamav-users] How to test ClamAV?
Ok, so how do I test ClamAV?

There is no mention of this in http://www.clamav.net/support/faq

I did find on the Wiki the following, but it's out of date, clam.cab is no longer shipped with the 0.94.2 tar.gz source distribution:

  * The following files are included into clamav-*.tar.gz and are not dangerous:

      clam.cab
      clam-error.rar
      clam.exe
      clam.exe.bz2
      clam.rar
      clam.zip

    Output shall be:

      clam-error.rar: RAR module failure
      clam.cab: ClamAV-Test-File FOUND
      clam.exe: ClamAV-Test-File FOUND
      clam.exe.bz2: ClamAV-Test-File FOUND
      clam.rar: ClamAV-Test-File FOUND
      clam.zip: ClamAV-Test-File FOUND

So where do people get viruses to test ClamAV with?

Best,
--
Aleksey Tsalolikhin
UNIX System Administrator
I get stuff done!
http://www.lifesurvives.com/
Re: [Clamav-users] How to test ClamAV?
When you compile ClamAV, use --enable-check (iirc) and make sure you have check installed. Then, when it is done compiling, you can run `make check` and it will check itself :-).

On Fri, Dec 5, 2008 at 5:06 PM, Aleksey Tsalolikhin [EMAIL PROTECTED] wrote:
> Ok, so how do I test ClamAV?
>
> There is no mention of this in http://www.clamav.net/support/faq
>
> I did find on the Wiki the following, but it's out of date, clam.cab is no longer shipped with the 0.94.2 tar.gz source distribution:
>
>   * The following files are included into clamav-*.tar.gz and are not dangerous:
>
>       clam.cab
>       clam-error.rar
>       clam.exe
>       clam.exe.bz2
>       clam.rar
>       clam.zip
>
>     Output shall be:
>
>       clam-error.rar: RAR module failure
>       clam.cab: ClamAV-Test-File FOUND
>       clam.exe: ClamAV-Test-File FOUND
>       clam.exe.bz2: ClamAV-Test-File FOUND
>       clam.rar: ClamAV-Test-File FOUND
>       clam.zip: ClamAV-Test-File FOUND
>
> So where do people get viruses to test ClamAV with?
>
> Best,
> --
> Aleksey Tsalolikhin
> UNIX System Administrator
> I get stuff done!
> http://www.lifesurvives.com/

--
http://www.volatileminds.net
Re: [Clamav-users] How to test ClamAV?
EICAR
http://www.eicar.org/anti_virus_test_file.htm

VX heavens
http://vx.netlux.org/vl.php

On Fri, Dec 5, 2008 at 6:14 PM, Brandon Perry [EMAIL PROTECTED] wrote:
> When you compile ClamAV, use --enable-check (iirc) and make sure you have check installed. Then, when it is done compiling, you can run `make check` and it will check itself :-).

--
-Xinn.org Security, and Sanity Solutions
The makers of ClearSite NMS.
Re: [Clamav-users] How to test ClamAV?
On Fri, Dec 05, 2008 at 03:06:41PM -0800, Aleksey Tsalolikhin wrote:
> Ok, so how do I test ClamAV?
> So where do people get viruses to test ClamAV with?

Are you wanting to see that ClamAV is properly configured in your environment or are you ensuring it finds the viruses that you test it with?

If you're looking to test your configuration, the easiest is with the EICAR test file. You can find out more about it at http://www.eicar.org/anti_virus_test_file.htm

ClamAV should report the following when the file is scanned:

    clamdscan ~/eicar.com
    eicar.com: Eicar-Test-Signature FOUND

Rob
Re: [Clamav-users] How to test ClamAV?
That's great, thanks all! I've downloaded and used the EICAR test file.

Best,
Aleksey
Re: [Clamav-users] How to test ClamAV
raja semut spake thusly on Thu, Nov 09, 2006 at 01:15:44PM +0700:
> In Linux Fedora Core 4, I have installed qmail-1.03 + qmail-scanner-2.01 + Clamav-0.90rc2 + Mail-SpamAssassin-3.1.7.
>
> How can I make sure that Clamav is running well on my qmail server? I tried on the server /etc/init.d/clamd status, and it shows Clamd is running, but why can I receive e-mail that contains a virus?
>
> If anyone knows this problem, please advise me. Thank you.
--- end quoted text ---

You mentioned that you are using qmail-scanner. Make sure to read the documentation for that package. You need to make sure you have the proper configuration.

--
Regards,
Richard
Did this email or post help you? If so, please rate me at affero: http://rate.affero.net/RhunDraco

___
http://lurker.clamav.net/list/clamav-users.html
[Clamav-users] How to test ClamAV
In Linux Fedora Core 4, I have installed qmail-1.03 + qmail-scanner-2.01 + Clamav-0.90rc2 + Mail-SpamAssassin-3.1.7.

How can I make sure that Clamav is running well on my qmail server? I tried on the server /etc/init.d/clamd status, and it shows Clamd is running, but why can I receive e-mail that contains a virus?

If anyone knows this problem, please advise me. Thank you.
Re: [Clamav-users] How to test ClamAV installation
Josh,

Send yourself one of the test viruses that come with ClamAV. (test subdirectory)

Josh wrote:
> I just installed MailScanner and ClamAV and I'm wondering how one tests the ClamAV installation. I've gotten a couple infected messages, but they were for wacky code in HTML emails so they are probably from MailScanner rather than ClamAV.
>
> Amazingly (ha), neither myself nor any of my coworkers have personal stashes of virii sitting around to email to each other. Is there another way to test ClamAV, or is there some place I can get a virus to test with?
>
> Qmail-scanner comes with a test email hiding a virus, but apparently MailScanner or ClamAV doesn't realize the file is there or doesn't pick it up (I think it's the EICAR virus).

___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users