[Clamav-users] RE: More tests from www.testvirus.org

2004-01-07 Thread Alex S Moore
On my Solaris 9 SPARC mailhost with clamav installed and using my Solaris 9
SPARC workstation with SylpheedClaws, I tested with the top section of the html
page from www.testvirus.org.  The virus signature file is updated twice a day.

I used the released 0.65 version, which I built on 2003-12-04, and then built
and installed the devel-20040107 version.  Both programs had the same results. 
Most virus email was caught.  There were three that passed the check on both
versions.  They are:

Nbr 4) EICAR virus sent using uuencoding
Nbr 5) EICAR virus sent using BinHex encoding
Nbr 4) EICAR virus sent using BinHex encoding within a MIME segment.

Should I be concerned about the three tests that got through?

I do not care about the second section of the test virus web page, since I do
not run OE.  I do have OE clients, but they run their own Windows anti-virus
package.

Thanks, Alex


---
This SF.net email is sponsored by: IBM Linux Tutorials.
Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
Click now! http://ads.osdn.com/?ad_id=1278&alloc_id=3371&op=click
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] RE: More tests from www.testvirus.org

2004-01-07 Thread Hanford, Seth
> Nbr 5) EICAR virus sent using BinHex encoding

This was also missed on my ClamAV 0.65 running as clamd, however it was
picked up by Amavisd-new for its extension.
(Running ClamAV 0.65, Postfix 2.0.13, Amavisd-new-20030616-p5)

> I do not care about the second section of the test virus web page, since I do
> not run OE.  I do have OE clients, but they run their own Windows anti-virus
> package.

I also have OE clients (and MS Outlook Clients, which I believe also are
vulnerable to the second section), and they use desktop AV as well.
However, I'd like these to be caught by defense-in-depth.  I haven't had
time to research the "bugs" that testvirus/webmail.us says "MUST BE CAUGHT!"
(emphasis added) by a mailserver, but I'll be tracking them down with
amavisd-new experts as well.

I mean, hey, if there's a pattern/signature to these threats, _something_
I'm using should catch it.

--Seth



Re: [Clamav-users] RE: More tests from www.testvirus.org

2004-01-07 Thread Alex S Moore
On Wed, 7 Jan 2004 12:28:33 -0500
"Hanford, Seth" <[EMAIL PROTECTED]> wrote:

> > Nbr 5) EICAR virus sent using BinHex encoding
> 
> This was also missed on my ClamAV 0.65 running as clamd, however it was
> picked up by Amavisd-new for its extension.
> (Running ClamAV 0.65, Postfix 2.0.13, Amavisd-new-20030616-p5)
> 

I am using the latest sendmail with clamd and clamav-milter.  So, in my case, it
may work properly if I use mimedefang to run clamd.  I have mimedefang
installed, but had it turned off until I could do further testing.

Thanks, Alex


Re: [Clamav-users] RE: More tests from www.testvirus.org

2004-01-07 Thread Hanford, Seth
> > > Nbr 5) EICAR virus sent using BinHex encoding
> >
> > This was also missed on my ClamAV 0.65 running as clamd, however it was
> > picked up by Amavisd-new for its extension.
> > (Running ClamAV 0.65, Postfix 2.0.13, Amavisd-new-20030616-p5)
> >
>
> I am using the latest sendmail with clamd and clamav-milter.  So, in my case, it
> may work properly if I use mimedefang to run clamd.  I have mimedefang
> installed, but had turned off until I could do further testing.

Let me correct myself.  BinHex was NOT caught by Amavis OR ClamAV.

The Outlook 'Space Gap' was the one not caught by ClamAV, but was caught by
Amavis.  This e-mail DOES contain eicar.com in Base64 encoding, but is
hidden.



Re: [Clamav-users] RE: More tests from www.testvirus.org

2004-01-07 Thread Tomasz Papszun
On Wed, 07 Jan 2004 at  9:13:22 -0600, Alex S Moore wrote:
> On my Solaris 9 SPARC mailhost with clamav installed and using my Solaris 9
> SPARC workstation with SylpheedClaws, I tested with the top section of the html
> page from www.testvirus.org.  The virus signature file is updated twice a day.
> 
> I used the released 0.65 version, which I built on 2003-12-04, and then built
> and installed the devel-20040107 version.  Both programs had the same results. 
> Most virus email was caught.  There were three that passed the check on both
> versions.  They are:
> 
> Nbr 4) EICAR virus sent using uuencoding
> Nbr 5) EICAR virus sent using BinHex encoding
> Nbr 4) EICAR virus sent using BinHex encoding within a MIME segment.
> 
> Should I be concerned about the three tests that got through?
> 

In case someone is interested, I'm including here test results of
a set:
Postfix + Amavisd-new (20030616p5-6) + ClamAV (0.60+BugFixesFromCVS-20030916).

From the 1st group of tests on www.antivirus.org, only 1 of 15 test
messages was let through:

Nr 8. "Eicar virus sent using BinHex encoding within a MIME segment".


From the 2nd group of tests (important only for M$ Outlook), 5 of 7
test messages were let through:

Nr 2. "Outlook 'Space Gap' vulnerability (includes Eicar virus as hidden
   attachment)",

Nr 3. "Outlook 'Blank Folding' Vulnerability (does not include Eicar
   virus"),

Nr 4. "Outlook 'Boundary Space Gap' Vulnerability (does not include
   Eicar virus)",

Nr 5. "Outlook 'Long Boundary' Vulnerability (does not include Eicar
   virus)",

Nr 7. "A file with a CLSID extension which may hide the real file
   extension (does not include Eicar virus)".


> I do not care about the second section of the test virus web page, since I do
> not run OE.  I do have OE clients, but they run their own Windows anti-virus
> package.

And it hardly seems to be an AV scanner job to care for these special
tricks which can fool Outlook. Especially because only 2 of 7 tests
from the second group contain Eicar. How could ClamAV detect messages
which don't contain any virus string, but only have some special
structure? It can be a MTA job, not an AV scanner's one.

-- 
 Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
 [EMAIL PROTECTED]   http://www.lodz.tpsa.pl/   | ones and zeros.
 [EMAIL PROTECTED]   http://www.ClamAV.net/   A GPL virus scanner


Re: [Clamav-users] RE: More tests from www.testvirus.org

2004-01-08 Thread Noel Jones
On Thu, Jan 08, 2004 at 01:38:37AM +0100, Tomasz Papszun wrote:
> 
> In case someone is interested, I'm including here test results of
> a set:
> Postfix + Amavisd-new (20030616p5-6) + ClamAV (0.60+BugFixesFromCVS-20030916).
> 
> From the 1st group of tests on www.antivirus.org, only 1 of 15 test
> messages was let through:
> 
> Nr 8. "Eicar virus sent using BinHex encoding within a MIME segment".
> 

My amavisd-new doesn't seem to decode BinHex encoded attachments.
Maybe you should take this up with the amavis-users list.
Although the real problem may be that my file-4.07 program identifies the
binhex encoded file as "Emacs v18 byte-compiled Lisp data".


> 
> From the 2nd group of tests (important only for M$ Outlook), 5 of 7
> test messages were let through:
> 
> Nr 2. "Outlook 'Space Gap' vulnerability (includes Eicar virus as hidden
>attachment)",
> 

The 'Space Gap' test contains a base-64 encoded attachment named
eicar.com, but it doesn't seem to actually be the eicar test file when
it's decoded. 
I wouldn't expect any scanner to catch it.



> Nr 3. "Outlook 'Blank Folding' Vulnerability (does not include Eicar
>virus"),
> 
> Nr 4. "Outlook 'Boundary Space Gap' Vulnerability (does not include
>Eicar virus)",
> 
> Nr 5. "Outlook 'Long Boundary' Vulnerability (does not include Eicar
>virus)",
> 
> Nr 7. "A file with a CLSID extension which may hide the real file
>extension (does not include Eicar virus)".

I'm not sure these are exploits we need to be concerned about, but
they can probably be blocked with postfix 2.x mime_header_checks.


-- 
Noel Jones
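
As an added example (not code from this thread, from ClamAV or from amavisd-new), here is a small Python MIME policy check of the kind Tomasz and Noel describe as an MTA-side job rather than a scanner's: it flags attachments declared as BinHex (application/mac-binhex40, assumed here from RFC 1741) or uuencode (the non-standard x-uuencode transfer encoding, an assumption), recognises the BinHex 4.0 banner directly instead of trusting file(1) magic, and catches CLSID-style filename extensions. The sample message and GUID are constructed.

```python
import re
from email import message_from_string

# Assumed tokens: application/mac-binhex40 (RFC 1741) and the non-standard
# x-uuencode transfer encoding, the two encodings the thread saw slip through.
SUSPECT_TYPES = {"application/mac-binhex40"}
SUSPECT_CTE = {"x-uuencode", "x-uue", "uuencode"}
# BinHex 4.0 bodies open with this banner; its leading "(" is why file(1)
# can misread the body as Lisp data, so match the banner instead of magic.
BINHEX_BANNER = "(This file must be converted with BinHex 4.0)"
# CLSID-style "extension": a brace-wrapped GUID ending the filename.
CLSID_RE = re.compile(r"\.\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def check_part(part):
    """Return policy findings for one MIME part (empty list if clean)."""
    findings = []
    fname = part.get_filename() or ""
    cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
    if part.get_content_type() in SUSPECT_TYPES:
        findings.append(f"binhex-part:{fname}")
    if cte in SUSPECT_CTE:
        findings.append(f"uuencode-part:{fname}")
    if CLSID_RE.search(fname):
        findings.append(f"clsid-extension:{fname}")
    if not part.is_multipart():
        body = part.get_payload(decode=False)
        if isinstance(body, str) and body.lstrip().startswith(BINHEX_BANNER):
            findings.append(f"binhex-banner:{fname}")
    return findings

def check_message(raw):
    # Walk every part of a raw message and collect all findings in order.
    return [f for part in message_from_string(raw).walk() for f in check_part(part)]

# Constructed sample: the BinHex body and the GUID are placeholders.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/mac-binhex40; name="test.hqx"

(This file must be converted with BinHex 4.0)
:placeholder-binhex-body:
--b1
Content-Type: application/octet-stream; name="readme.txt.{01234567-89ab-cdef-0123-456789abcdef}"
Content-Transfer-Encoding: base64

QUJD
--b1--
"""
```

A findings list that is non-empty is the signal to quarantine or reject the message before it reaches an Outlook client, independent of whether the scanner decoded the payload.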

