[Mimedefang] ClamAV and related issues running under MD. was: Re: Mimedefang timeout

Jon R. Kibler Jon.Kibler at aset.com
Thu Feb 12 16:08:36 EST 2004


"David F. Skoll" wrote:
> 
> On Thu, 12 Feb 2004, Shawn Button wrote:
> 
> > If uvscan is problematic can anyone suggest a good, solid antivirus that will
> > run on RH Ent 3?
> 
> ClamAV.  http://www.clamav.net/  It's free!
> 
> See also http://www.securityfocus.com/archive/1/353379/2004-02-09/2004-02-15/2
> 

(Note: Some of these issues were discussed in my previous posting on ClamAV vs. uvscan. 
However, I would like to rephrase my original questions and try to get a better understanding 
of what all the issues involved are.)

First, I agree that ClamAV is very fast about getting out sigs. However, under MD, the ClamAV 
sigs often do not catch attachments that are base64 encoded -- usually meaning bounced viruses. 
We also run uvscan (under Solaris) as a second AV scanner and it catches these that ClamAV 
misses. 

The biggest issue I have is, when you submit a virus sample that is base64 encoded, and say that 
ClamAV under MD missed it, ClamAV's response is 'duplicate sample - clamd under AMaViSD-new 
detects XXX virus/worm'.

So, this brings up a few questions:
  1) What is AMaViSD-new doing that MD isn't? (We abandoned AMaViSD a couple of years back and
     I really don't want to even have to consider that as an option to solve this problem!)

  2) Isn't it relatively easy to decode a base64 attachment? What are the issues with doing so?

  3) Is it possible to create a signature for a base64-encoded attachment? If so, do AV companies
     usually provide base64 sigs for each new virus/worm? If not, why not? Or, is this just an
     issue where ClamAV is not providing such a signature?
   
I guess the bottom line issue is why does running ClamAV under AMaViSD-new catch things that MD
does not, and should this be considered a MD problem, a ClamAV problem, or both?

Thanks!
Jon
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
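An added example, written for this archive page and not code from this post, from MIMEDefang or from ClamAV, showing the mechanics behind questions 2 and 3. It constructs a DSN-style bounce that carries the original message as a message/rfc822 part, with a constructed marker string (SIGNATURE, a stand-in for a virus body, not a real signature) inside a base64 attachment. scan_raw and scan_raw_base64 model a scanner that looks only at the undecoded wire bytes; scan_decoded walks the MIME tree, undoes the transfer encoding of every leaf part and descends through the bounce wrapper. The prefix argument shifts where the marker lands in the attachment: the base64 form of a signature only matches when the bytes start on a 3-byte boundary and the encoded text does not straddle a 76-character line break, which is why one encoded-form signature cannot cover all three alignments and decoding before scanning is the robust route. The addresses, file name and message text are all constructed.

```python
"""Added example (not MIMEDefang, ClamAV or AMaViSD code): why a scanner that
matches on the undecoded wire bytes misses base64-encoded attachments, and
what the decode-then-scan path looks like.  Everything here is constructed."""
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Constructed stand-in for a virus body signature; not a real malware signature.
# 33 bytes, a multiple of 3, so its base64 form (44 chars) carries no '=' padding.
SIGNATURE = b"CONSTRUCTED-SAMPLE-SIGNATURE-0001"


def build_bounce(prefix: bytes, payload: bytes) -> bytes:
    """Construct a DSN-style bounce: an outer message carrying the original
    message, which has `prefix + payload` as a base64 attachment, as a
    message/rfc822 part.  `prefix` only shifts where the payload lands."""
    original = EmailMessage()
    original["From"] = "sender@example.invalid"          # constructed
    original["To"] = "recipient@example.invalid"         # constructed
    original["Subject"] = "constructed sample"
    original.set_content("see attachment")
    original.add_attachment(prefix + payload, maintype="application",
                            subtype="octet-stream", filename="sample.bin")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.invalid"     # constructed
    bounce["To"] = "sender@example.invalid"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("delivery failed; original message attached")
    bounce.add_attachment(original)        # becomes a message/rfc822 part
    return bounce.as_bytes()


def scan_raw(raw: bytes, sig: bytes) -> bool:
    """Match the raw signature against the undecoded wire bytes.  A base64
    attachment never contains the raw bytes, so this always misses."""
    return sig in raw


def scan_raw_base64(raw: bytes, sig: bytes) -> bool:
    """Match one base64-encoded form of the signature against the wire bytes.
    Works only when the payload starts on a 3-byte boundary and the encoded
    signature does not straddle a 76-character line break."""
    return base64.b64encode(sig) in raw


def scan_decoded(raw: bytes, sig: bytes) -> List[str]:
    """Parse the MIME tree, undo each leaf part's transfer encoding and match
    on the decoded bytes.  walk() descends into message/rfc822 parts, so the
    attachment inside a bounced message is reached as well."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():            # containers and message/rfc822 wrappers
            continue
        data = part.get_payload(decode=True) or b""
        if sig in data:
            name = part.get_filename() or "-"
            hits.append(f"{part.get_content_type()} ({name})")
    return hits


if __name__ == "__main__":
    # 0 bytes: aligned; 1 byte: misaligned; 48 bytes: aligned but the encoded
    # signature is split across the 76-character line break.
    for prefix in (b"", b"A", b"A" * 48):
        raw = build_bounce(prefix, SIGNATURE)
        print(f"prefix={len(prefix):2d} bytes: raw={scan_raw(raw, SIGNATURE)} "
              f"raw-base64={scan_raw_base64(raw, SIGNATURE)} "
              f"decoded={scan_decoded(raw, SIGNATURE)}")
```

Running it stand-alone prints one line per prefix: the raw-bytes scanner misses in every case, the encoded-form scanner hits only for the empty prefix, and the decode-then-scan path finds the marker in the application/octet-stream part of the bounced message all three times.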



