[Mimedefang] ClamAV and related issues running under MD. was: Re: Mimedefang timeout
Jon R. Kibler
Jon.Kibler at aset.com
Thu Feb 12 16:08:36 EST 2004
"David F. Skoll" wrote:
>
> On Thu, 12 Feb 2004, Shawn Button wrote:
>
> > If uvscan is problematic can anyone suggest a good, solid antivirus that will
> > run on RH Ent 3?
>
> ClamAV. http://www.clamav.net/ It's free!
>
> See also http://www.securityfocus.com/archive/1/353379/2004-02-09/2004-02-15/2
>
(Note: Some of these issues were discussed in my previous posting on ClamAV vs. uvscan.
However, I would like to rephrase my original questions and try to get a better understanding
of what all the issues involved are.)

First, I agree that ClamAV is very fast about getting out sigs. However, under MD, the ClamAV
sigs often do not catch attachments that are base64 encoded -- usually meaning bounced viruses.
We also run uvscan (under Solaris) as a second AV scanner and it catches these that ClamAV
misses.

The biggest issue I have is, when you submit a virus sample that is base64 encoded, and say that
ClamAV under MD missed it, ClamAV's response is 'duplicate sample - clamd under AMaViSD-new
detects XXX virus/worm'.

So, this brings up a few questions:

1) What is AMaViSD-new doing that MD isn't? (We abandoned AMaViSD a couple of years back and
I really don't want to even have to consider that as an option to solve this problem!)

2) Isn't it relatively easy to decode a base64 attachment? What are the issues with doing so?

3) Is it possible to create a signature for a base64 encoded attachment? If so, do AV companies
usually provide base64 sigs for each new virus/worm? If not, why not? Or, is this just an
issue where ClamAV is not providing such a signature?

I guess the bottom-line issue is why does running ClamAV under AMaViSD-new catch things that MD
does not, and should this be considered an MD problem, a ClamAV problem, or both?

Thanks!
Jon
--
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC USA
(843) 849-8214
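
On questions 2 and 3 above, an added example that is not part of the original post and does not reproduce what MIMEDefang, AMaViSD-new or ClamAV actually do: it walks a constructed bounce down to the nested attachment and shows a toy byte-pattern matching only the decoded bytes, while a pattern cut from one base64 rendering fails on the same file folded at another width. The payload, the toy signature and all function names are assumptions made for the illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

PAYLOAD = bytes(range(256))   # constructed, harmless stand-in for an attachment
SIGNATURE = PAYLOAD[100:140]  # toy byte-pattern "signature" on the decoded file

def build_bounce(payload: bytes) -> bytes:
    """Constructed bounce carrying the original mail as a message/rfc822 part."""
    original = EmailMessage()
    original["Subject"] = "original message"
    original.set_content("see attachment")
    original.add_attachment(payload, maintype="application",
                            subtype="octet-stream", filename="sample.bin")
    bounce = EmailMessage()
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("Delivery failed.")
    bounce.add_attachment(original)  # nested message, attachment inside it
    return bounce.as_bytes()

def decoded_leaves(raw: bytes) -> dict:
    """Map filename -> decoded bytes for every leaf part, at any nesting depth."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): part.get_payload(decode=True)
            for part in msg.walk() if not part.is_multipart()}

def wrapped_b64(payload: bytes, width: int) -> bytes:
    """Base64 text of payload, folded at the given line width."""
    text = base64.b64encode(payload)
    return b"\n".join(text[i:i + width] for i in range(0, len(text), width))

def matches(pattern: bytes, data: bytes) -> bool:
    """Naive substring match, standing in for a byte-pattern signature."""
    return pattern in data

if __name__ == "__main__":
    raw = build_bounce(PAYLOAD)
    print("pattern in raw bounce:  ", matches(SIGNATURE, raw))
    print("pattern in decoded leaf:", matches(SIGNATURE, decoded_leaves(raw)["sample.bin"]))
    enc_sig = wrapped_b64(PAYLOAD, 76)[60:100]  # pattern cut from the 76-column form
    print("encoded pattern, 60-col:", matches(enc_sig, wrapped_b64(PAYLOAD, 60)))
```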