[Mimedefang] CLAMAV issues - Plexus.B flagged incorrectly?

Ole Craig olc at cs.umass.edu
Thu Jul 1 10:24:07 EDT 2004


On 07/01/04 at 10:42, 'twas brillig and Paul Murphy scrobe:
> Hi,
> 
> Today we received a copy of Worm.Plexus.B in an e-mail, which was
> picked up by Panda's desktop scanner in Outlook on a client machine.
> Alarmed that this had passed through MIMEDefang and also Panda's
> Exchange module, we investigated further. MIMEDefang had classified
> the message as clean, with a SPAM score of 5.06, and had passed it
> through. Clamav had however scanned the message and found the virus,
> as shown by the entries in the Clamav log file:
> 
> Thu Jul  1 03:11:15 2004 ->
> /var/spool/MIMEDefang/mdefang-i612BEuP025346/Work/INPUTMSG: Worm.Plexus.B FOUND
[...]
> 
> As you can see, $FoundVirus is set and $VirusName is also set correctly, but
> entity_contains_virus() (and thus entity_contains_virus_clamd) is returning a
> code of 0 and a category of "ok".
> 
> This is running on Debian/Testing, MIMEDefang 2.41, Clamav 0.72
> 

	Just chiming in... MD 2.43/clamd 0.68 found a copy of plexus
and tagged it correctly, and MD did the appropriate thing and chucked
it back:

[root at xxx root] grep -i plexus /tmp/clamd.log
Wed Jun 30 00:03:31 2004 -> /var/spool/MIMEDefang/mdefang-i5U43SHO026105/Work/INPUTMBOX: Worm.Plexus.B FOUND
Wed Jun 30 00:03:31 2004 -> /var/spool/MIMEDefang/mdefang-i5U43SHO026105/Work/msg-22684-69.exe: Worm.Plexus.B FOUND
[root at xxx root] grep -i plexus /var/log/maillog | grep i5U43SHO026105
Jun 30 00:03:31 loki mimedefang.pl[22684]: MDLOG,i5U43SHO026105,virusbounce,Worm.Plexus.B,61.8.198.242,<irxe at msn.com>,<victim at cs.umass.edu>,My friend gave me this account generator for http://www.pantyola.com I wanna share it with you :) And please do not distribute it. It's private.
Jun 30 00:03:31 loki sendmail[26105]: i5U43SHO026105: Milter: data, reject=554 5.7.1 rejection: found virus Worm.Plexus.B
Jun 30 00:03:31 loki sendmail[26105]: i5U43SHO026105: to=<victim at cs.umass.edu>, delay=00:00:02, pri=85899, stat=rejection: found virus Worm.Plexus.B

	Have you changed mimedefang.pl at all? In looking at
entity_contains_virus_clamd, the only place I see $VirusName gets set
is within a very short block where the very next statement is the
return (1, 'virus', 'quarantine') so it's hard to figure out where you
could be getting the (0, 'ok', 'ok') from.

		Ole
-- 
Ole Craig * UNIX, linux, SMTP-ninja; news, web; SGI martyr * CS Computing
Facility, UMass * <www.cs.umass.edu/~olc/pgppubkey.txt> for public key

   Need a seasoned *NIX admin in the Denver/Boulder area? Hire me!
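One defender-side check that falls out of the discrepancy Paul describes (clamd logging FOUND while MIMEDefang returned 'ok'): correlate clamd's log with the maillog by sendmail queue id and flag any message clamd detected that MIMEDefang did not log with a virusbounce action. This is an added example, not code from the thread or from MIMEDefang itself; the log lines are constructed to mirror the two formats quoted above (queue ids, hosts and addresses are made up), and it assumes virusbounce is the MDLOG action to expect for a caught virus.

```python
import re

# Constructed sample lines modelled on the clamd.log and maillog formats
# quoted in the thread. Queue ids, hosts and addresses are invented.
CLAMD_LOG = """\
Wed Jun 30 00:03:31 2004 -> /var/spool/MIMEDefang/mdefang-i5U43SHO000001/Work/INPUTMBOX: Worm.Plexus.B FOUND
Wed Jun 30 00:03:31 2004 -> /var/spool/MIMEDefang/mdefang-i5U43SHO000001/Work/msg-1-1.exe: Worm.Plexus.B FOUND
Thu Jul  1 03:11:15 2004 -> /var/spool/MIMEDefang/mdefang-i612BEuP000002/Work/INPUTMSG: Worm.Plexus.B FOUND
"""

MAILLOG = """\
Jun 30 00:03:31 mx mimedefang.pl[22684]: MDLOG,i5U43SHO000001,virusbounce,Worm.Plexus.B,192.0.2.10,<sender at example.net>,<victim at example.org>,subject
Jun 30 00:03:31 mx sendmail[26105]: i5U43SHO000001: Milter: data, reject=554 5.7.1 rejection: found virus Worm.Plexus.B
Jul  1 03:11:15 mx sendmail[25346]: i612BEuP000002: to=<victim at example.org>, delay=00:00:02, stat=Sent
"""

# clamd names the scanned file under the per-message work directory, whose
# name carries the sendmail queue id; the verdict is "<name> FOUND".
CLAMD_RE = re.compile(r"/mdefang-([A-Za-z0-9]+)/Work/\S+: (\S+) FOUND$")
# MIMEDefang's own summary line: MDLOG,<queue id>,<action>,...
MDLOG_RE = re.compile(r"MDLOG,([A-Za-z0-9]+),(\w+)")

def clamd_detections(log):
    """Map queue id -> set of virus names clamd reported for that message."""
    found = {}
    for line in log.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            found.setdefault(m.group(1), set()).add(m.group(2))
    return found

def mimedefang_verdicts(log):
    """Map queue id -> MDLOG action word (e.g. 'virusbounce')."""
    verdicts = {}
    for line in log.splitlines():
        m = MDLOG_RE.search(line)
        if m:
            verdicts[m.group(1)] = m.group(2)
    return verdicts

def missed_detections(clamd_log, maillog, expected_action="virusbounce"):
    """Queue ids clamd flagged whose MDLOG action is not the expected virus action."""
    found = clamd_detections(clamd_log)
    verdicts = mimedefang_verdicts(maillog)
    missed = {}
    for qid, names in found.items():
        action = verdicts.get(qid, "no MDLOG entry")
        if action != expected_action:
            missed[qid] = (sorted(names), action)
    return missed

if __name__ == "__main__":
    for qid, (names, action) in missed_detections(CLAMD_LOG, MAILLOG).items():
        print(f"{qid}: clamd found {','.join(names)} but MIMEDefang logged: {action}")
```

Run against real logs, every queue id it reports is a message clamd considered infected that never produced a virusbounce entry, which is exactly the symptom in Paul's report.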