[Mimedefang] MD 2.43 - Missing Viruses

Albert Whale aewhale at ABS-CompTech.com
Mon May 31 12:08:05 EDT 2004 


David F. Skoll wrote:

>On Mon, 31 May 2004, Albert Whale wrote:
>  
>
>>My original testing included both clamd and clamscan configurations in MD.
>>    
>>
>
>Did you run Clam on the actual MIMEDefang spool directory, or on a copy
>of the message in the quarantine?
>
>  
>
Ok, well I don't have the original Quarantine file, so I did the next 
best thing, and that was to rerun the message (from several different 
servers/domains).  While they all detected SPAM, none detected the 
virus.  Seriously, I did the testing every way I could think (thanks for 
the offsite testing offers).

In reviewing the clamd.log log, I noticed that all of the detections had 
three (3) entries in the logs.  I was able to track this message to the 
entry in the /var/log/clamd.log file.  Unfortunately, this entry is a 
SINGLE  entry:

Sat May 29 01:20:59 2004 -> 
/var/spool/MIMEDefang/mdefang-i4T5Kvvp010138/Work/INPUTMBOX: 
Worm.SomeFool.P FOUND

The mdefang-i4T5Kvvp010138 matches the header in the message: 
by ns.ABS-CompTech.com (8.12.10/8.12.10) with ESMTP id i4T5Kvvp010138
        for <blocklisted at abs-comptech.com>; Sat, 29 May 2004 01:20:58 -0400

As I indicated, the previous entries all had three lines:

Fri May 28 22:23:02 2004 -> 
/var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: 
Worm.Bagle.P FOUND
Fri May 28 22:23:02 2004 -> 
/var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: 
Worm.Bagle.P FOUND
Fri May 28 22:23:02 2004 -> 
/var/spool/MIMEDefang/mdefang-i4T2Mvvq000469/Work/msg-16237-189.pif: 
Worm.Bagle.P FOUND


It would appear that clamd DID identify the Virus correctly.  However, 
there is only one line entry in the logfile, while all of the other 
detections include three?

I'm confused.  Any NEW or Fresh Ideas?


-- 

Albert E. Whale, CISSP - Sr. Security, Network, and Systems Consultant
--------------------------------------------------------------------------------
http://www.abs-comptech.com & http://www.No-JunkMail.com 
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
SPAM Zapper - www.No-JunkMail.com - SPAM Stops Here.
Founding Board of Directors of Pittsburgh FBI - InfraGard

More information about the MIMEDefang mailing list