Mailing List Archive

To: Whomever posted a message containing the EICAR test string
Hi.

Somebody posted a message to this list today, containing the EICAR test
string.

I, as I suspect do a fair number of other people subscribed to the list, use
anti-virus software on my mail server, which upon detecting a virus in a
message deletes the offending section of the message, and simply sends me a
notification that I was sent something nasty.

In this case (it's my guess that the EICAR string was in the body, since it's
only plain ASCII characters and is therefore perfectly easy to do) it means I
have no idea what the body of the message was, since that's the bit that got
deleted by my anti-virus system.

I suggest that whoever posted it (assuming it was only a part of the posting,
and there might have been something else worthwhile in the message too)
re-posts, but without the full EICAR string (perhaps just use the word
"EICAR" to show where you wanted it to be?), and then many more of us may be
able to read the message and perhaps reply to it....

Regards,

Antony.

--

There are two possible outcomes.

If the result confirms the hypothesis, then you've made a measurement.
If the result is contrary to the hypothesis, then you've made a discovery.

- Enrico Fermi
Re: To: Whomever posted a message containing the EICAR test string
On Thu, 14 Aug 2003 at 19:31:50 +0100, Antony Stone wrote:
>
> Somebody posted a message to this list today, containing the EICAR test
> string.

That's right.

> I, as I suspect do a fair number of other people subscribed to the list, use
> anti-virus software on my mail server, which upon detecting a virus in a
> message deletes the offending section of the message, and simply sends me a
> notification that I was sent something nasty.
>
> In this case (it's my guess that the EICAR string was in the body, since it's
> only plain ASCII characters and is therefore perfectly easy to do) it means I
> have no idea what the body of the message was, since that's the bit that got
> deleted by my anti-virus system.

Does not your anti-virus system quarantine infected messages? Mine does.

> I suggest that whoever posted it (assuming it was only a part of the posting,
> and there might have been something else worthwhile in the message too)
> re-posts, but without the full EICAR string (perhaps just use the word
> "EICAR" to show where you wanted it to be?), and then many more of us may be
> able to read the message and perhaps reply to it....
>

OK, as you asked for it, I'm including (below my signature) that
"infected" message (without EICAR string of course).

--
Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
tomek@lodz.tpsa.pl http://www.lodz.tpsa.pl/ | ones and zeros.


Return-Path: <clamav-devel-admin@lists.sourceforge.net>
From: Bennett Todd <bet@rahul.net>
To: clamav-devel@lists.sourceforge.net
Message-ID: <20030814171220.GB16117@rahul.net>
Subject: [Clamav-devel] recognizing pats within text bodies?
Date: Thu, 14 Aug 2003 13:12:20 -0400

For funsies, I decided to play around with adding Eicar to my .sig.

I was unsurprised that clamscan nailed it. I was surprised to find
that Trend didn't, it allowed it through; apparently it doesn't flag
Eicar within a normal text body, only as a separate file or
attachment.

Is this business of flagging on Eicar within a text body intrinsic
to clamav, or is it a defect of the way I'm currently playing with
it?

My current setup ends up using clamscan; it does it from this
wrapper, which I've nicknamed clamit:

#!/bin/sh
# clamit: read one mail message on stdin, unpack it into a scratch
# directory and scan the result with clamscan. The exit status is
# clamscan's: 0 clean, 1 virus found, 2 and up for errors.

die(){ echo "$0: $*" >&2; exit 1; }
# Private scratch directory; mktemp -d avoids a predictable /tmp name
# that another local user could pre-create.
tmp=`mktemp -d /tmp/clamit.XXXXXX` || die "mktemp failed"
trap 'rm -rf "$tmp"' 0 1 2 3 15
cd "$tmp" || die "cd $tmp failed"
# Keep the whole message, then decode any encoded parts into unpack/
cat >full-message.mbox
mkdir unpack || die "mkdir unpack failed"
cd unpack || die "cd unpack failed"
uudeview -i -a -m -f -t -d -s -q -n - <../full-message.mbox
cd ..
# Recursive scan of both the raw message and the decoded parts
clamscan --quiet -r .
exit $?

which in turn is called using this clause in my .procmailrc:

# Pipe header and body (H, B) through clamit; a non-zero exit (virus
# found, or a failure inside the wrapper) files the message in clamav/
:0HB
* ! ? clamit
clamav/

One might reasonably ask, why am I bothering with A/V, since I run
entirely on Unix and don't run susceptible MUAs; I added clamav to
my screening to help assist bogofilter, in this age of email worms.

-Bennett
[eicar string was here - T. P. ] EICAR-STANDARD-ANTIVIRUS-TEST-FILE [...]
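To illustrate the difference Bennett describes (a scanner that checks text bodies versus one that only looks at attachments), here is an added Python example that is not part of the thread, of ClamAV or of Trend: it walks every MIME part, undoes the Content-Transfer-Encoding and matches a signature in the decoded bytes. It assumes a constructed proxy signature (the fragment quoted above, not the full EICAR test string) and constructed sample messages.

```python
import base64
import email
from email import policy

# Constructed proxy signature (assumption for this example): the visible
# fragment of the EICAR test string quoted in the thread. The full test
# string is deliberately not reproduced; the scan logic does not depend on it.
SIGNATURE = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def scan_message(raw: bytes) -> list:
    """Return one (part_index, content_type, disposition) tuple per MIME part
    whose *decoded* payload contains SIGNATURE. Text bodies are scanned as
    well as attachments, and base64 / quoted-printable encodings are undone
    first, so a raw grep over the message and this function can disagree."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if SIGNATURE in payload:
            hits.append((idx, part.get_content_type(),
                         part.get_content_disposition()))
    return hits


def _mail(headers: str, body: str) -> bytes:
    return (headers + "\r\n\r\n" + body).encode()


# Constructed sample messages (not real traffic).
CLEAN = _mail("From: a@example.invalid\r\nSubject: hi", "Just text.\r\n")
IN_SIG = _mail("From: a@example.invalid\r\nSubject: sig",
               "Hello\r\n-- \r\n" + SIGNATURE.decode() + "\r\n")
B64_BODY = _mail("From: a@example.invalid\r\nSubject: b64\r\n"
                 "Content-Type: text/plain\r\nContent-Transfer-Encoding: base64",
                 base64.b64encode(b"sig: " + SIGNATURE + b"\n").decode())
ATTACH = _mail("From: a@example.invalid\r\nSubject: att\r\n"
               'Content-Type: multipart/mixed; boundary="B"',
               "--B\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
               "--B\r\nContent-Type: application/octet-stream\r\n"
               'Content-Disposition: attachment; filename="test.txt"\r\n'
               "Content-Transfer-Encoding: base64\r\n\r\n"
               + base64.b64encode(SIGNATURE).decode() + "\r\n--B--\r\n")

if __name__ == "__main__":
    for name, raw in [("clean", CLEAN), ("in body", IN_SIG),
                      ("base64 body", B64_BODY), ("attachment", ATTACH)]:
        print(name, "raw grep:", SIGNATURE in raw, "decoded:", scan_message(raw))
```

The base64 cases are the ones a scanner that greps the raw message misses and a part-aware scanner catches.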
Re: To: Whomever posted a message containing the EICAR test string
On Thursday 14 August 2003 8:21 pm, Tomasz Papszun wrote:

> Does not your anti-virus system quarantine infected messages? Mine does.

No. It's possible to set it to do so, but there are difficulties under UK
law with quarantining messages arbitrarily, and then allowing system
administrators possibly to see the contents, so the mail servers we use do
not provide for the original content on the message to be stored.

Not the way I would like to turn things, but until this country gets its
ideas about the Regulation of Investigatory Powers Act sorted out, I don't
want someone else deciding I've been intercepting communications in a way
that I shouldn't have...

Regards,

Antony.

--

Documentation is like sex:
when it's good, it's very very good;
when it's bad, it's still better than nothing.