Mailing List Archive

How to test ClamAV
In Linux Fedora Core 4, I installed qmail-1.03 + qmail-scanner-2.01 +
Clamav-0.90rc2 + Mail-SpamAssassin-3.1.7.
How can I make sure that ClamAV is running well on my qmail server?
I tried /etc/init.d/clamd status on the server;
it shows "Clamd is running",
but why can I receive e-mail containing viruses?

If anyone knows this problem, please advise me.
Thank you.
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
Re: How to test ClamAV [ In reply to ]
raja semut spake thusly on Thu, Nov 09, 2006 at 01:15:44PM +0700:
> In Linux Fedora Core 4, I installed qmail-1.03 + qmail-scanner-2.01 +
> Clamav-0.90rc2 + Mail-SpamAssassin-3.1.7.
> How can I make sure that ClamAV is running well on my qmail server?
> I tried /etc/init.d/clamd status on the server;
> it shows "Clamd is running",
> but why can I receive e-mail containing viruses?
>
> If anyone knows this problem, please advise me.
> Thank you.

--- end quoted text ---

You mentioned that you are using qmail-scanner. Make sure to read the documentation for that package. You need to make sure you have the proper configuration.

--
Regards,
Richard
Did this email or post help you? If so, please rate
me at affero: http://rate.affero.net/RhunDraco
Re: How to test ClamAV [ In reply to ]
Alex Davidson wrote:
> I am running ClamAV tying into ASSP on Debian 4.
>
> To test ClamAV I have tried using
> http://www.aleph-tec.com/eicar/index.php to send myself EICAR test
> virus strings but firstly only 3 of the 7 tests hit my mail server,
> and secondly ClamAV doesn't detect anything, yet the next-level AV
> detects it just fine.
>


What is being logged by the ClamAV software?

dp
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: How to test ClamAV [ In reply to ]
Alex Davidson wrote:

>send myself EICAR test
>virus strings but firstly only 3 of the 7 tests hit my mail server,
>and secondly ClamAV doesn't detect anything, yet the next-level AV
>detects it just fine.

I tried to send the 7 tests to my main address... only 3 arrived

(the clean one - and 2 of the password protected one)

My ISP probably filtered out the others.

I can't see ClamAV detecting these two... as it doesn't know the password to decode the insides.

eicarpasswd.zip (new! - zip compressed eicar.com with password)
eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

You could add a signature to detect the above.. but it would ONLY work with the above EICAR test and the SAME password.

Cheers,

Steve
Sanesecurity


Re: How to test ClamAV [ In reply to ]
Steve Basford wrote:
>
> Alex Davidson wrote:
>
>> send myself EICAR test
>> virus strings but firstly only 3 of the 7 tests hit my mail server,
>> and secondly ClamAV doesn't detect anything, yet the next-level AV
>> detects it just fine.
>
> I tried to send the 7 tests to my main address... only 3 arrived
>
> (the clean one - and 2 of the password protected one)

I received the same thing.


>
> My ISP probably filtered out the others.

My ISP does no filtering; either the test messages were
blocked at the source (ISP/webhost egress filtering) or they
were never sent.

As for the encrypted files, nothing can check inside an
encrypted zip, but they can be blocked based on a file name
inside the zip, or clamd can mark all encrypted zips by
setting "ArchiveBlockEncrypted yes" in clamd.conf

At any rate, this test appears useless. Find another one.

--
Noel Jones
Re: How to test ClamAV [ In reply to ]
Interesting...if I create a plain text email with the eicar text in
it, ClamAV detects it successfully.

Can anyone suggest another way to send myself a
non-password-protected/encrypted attachment that ClamAV might have a
chance at detecting?
It's either that or disable my workstation AV and server AV to send
one out and back in that way - kind of a pain.

Thanks!

On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones <njones@megan.vbhcs.org> wrote:
> Steve Basford wrote:
>>
>> Alex Davidson wrote:
>>
>>> send myself EICAR test
>>> virus strings but firstly only 3 of the 7 tests hit my mail server,
>>> and secondly ClamAV doesn't detect anything, yet the next-level AV
>>> detects it just fine.
>>
>> I tried to send the 7 tests to my main address... only 3 arrived
>>
>> (the clean one - and 2 of the password protected one)
>
> I received the same thing.
>
>
>>
>> My ISP probably filtered out the others.
>
> My ISP does no filtering; either the test messages were
> blocked at the source (ISP/webhost egress filtering) or they
> were never sent.
>
> As for the encrypted files, nothing can check inside an
> encrypted zip, but they can be blocked based on a file name
> inside the zip, or clamd can mark all encrypted zips by
> setting "ArchiveBlockEncrypted yes" in clamd.conf
>
> At any rate, this test appears useless. Find another one.
>
> --
> Noel Jones
Re: How to test ClamAV [ In reply to ]
You'll need to find a nasty that your local/server AV doesn't detect, but
ClamAV does. Or make an exception for a file extension... rename eicar.txt
to eicar.z43 (something random) and make sure your server and local AV will
ignore that file extension.

On Fri, Feb 6, 2009 at 10:45 AM, Alex Davidson <davidson.alex@gmail.com> wrote:

> Interesting...if I create a plain text email with the eicar text in
> it, ClamAV detects it successfully.
>
> Can anyone suggest another way to send myself a
> non-password-protected/encrypted attachment that ClamAV might have a
> chance at detecting?
> It's either that or disable my workstation AV and server AV to send
> one out and back in that way - kind of a pain.
>
> Thanks!
>
> On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones <njones@megan.vbhcs.org> wrote:
> > Steve Basford wrote:
> >>
> >> Alex Davidson wrote:
> >>
> >>> send myself EICAR test
> >>> virus strings but firstly only 3 of the 7 tests hit my mail server,
> >>> and secondly ClamAV doesn't detect anything, yet the next-level AV
> >>> detects it just fine.
> >>
> >> I tried to send the 7 tests to my main address... only 3 arrived
> >>
> >> (the clean one - and 2 of the password protected one)
> >
> > I received the same thing.
> >
> >
> >>
> >> My ISP probably filtered out the others.
> >
> > My ISP does no filtering; either the test messages were
> > blocked at the source (ISP/webhost egress filtering) or they
> > were never sent.
> >
> > As for the encrypted files, nothing can check inside an
> > encrypted zip, but they can be blocked based on a file name
> > inside the zip, or clamd can mark all encrypted zips by
> > setting "ArchiveBlockEncrypted yes" in clamd.conf
> >
> > At any rate, this test appears useless. Find another one.
> >
> > --
> > Noel Jones



--
-Xinn.org
Security, and Sanity Solutions
The makers of ClearSite NMS.
Re: How to test ClamAV [ In reply to ]
Hello Alex, I don't have a definitive test either. I have recently installed ClamAV on my gateway/router/firewall/smtp Linux box. I tried the canned test as suggested in the ClamAV doco but I could not see anything definitive.

I agree that a real email from the <outside> would be a definitive test. Since ClamAV is running on a Linux box, a Windows virus in an email attachment would be the best test without actually exposing the Linux box to compromise. I must admit that I would be reluctant to do this myself, as the reason I installed ClamAV is I recently rid my local Windows boxes of a vicious browser hijack trojan. The source of this trojan was in all likelihood not from email but from a link embedded in a normal html page.

BTW: what is the EICAR test? I will try this myself.

Regards, :-), David.

Alex Davidson wrote ..
> Interesting...if I create a plain text email with the eicar text in
> it, ClamAV detects it successfully.
>
> Can anyone suggest another way to send myself a
> non-password-protected/encrypted attachment that ClamAV might have a
> chance at detecting?
> It's either that or disable my workstation AV and server AV to send
> one out and back in that way - kind of a pain.
>
> Thanks!
>
> On Fri, Feb 6, 2009 at 7:51 AM, Noel Jones <njones@megan.vbhcs.org> wrote:
> > Steve Basford wrote:
> >>
> >> Alex Davidson wrote:
> >>
> >>> send myself EICAR test
> >>> virus strings but firstly only 3 of the 7 tests hit my mail server,
> >>> and secondly ClamAV doesn't detect anything, yet the next-level AV
> >>> detects it just fine.
> >>
> >> I tried to send the 7 tests to my main address... only 3 arrived
> >>
> >> (the clean one - and 2 of the password protected one)
> >
> > I received the same thing.
> >
> >
> >>
> >> My ISP probably filtered out the others.
> >
> > My ISP does no filtering; either the test messages were
> > blocked at the source (ISP/webhost egress filtering) or they
> > were never sent.
> >
> > As for the encrypted files, nothing can check inside an
> > encrypted zip, but they can be blocked based on a file name
> > inside the zip, or clamd can mark all encrypted zips by
> > setting "ArchiveBlockEncrypted yes" in clamd.conf
> >
> > At any rate, this test appears useless. Find another one.
> >
> > --
> > Noel Jones
Re: How to test ClamAV [ In reply to ]
Andy wrote:
> You'll need to find a nasty that your local/server AV doesn't detect, but
> ClamAV does. Or make an exception for a file extension... rename eicar.txt
> to eicar.z43 (something random) and make sure your server and local AV will
> ignore that file extension.
>

It's not that difficult if you've properly set up the system to check
for outgoing viruses as well as incoming viruses. You need only send a
sample virus to a friend or test address. ClamAV doesn't care which way
the bug is going - it should reject it before it leaves the building.

Checking for outgoing viruses does seem to be an alien concept for some
mail admins, though.

dp
Re: How to test ClamAV [ In reply to ]
Alex Davidson wrote:
> Interesting...if I create a plain text email with the eicar text in
> it, ClamAV detects it successfully.
>
> Can anyone suggest another way to send myself a
> non-password-protected/encrypted attachment that ClamAV might have a
> chance at detecting?

There is a test tool at http://tools.declude.com/ under the
"Virus Test" heading.
There are a bazillion options for sending the virus. The
only tests that really count are the "Plain base64 MIME
encoded" and "Zip file". Clam should detect those. The rest
appear to be mostly marketing fluff; don't be too concerned if
clam doesn't detect them.


--
Noel Jones
Re: How to test ClamAV [ In reply to ]
Hello Noel, yep it worked. The eicar message was found, but not before a user with enough time could open the mail message and the attachment. And, it is difficult to tell exactly which message is the culprit because all I see from the CRON log email is:

/Maildir/cur/1233939406.Vfd00I270080M968444.davidwbrown.name:2,S: Eicar-Test-Signature FOUND

And, the gadgetry set-up to automatically send email to users with FOUND signatures did not trigger.

I suppose I need to run ClamAV as daemon and ditch the CRON job.

Thanks, David.


Noel Jones wrote ..
> Alex Davidson wrote:
> > Interesting...if I create a plain text email with the eicar text in
> > it, ClamAV detects it successfully.
> >
> > Can anyone suggest another way to send myself a
> > non-password-protected/encrypted attachment that ClamAV might have a
> > chance at detecting?
>
> There is a test tool at http://tools.declude.com/ under the
> "Virus Test" heading.
> There are a bazillion options for sending the virus. The
> only tests that really count are the "Plain base64 MIME
> encoded" and "Zip file". Clam should detect those. The rest
> appear to be mostly marketing fluff; don't be too concerned if
> clam doesn't detect them.
>
>
> --
> Noel Jones
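Putting Noel's two tests that "really count" (plain base64 MIME attachment and unencrypted zip) together with David's cron-log "FOUND" line, here is an added Python example, not from this thread or from the ClamAV project, that builds both EICAR test mails, maps a clamscan/clamd result line back to the culprit message path and signature, and can submit bytes to a running clamd over its INSTREAM command for a live check. The mail addresses and the clamd socket path are assumed placeholders.

```python
import io, re, socket, struct, zipfile
from email.message import EmailMessage

# The public EICAR test string (68 bytes, harmless by design); the backslash is escaped for Python.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# clamscan and clamd report infections as "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.*?): (?P<sig>\S+) FOUND$")


def eicar_zip() -> bytes:
    """Unencrypted zip holding eicar.com (the 'Zip file' test; no password, so clamd can look inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    return buf.getvalue()


def build_test_message(as_zip: bool = False) -> bytes:
    """EICAR as a base64 MIME attachment, plain or zipped; addresses are constructed placeholders."""
    msg = EmailMessage()
    msg["From"] = "avtest@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "ClamAV mail-path test (%s)" % ("zip" if as_zip else "plain")
    msg.set_content("Harmless EICAR test attachment; the mail scanner should reject this message.")
    if as_zip:
        msg.add_attachment(eicar_zip(), maintype="application", subtype="zip", filename="eicar.zip")
    else:
        msg.add_attachment(EICAR, maintype="application", subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


def parse_found(line: str):
    """Return (path, signature) for a FOUND line, None for OK/ERROR lines; the path names the culprit."""
    m = FOUND_RE.match(line.strip())
    return (m.group("path"), m.group("sig")) if m else None


def clamd_instream(data: bytes, sock_path: str = "/var/run/clamav/clamd.ctl") -> str:
    """Scan bytes over clamd's INSTREAM command; sock_path is an assumed LocalSocket location."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")                                # null-terminated command form
        for i in range(0, len(data), 2048):
            chunk = data[i:i + 2048]
            s.sendall(struct.pack("!I", len(chunk)) + chunk)     # big-endian length prefix per chunk
        s.sendall(struct.pack("!I", 0))                          # zero-length chunk ends the stream
        return s.recv(4096).decode(errors="replace").rstrip("\0\n")  # e.g. "stream: Eicar-Test-Signature FOUND"
```

Feeding `build_test_message(as_zip=True)` to `clamd_instream` (or piping the bytes to `clamscan -`) exercises the same MIME and archive unpacking the mail path relies on, and `parse_found` over the result gives the path/signature pair the cron mail in the post leaves you to dig out by hand.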