RE: [Nolug] Mimedefang not stopping new virus

From: Wimprine, Thomas <twimprine_at_stei.com>
Date: Tue, 3 Feb 2004 10:48:43 -0600
Message-ID: <7A727C65F1901E46BBFE6D9C4C5D82FC34BD36@lajeffeex02.stei.com>

From the mimedefang mailing list, about why clamav doesn't stop it but my uvscan
does.

On Sat, 31 Jan 2004, Jon R. Kibler wrote:

> We are having a problem where clamav is missing MyDoom viruses that
> uvscan catches. It seems that clamav is missing about 1/3 to 1/2 of
> the MyDooms we are seeing. (The only MyDooms we are getting are
> bounces to bogus email addresses.)

The problem is probably that the bounces include the infected file(s) as
base64 encoded. MD and clamav don't base64 decode it, but uvscan does. So,
either be happy that something in your arsenal does catch it, or add base64
decoding to your MD filter, which will probably be a big hairy mess. (maybe
quarantine messages with base64 in them for later review?)

clamav should be able to detect these in the future. There has been talk
with the author of ripmime to link clamav with his library. This may be
available to some degree in post-0.65 snapshots but I haven't tried any yet.

  Jason

-- 
Jason Englander <jason@englanders.cc>
394F 7E02 C105 7268 777A  3F5A 0AC0 C618 0675 80CA

-----Original Message-----
From: J. Kent Busbee, Jr. [mailto:buz@penwel.com] 
Sent: Tuesday, February 03, 2004 10:09 AM
To: nolug@joeykelly.net
Subject: [Nolug] Mimedefang not stopping new virus
I have received the new MyDoom virus in email several times.  MimeDefang
is supposed to use the ClamAV scanner.  I have run clamscan on the
zipped file and it DOES detect it as a virus.  So, why does not
Mimedefang stop it?
I've set mimedefang and clamd to run as user defang:
root@pwweb /etc/mail/spamassassin# ps -auwx | grep defang
root     30234  0.0  0.9  1072  540  p0  S+    9:56AM   0:00.00 grep defang
defang   10998  0.0  3.7 21544 2136  ??  Ss   Thu02PM   0:28.70 /usr/local/sbin/clamd
defang   26780  0.0  0.4  1820  208  ??  I    10:17AM   0:00.29 /usr/local/bin/mimedefang-multiplexor -p /var/spool/MIMEDefang/mime
defang   26782  0.0 27.4 24720 16132  ??  I    10:17AM   1:22.12 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -server
defang   26792  0.0  0.9  1480  544  ??  S    10:17AM   0:05.87 /usr/local/bin/mimedefang -P /var/spool/MIMEDefang/mimedefang.pid -
defang   26794  0.0  1.4 21792  816  ??  I    10:17AM   0:03.91 /usr/bin/perl -w /usr/local/bin/mimedefang.pl -server
<snip /usr/local/clamav.conf>
# run compatible with MIMEDefang user
User defang
PidFile /var/spool/MIMEDefang/clamd.pid
LocalSocket /var/spool/MIMEDefang/clamd.sock
</snip>
And Permissions:
root@pwweb /var/spool/MIMEDefang# ls -al
total 10
drwx------   2 defang  defang  512 Feb  3 10:03 .
drwxr-xr-x  14 root    wheel   512 Oct 17 17:09 ..
-rw-rw-rw-   1 defang  defang    5 Jan 29 14:59 clamd.pid
srwxrwxrwx   1 defang  defang    0 Jan 29 14:59 clamd.sock
-rw-------   1 defang  defang    6 Feb  2 10:17 mimedefang-multiplexor.pid
srw-------   1 defang  defang    0 Feb  2 10:17 mimedefang-multiplexor.sock
-rw-------   1 defang  defang    6 Feb  2 10:17 mimedefang.pid
srwx------   1 defang  defang    0 Feb  2 10:17 mimedefang.sock
Versions:
root@pwweb /var/spool/MIMEDefang# clamd -V
clamd / ClamAV version 0.60
root@pwweb /var/spool/MIMEDefang# mimedefang -V
mimedefang: illegal option -- V
mimedefang version 2.39
root@pwweb /var/spool/MIMEDefang# uname -a
FreeBSD pwweb.penwel.com 4.8-RELEASE FreeBSD 4.8-RELEASE #0: Thu Apr  3 10:53:38 GMT 2003     root@freebsd-stable.sentex.ca:/usr/obj/usr/src/sys/GENERIC  i386
Any Suggestions?
___________________
Nolug mailing list
nolug@nolug.org
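Added example (not part of the thread above, and not MIMEDefang, ClamAV or uvscan code): a small Python script that reproduces the point in the quoted mimedefang-list reply. A bounce carrying the worm as a base64-encoded zip attachment is constructed inline; a stand-in byte-signature "scanner" is run once over the raw message as it arrived on the wire (no base64 decoding, as the reply says MD and clamav did at the time) and once over each MIME leaf part after its Content-Transfer-Encoding is undone (what uvscan did). It also lists the base64 leaf parts, which is the cheap "quarantine messages with base64 in them for later review" heuristic the reply suggests. The signature bytes, file names and addresses are constructed for the example and are not real MyDoom indicators; the zip member is stored uncompressed so the marker survives verbatim inside the archive, matching the observation that clamscan catches the zipped file when scanned on disk.

```python
"""Why a scanner that does not base64-decode MIME parts misses an attachment
it would detect if handed the decoded file. Added example only; the scanner
is a stand-in byte-signature matcher and the message is constructed inline."""

import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for an AV byte signature (not a real MyDoom signature).
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE-0x7f3a"


def build_bounce_with_zip() -> bytes:
    """Construct a bounce-style message with a zip attachment containing the
    marker. ZIP_STORED keeps the member uncompressed, so the marker appears
    verbatim in the decoded attachment bytes (constructed names throughout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("document.scr", b"MZ" + b"\x00" * 16 + SIGNATURE + b"\x00" * 16)
    zip_bytes = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "MAILER-DAEMON@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "Delivery failure"
    msg.set_content("The original message was included as an attachment.\n")
    # Binary attachments get Content-Transfer-Encoding: base64 by default.
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="document.zip")
    return msg.as_bytes()


def scan_raw(raw: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scanner that looks at the message exactly as it arrived. The attachment
    is base64 text at this layer, so the byte signature never matches."""
    return signature in raw


def scan_decoded(raw: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scanner that walks the MIME tree and decodes each leaf part's
    Content-Transfer-Encoding (base64, quoted-printable) before matching."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if payload and signature in payload:
            return True
    return False


def base64_parts(raw: bytes) -> list:
    """Quarantine heuristic from the reply: content types of the leaf parts
    declared as base64, so such messages can be held for later review."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [
        part.get_content_type()
        for part in msg.walk()
        if not part.is_multipart()
        and str(part.get("Content-Transfer-Encoding", "")).strip().lower() == "base64"
    ]


if __name__ == "__main__":
    raw = build_bounce_with_zip()
    print("raw scan hits:     ", scan_raw(raw))      # False
    print("decoded scan hits: ", scan_decoded(raw))  # True
    print("base64 leaf parts: ", base64_parts(raw))  # ['application/zip']
```

The decoded walk is what a filter has to do before handing bytes to a scanner that expects a file on disk: write `part.get_payload(decode=True)` out and scan that, rather than the raw spool file. Note that a zip member stored with compression would hide the marker again, which is why real scanners unpack archives as a separate step.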
Received on 02/03/04

This archive was generated by hypermail 2.2.0 : 12/19/08 EST