RE: [Nolug] Mimedefang not stopping new virus

From: J. Kent Busbee, Jr. <buz_at_penwel.com>
Date: Wed, 4 Feb 2004 09:41:30 -0600
Message-ID: <001001c3eb35$5c425170$3204a8c0@penwel.com>

> > We are having a problem where clamav is missing MyDoom viruses that
> > uvscan catches. It seems that clamav is missing about 1/3 to 1/2 of
> > the MyDooms we are seeing. (The only MyDooms we are getting are
> > bounces to bogus email addresses.)
>
> The problem is probably that the bounces include the infected
> file(s) as base64 encoded. MD and clamav don't base64 decode
> it, but uvscan does. So, either be happy that something in
> your arsenal does catch it, or add base64 decoding to your MD
> filter, which will probably be a big hairy mess. (maybe
> quarantine messages with base64 in them for later review?)
>
> clamav should be able to detect these in the future. There
> has been talk with the author of ripmime to link clamav with
> his library. This may be available to some degree in
> post-0.65 snapshots but I haven't tried any yet.

OK... so clamav does NOT work in all cases. That's NOT GOOD. I'm not
sure I understand WHY it does not work. Base64, what is that, some sort
of email compression/mime format?

Here is the weird part to me. If I scan the zipped virus file,
clamdscan FINDS it. But if I email that same file to myself using
Outlook, it gets through; no warnings, no errors. So, is my
mimedefang/clamav not set up right, or is this a useless virus protection
setup?

Is there another open source virus protection solution that I should
consider?

___________________
Nolug mailing list
nolug@nolug.org
Received on 02/04/04
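
Added example, not part of the original thread: a Python standard-library sketch of the situation the quoted reply describes, where a bounce carries the original attachment base64-encoded inside a nested message. It compares a signature search over the raw message bytes with one over each decoded MIME part. The marker string, addresses and file name are constructed and harmless.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for a scanner signature (assumption).
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"

def build_bounce() -> bytes:
    """Constructed sample: a bounce that returns the original mail and its attachment."""
    original = EmailMessage()
    original["From"] = "sender@example.com"
    original["To"] = "nobody@example.org"
    original["Subject"] = "hi"
    original.set_content("see attachment")
    # Binary attachments are base64-encoded by default when serialized.
    original.add_attachment(b"PK-fake-archive " + MARKER, maintype="application",
                            subtype="octet-stream", filename="doc.zip")
    bounce = EmailMessage()
    bounce["From"] = "MAILER-DAEMON@example.org"
    bounce["To"] = "sender@example.com"
    bounce["Subject"] = "Undelivered Mail Returned to Sender"
    bounce.set_content("User unknown. Original message follows.")
    bounce.add_attachment(original)  # becomes a nested message/rfc822 part
    return bounce.as_bytes()

def raw_scan(raw: bytes) -> bool:
    """Signature search over the message exactly as it arrived, with no decoding."""
    return MARKER in raw

def decoded_scan(raw: bytes) -> list:
    """Walk every MIME part, including the nested message, and scan decoded bytes."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers (multipart/*, message/rfc822) hold no payload themselves
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        if MARKER in payload:
            hits.append(part.get_filename() or part.get_content_type())
    return hits

if __name__ == "__main__":
    raw = build_bounce()
    print("raw scan hit:    ", raw_scan(raw))
    print("decoded scan hit:", decoded_scan(raw))
```

The same bytes that a file scan matches directly are invisible in the raw message because base64 re-encodes them; only the decoded part contains the signature.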
