From stock@stokkie.net Fri May 25 07:12:38 2007 +0200
Date: Fri, 25 May 2007 07:12:38 +0200 (CEST)
From: "Robert M. Stockmann"
To: clamav-users@lists.clamav.net
Subject: ClamAV 0.90.2 with old perl-less amavis-0.2.4
Message-ID:
MIME-Version: 1.0
Hi,
If you are running some old mailserver (RedHat 6.2 or 7.3 on a P3
500MHz), you might wanna look at amavis-0.2.4.tar.gz at
http://crashrecovery.org/amavis/ or
ftp://ftp.crashrecovery.org/pub/linux/amavis/
(the old fast one, without perl) which now also automatically selects and
configures to use ClamAV 0.90.2 if installed.
Recently we found out that McAfee's command-line AV scanner uvscan
version 4.x cannot be used anymore as the scan.dat file has been
changed in format. The reader is advised to upgrade to version 5.x to
be able to continue to run amavis-0.2.x.
However, with the release of amavis-0.2.4 one can drop uvscan in favor
of the ClamAV 0.90.2 (clamdscan) AntiVirus scanner, an open-source and 100%
free package. Make sure to only run clamdscan by querying through
clamd. Running clamscan barebones and standalone is a broken option
IMHO. When correctly used and configured clamav even hits the bricks of
the road on your old mailservers...
# clamdscan virus-20070423-3662M
/var/virusmails/root/virus-20070423-3662: Worm.Stration.pac-1 FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.842 sec (0 m 0 s) (on a PIII 500MHz, 128Mb RAM RedHat 6.2 machine)
For more details see INSTALL.ClamAV or for (S)RPMS see
http://crashrecovery.org/amavis/clamav/
Robert
--
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org stock@stokkie.net
In order for the nasty dudes to get their dangerous Worms and Binaries
onto the User's Desktop, one must create a clean spotless message
which slips through any spam filter. Here's an example Virus Found
email to the admin using amavis-0.2.4 and clamav-0.90.2-3:
From anonymous@stokkie.net Fri May 25 04:53:58 2007
Return-Path:
Delivered-To: stock@stokkie.net
Received: (qmail 8774 invoked by alias); 25 May 2007 04:53:58 -0000
Delivered-To: virusalert@stokkie.net
Received: (qmail 8691 invoked by alias); 25 May 2007 04:53:58 -0000
Date: 25 May 2007 04:53:58 -0000
Message-ID: <20070525045358.8690.qmail@stokkie.net>
From: postmaster@stokkie.net
To: virusalert@stokkie.net
Subject: FOUND VIRUS IN MAIL from jmr@crashrecovery.org to jmr@crashrecovery.org
X-AntiVirus: scanned for viruses by AMaViS 0.2.4 (ftp://crashrecovery.org/pub/linux/amavis/)
X-AntiVirus: scanned for viruses by AMaViS 0.2.4 (ftp://crashrecovery.org/pub/linux/amavis/)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri May 25 06:54:00 2007
X-DSPAM-Confidence: 0.9997
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 46566be888621804284693
X-DSPAM-Factors: 27,
Delivered-To*virusalert, 0.00010,
0+ClamAV, 0.00010,
0+F, 0.00010,
scanstatus0, 0.00010,
rw+1, 0.00010,
rw+1, 0.00010,
dot+forward, 0.00010,
dot+forward, 0.00010,
old+scanstatus2, 0.00010,
To*virusalert+stokkie, 0.00010,
preline, 0.00010,
preline, 0.00010,
scanstatus2, 0.00010,
Scan+4, 0.00010,
xxxxxxxxxxxxxxxxxxFri+May, 0.00010,
Sweep, 0.00010,
CyberSoft, 0.00010,
inocucmd, 0.00010,
KasperskyLab, 0.00010,
KasperskyLab, 0.00010,
clamdscan, 0.00010,
KasperskyLab+AVPDaemonClient, 0.00010,
Subject*FOUND+VIRUS, 0.00010,
SFX, 0.00010,
SFX, 0.00010,
0+Sophos, 0.00010,
forward+forward, 0.00010
Status: RO
X-Status:
X-Keywords:
The attached mail has been found to contain a virus
Originally bin/qmail-local -- alias /var/qmail/alias jmr -
jmr crashrecovery.org jmr@crashrecovery.org |dot-forward .forward
|preline procmail
The mail has been stored as /var/virusmails/alias/virus-20070525-8394
xxxxxxxxxxxxxxxxxxFri May 25 06:53:56 CEST 2007xxxxxxxxxxxxxxxxxxxxxxx
qmail-local (0.2.4) called -- alias /var/qmail/alias jmr -
jmr crashrecovery.org jmr@crashrecovery.org |dot-forward .forward
|preline procmail
FROM: jmr@crashrecovery.org
TO: jmr@crashrecovery.org
maxlevel: 0
Unziping new_price25-May-2007.zip
Unziping new_price25-May-2007.zip.1
maxlevel: 1
Contents of /var/tmp/qmail-local8394/unpacked
/var/tmp/qmail-local8394/unpacked:
total 100
drwx------ 3 alias nofiles 4096 May 25 06:53 .
drwx------ 3 alias nofiles 4096 May 25 06:53 ..
drwx------ 2 alias nofiles 4096 May 25 06:53 SFX
-rw------- 1 alias nofiles 37 May 25 06:53 mm.JE2lUN
-rw------- 1 alias nofiles 36 May 25 06:53 new_price25-May-2007.zip.desc
-rw------- 1 alias nofiles 40565 Sep 25 2004 y8481.0.exe
-rw------- 1 alias nofiles 40565 Sep 25 2004 y8498.0.exe
/var/tmp/qmail-local8394/unpacked/SFX:
total 8
drwx------ 2 alias nofiles 4096 May 25 06:53 .
drwx------ 3 alias nofiles 4096 May 25 06:53 ..
/var/tmp/qmail-local8394/unpacked/SFX: OK
/var/tmp/qmail-local8394/unpacked/mm.JE2lUN: OK
/var/tmp/qmail-local8394/unpacked/new_price25-May-2007.zip.desc: OK
/var/tmp/qmail-local8394/unpacked/y8481.0.exe: Worm.Bagle.GV FOUND
/var/tmp/qmail-local8394/unpacked/y8498.0.exe: Worm.Bagle.GV FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
Time: 0.078 sec (0 m 0 s)
H+BEDV AntiVir scanstatus0 is: 0
Mcafee scanstatus1 is: 0
Dr. Solomon (old) scanstatus2 is: 0
Dr. Solomon (new) scanstatus3 is: 0
Sophos Sweep scanstatus4 is: 0
NAI Virus Scan 4.x scanstatus5 is: 0
KasperskyLab AVP scanstatus6 is: 0
KasperskyLab AVPDaemonClient scantatus7 is: 0
F-Secure Antivirus scanstatus8 is: 0
Trend Micro FileScanner scanstatus9 is: 0
CyberSoft vfind scanstatus10 is: 0
CAI InoculateIT (inocucmd) scanstatus11 is: 0
ClamAV 0.90.2 (clamdscan) scanstatus12 is: 1
Virus FOUND Sent notification to virusalert
!DSPAM:46566be888621804284693!
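As an added example (not code from the post or from amavis/ClamAV), here is a small parser for the clamdscan output and the per-scanner "scanstatusN is:" lines in the notification above, so an admin can check the alert mechanically: it lists every FOUND entry, which scanners returned a non-zero status, and whether the "Infected files" summary agrees with the FOUND lines. The sample text is constructed to mirror the quoted report (including the "scantatus7" misspelling that the real output contains); the function names are my own.

```python
import re

# Constructed sample modelled on the notification quoted above (not a real capture).
SAMPLE_REPORT = """\
/var/tmp/qmail-local8394/unpacked/SFX: OK
/var/tmp/qmail-local8394/unpacked/mm.JE2lUN: OK
/var/tmp/qmail-local8394/unpacked/y8481.0.exe: Worm.Bagle.GV FOUND
/var/tmp/qmail-local8394/unpacked/y8498.0.exe: Worm.Bagle.GV FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
Time: 0.078 sec (0 m 0 s)
H+BEDV AntiVir scanstatus0 is: 0
Mcafee scanstatus1 is: 0
KasperskyLab AVPDaemonClient scantatus7 is: 0
ClamAV 0.90.2 (clamdscan) scanstatus12 is: 1
"""

# "<path>: <signature> FOUND" as printed by clamdscan for each infected file.
FOUND_RE = re.compile(r"^(?P<path>\S.*?): (?P<sig>\S+) FOUND$")
# "<scanner> scanstatusN is: <code>"; "scans?tatus" also accepts the
# "scantatus" spelling that appears in the real output.
STATUS_RE = re.compile(r"^(?P<scanner>.+?) scans?tatus(?P<idx>\d+) is: (?P<code>\d+)$")
SUMMARY_RE = re.compile(r"^Infected files: (?P<n>\d+)$")


def parse_report(text):
    """Return (found, statuses, summary): FOUND entries, scanner->code, summary count."""
    found, statuses, summary = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := FOUND_RE.match(line):
            found.append((m.group("path"), m.group("sig")))
        elif m := STATUS_RE.match(line):
            statuses[m.group("scanner")] = int(m.group("code"))
        elif m := SUMMARY_RE.match(line):
            summary = int(m.group("n"))
    return found, statuses, summary


def verdict(text):
    """Decide 'infected' as amavis does: any FOUND line or any non-zero scanstatus."""
    found, statuses, summary = parse_report(text)
    flagged = sorted(name for name, code in statuses.items() if code != 0)
    # A summary that disagrees with the FOUND lines hints at a truncated report.
    consistent = summary is None or summary == len(found)
    return {"infected": bool(found) or bool(flagged), "found": found,
            "flagged": flagged, "consistent": consistent}


if __name__ == "__main__":
    print(verdict(SAMPLE_REPORT))
```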