amavisd-new result is clean but clamav manual scan result is infected
Kenneth Oncinian
kenneth.oncinian at ph.panasonic.com
Fri Nov 18 08:10:54 CET 2011
Good afternoon.
This morning, I received the following e-mail:
-- snip --
DHL Express Tracking Notification: Thu, 17 Nov 2011 09:26:55 +0800
Custom. Reference: I7IDBNQ9G99908950273P.
Tracking Number: 0433878424820VRWA
Pickup Date: Thu, 17 Nov 2011 09:26:55 +0800
Service: AIR
Pieces: 1
EVENT CATEGORY
Thu, 17 Nov 2011 09:26:55 +0800 - Clearance processing complete
PLEASE REFER TO ATTACHED FILE FOR DETAILED INFORMATION.
Shipment status may also be obtained from our Internet site in USA under
http://track.dhl-usa.com or Globally under http://www.dhl.com/track
Please do not reply to this email. This is an automated application used
only for sending proactive notifications
Thanks,
DHL Express International.
-- snip --
The e-mail has an attachment
"Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip".
I uploaded the attachment to clamav.net, and it was already detected as
Email.Trojan-268. So I thought my ClamAV pattern was not updated, but it
was. And actually, scanning the file manually yields an infected result:
# clamdscan DHL\ Express\ Notification\ for\ shipment\ 84302695681014952HG5V.eml
/tmp/DHL Express Notification for shipment 84302695681014952HG5V.eml: Email.Trojan-268 FOUND
I have tried this several times and still, amavisd-new's result is CLEAN
while the manual scan says infected. In fact, the trendmicro engine I am
using side-by-side with amavisd has just recently been updated and is
detecting the virus as TSPY_ZBOT.HNF, so amavisd-new is finally
catching this as infected, but only via the trendmicro scanner.
Here is the debug output: http://pastebin.com/f8DSt4qD
How is it possible that amavisd-new reports "clean" while a manual
scan with ClamAV reports "infected"?
Version of amavisd-new is amavisd-new-2.6.5 (20110407).
Clamav version is ClamAV 0.97.3/13962/Fri Nov 18 06:44:13 2011
thanks and best regards,
Kenneth
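One way to narrow down a discrepancy like the one described above is to feed clamd the same message twice over its socket: once as the whole .eml, and once as the individual decoded MIME parts, which is roughly the shape in which amavisd-new presents mail to clamd (it unpacks the message into a temp directory and scans that, rather than the raw .eml). The helper below is an added example, not code from this thread or from amavisd-new; it assumes the clamd socket path /var/run/clamav/clamd.ctl and a clamd that accepts the zINSTREAM command.

```python
import email
import socket
import struct
import sys
from email import policy

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: match LocalSocket in clamd.conf


def frame_instream(data: bytes, chunk: int = 2048) -> bytes:
    """Wrap bytes in clamd's zINSTREAM framing: NUL-terminated command, then
    4-byte big-endian length-prefixed chunks, ended by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_reply(reply: bytes):
    """'stream: Email.Trojan-268 FOUND\\0' -> ('FOUND', 'Email.Trojan-268');
    'stream: OK\\0' -> ('OK', None); anything else -> ('ERROR', text)."""
    text = reply.decode(errors="replace").rstrip("\0\n")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[:-len(" FOUND")])
    return ("ERROR", text)


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET):
    """Send data to clamd over the unix socket and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands end replies with NUL
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)


def decoded_parts(raw: bytes):
    """Yield (name, payload) for every leaf MIME part, i.e. the decoded
    pieces a scanner sees once the mail container has been unpacked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart():
            name = part.get_filename() or part.get_content_type()
            yield (name, part.get_payload(decode=True) or b"")


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read()
    print("whole .eml:", scan_bytes(raw))
    for name, payload in decoded_parts(raw):
        print("part %s: %s" % (name, scan_bytes(payload)))
```

If the whole .eml is FOUND but every decoded part is OK, the signature matches the mail container itself rather than the attachment, which explains a daemon scan of unpacked parts coming back clean.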