Eicar Testing

Michael D. Wood mike at itsecuritypros.org
Fri Sep 7 12:00:30 CEST 2012 

I just tested with mine to see if it would detect it from the body of the
e-mail and indeed it does.  This was done by placing the EICAR test string
in the body of the e-mail.   My setup is pretty much the same except I’m
using dovecot.

 

Things that are popping up in my head to check would be:

 

/etc/amavis/conf.d/15-content_filter_mode      ßmake sure amavis is set to
use clamav and spamassasin (disabled by default)

 

/etc/amavis/conf.d/15-av_scanners  ßmake sure clamd is configured here, also
check to make sure clamd is running

 

### http://www.clamav.net/

['ClamAV-clamd',

   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],

   qr/\bOK$/m, qr/\bFOUND$/m,

   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

 

Here is the e-mail alerting me that I had sent out the malicious e-mail:

VIRUS ALERT

 

Our content checker found

    virus: Eicar-Test-Signature

 

in email presumably from you <mike at itsecuritypros.org> to the following
recipient:

-> xxxxxxxx at gmail.com

 

Our internal reference code for your message is 13692-11/mMgsaVaBvzxz

 

First upstream SMTP client IP address: [192.168.23.62] pfsense.xxxx.xxxx
According to a 'Received:' trace, the message originated at:
[192.168.23.62],

  michaellaptop pfsense.xxxxx.xxxxx [192.168.23.62] Authenticated sender:

  mike at itsecuritypros.org

 

Return-Path: <mike at itsecuritypros.org>

From: "Michael D. Wood" <mike at itsecuritypros.org>

Message-ID: <00dc01cd8cdd$ab298b20$017ca160$@itsecuritypros.org>

 

Delivery of the email was stopped!

 

Please check your system for viruses,

or ask your system administrator to do so.

 

--

Michael D. Wood

ITSecurityPros.org

www.itsecuritypros.org

 

From: amavis-users-bounces+mike=itsecuritypros.org at amavis.org
[mailto:amavis-users-bounces+mike=itsecuritypros.org at amavis.org] On Behalf
Of Jayanta Ghosh
Sent: Friday, September 07, 2012 5:36 AM
To: amavis-users at amavis.org
Subject: Eicar Testing

 

Dear List,

 

I have configured a mail server on RHEL 6.1(64 Bit) with the following
components:-

1. Postfix

2. Courier-authlib

3. Courier-imap

4. MySql

5. Maildrop

6. Spamassassin

7. Clamav

8. Amavis-new

 

     The mail server is functioning properly. But I was testing the
functionality of Amavis-new & Clamav. I was testing this by sending the
EICAR string. The issue is when I am sending the EICAR string in the body of
the email the Amavis is not detecting any virus pattern in it and eventually
the email is passed by Amavis. But when I am sending the same EICAR string
as an attachment (A text file containing the string ) then the Amavis is
blocking the mail from getting delivered. 

 

My query is do I need to change any of the settings in the clamd.conf or
amavisd.conf file, So that the EICAR string written in the body of the email
will be blocked by amavis. I am also attaching both the configuration
herein.

 

Kindly help.

 

Regards,

Jayanta

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20120907/344ab181/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6139 bytes
Desc: not available
URL: <http://lists.amavis.org/pipermail/amavis-users/attachments/20120907/344ab181/attachment.bin>

More information about the amavis-users mailing list