Eicar Testing
Michael D. Wood
mike at itsecuritypros.org
Fri Sep 7 12:46:55 CEST 2012
Awesome! Thanks for letting me know.
--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
From: Jayanta Ghosh [mailto:jayanta.ghosh at rp-sg.in]
Sent: Friday, September 07, 2012 6:45 AM
To: Michael D. Wood
Subject: Re: Eicar Testing
Dear Michael,
Thank you for your response. I have uncommented the lines and now it's working.
Regards,
Jayanta
From: Michael D. Wood <mailto:mike at itsecuritypros.org>
Sent: Friday, September 07, 2012 3:40 PM
To: 'Jayanta Ghosh' <mailto:jayanta.ghosh at rp-sg.in>
Subject: RE: Eicar Testing
I just looked at your amavisd.conf file… didn't see it the first time :)
Find this:
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
yours is commented out…uncomment it and see what you get.
--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
From: amavis-users-bounces+mike=itsecuritypros.org at amavis.org [mailto:amavis-users-bounces+mike=itsecuritypros.org at amavis.org] On Behalf Of Michael D. Wood
Sent: Friday, September 07, 2012 6:01 AM
To: 'Jayanta Ghosh'; amavis-users at amavis.org
Subject: RE: Eicar Testing
I just tested with mine to see if it would detect it from the body of the e-mail and indeed it does. This was done by placing the EICAR test string in the body of the e-mail. My setup is pretty much the same except I’m using dovecot.
Things that are popping up in my head to check would be:
/etc/amavis/conf.d/15-content_filter_mode <- make sure amavis is set to use clamav and spamassassin (disabled by default)
/etc/amavis/conf.d/15-av_scanners <- make sure clamd is configured here; also check to make sure clamd is running
### http://www.clamav.net/
['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
Here is the e-mail alerting me that I had sent out the malicious e-mail:
VIRUS ALERT
Our content checker found
virus: Eicar-Test-Signature
in email presumably from you <mike at itsecuritypros.org> to the following recipient:
-> xxxxxxxx at gmail.com
Our internal reference code for your message is 13692-11/mMgsaVaBvzxz
First upstream SMTP client IP address: [192.168.23.62] pfsense.xxxx.xxxx
According to a 'Received:' trace, the message originated at: [192.168.23.62],
michaellaptop pfsense.xxxxx.xxxxx [192.168.23.62]
Authenticated sender: mike at itsecuritypros.org
Return-Path: <mike at itsecuritypros.org>
From: "Michael D. Wood" <mike at itsecuritypros.org>
Message-ID: <00dc01cd8cdd$ab298b20$017ca160$@itsecuritypros.org>
Delivery of the email was stopped!
Please check your system for viruses,
or ask your system administrator to do so.
--
Michael D. Wood
ITSecurityPros.org
www.itsecuritypros.org
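The three regexes in the ClamAV-clamd entry above are what decide how amavisd-new reads a clamd CONTSCAN reply: the first says "clean", the second says "infected", the third pulls out the virus name. The following Python script is an added example, not code from this thread or from the amavisd-new project. It applies those same three patterns to constructed clamd replies, and it also checks whether the scanner entry in a config fragment is commented out, which turned out to be the actual problem here. The temp paths and reply lines are made up to match the shape of CONTSCAN output.

```python
import re

# The three patterns from the @av_scanners 'ClamAV-clamd' entry quoted in the
# thread, converted from Perl qr//m to Python. For these patterns \b, $ and the
# multi-line flag behave the same in both engines.
CLEAN_RE = re.compile(r"\bOK$", re.M)
FOUND_RE = re.compile(r"\bFOUND$", re.M)
NAME_RE = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def classify_clamd_reply(reply):
    """Read a clamd CONTSCAN reply the way the quoted entry tells amavisd-new to.

    Returns ("INFECTED", [virus names]) if any line ends in FOUND,
    ("CLEAN", []) if the reply only contains OK lines, and ("UNKNOWN", [])
    if neither pattern matched (an error text instead of a scan result).
    The negative lookahead in NAME_RE drops the generic 'Infected Archive'
    label from the extracted names.
    """
    if FOUND_RE.search(reply):
        return ("INFECTED", NAME_RE.findall(reply))
    if CLEAN_RE.search(reply):
        return ("CLEAN", [])
    return ("UNKNOWN", [])


def clamd_entry_enabled(conf_text):
    """Check whether the 'ClamAV-clamd' scanner entry in an amavisd.conf or
    15-av_scanners fragment is active.

    True if the line opening the entry is uncommented, False if it starts with
    '#' (the situation in this thread), None if the entry is absent.
    """
    for line in conf_text.splitlines():
        stripped = line.lstrip()
        if "['ClamAV-clamd'" in stripped:
            return not stripped.startswith("#")
    return None


# Constructed sample data (not captured from a real system). The temp paths
# imitate what amavisd hands to clamd; only the shape of the lines matters.
CLEAN_REPLY = "/var/lib/amavis/tmp/amavis-20120907T120000-00001/parts: OK\n"
EICAR_REPLY = (
    "/var/lib/amavis/tmp/amavis-20120907T120000-00001/parts/p001: OK\n"
    "/var/lib/amavis/tmp/amavis-20120907T120000-00001/parts/p002: "
    "Eicar-Test-Signature FOUND\n"
)

# The scanner entry as quoted in the thread, once commented out (the original
# state) and once uncommented (the fix).
COMMENTED_CONF = """\
### http://www.clamav.net/
#['ClamAV-clamd',
#  \\&ask_daemon, ["CONTSCAN {}\\n", "/var/run/clamav/clamd.ctl"],
#  qr/\\bOK$/m, qr/\\bFOUND$/m,
#  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
"""
ACTIVE_CONF = COMMENTED_CONF.replace("\n#", "\n")


if __name__ == "__main__":
    for label, reply in (("clean", CLEAN_REPLY), ("eicar", EICAR_REPLY), ("empty", "")):
        verdict, names = classify_clamd_reply(reply)
        print(f"{label:6s} -> {verdict} {names}")
    print("entry enabled (commented conf):", clamd_entry_enabled(COMMENTED_CONF))
    print("entry enabled (active conf):   ", clamd_entry_enabled(ACTIVE_CONF))
```

Running it shows why a commented-out entry silently lets the body-text EICAR through: with no active ClamAV-clamd entry there is no reply for these regexes to match in the first place, whereas an attachment may still be caught by another scanner listed in the file.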
From: amavis-users-bounces+mike=itsecuritypros.org at amavis.org [mailto:amavis-users-bounces+mike=itsecuritypros.org at amavis.org] On Behalf Of Jayanta Ghosh
Sent: Friday, September 07, 2012 5:36 AM
To: amavis-users at amavis.org
Subject: Eicar Testing
Dear List,
I have configured a mail server on RHEL 6.1 (64 Bit) with the following components:
1. Postfix
2. Courier-authlib
3. Courier-imap
4. MySql
5. Maildrop
6. Spamassassin
7. Clamav
8. Amavis-new
The mail server is functioning properly. But I was testing the functionality of Amavis-new & Clamav by sending the EICAR string. The issue is that when I send the EICAR string in the body of the email, Amavis does not detect any virus pattern in it and eventually passes the email. But when I send the same EICAR string as an attachment (a text file containing the string), Amavis blocks the mail from being delivered.
My query is: do I need to change any of the settings in the clamd.conf or amavisd.conf file so that the EICAR string written in the body of the email will be blocked by Amavis? I am also attaching both configurations herein.
Kindly help.
Regards,
Jayanta