ClamAV 0.90.2 with old perl-les amavis


From stock@stokkie.net Fri May 25 07:12:38 2007 +0200
Date: Fri, 25 May 2007 07:12:38 +0200 (CEST)
From: "Robert M. Stockmann" 
To: clamav-users@lists.clamav.net
Subject: ClamAV 0.90.2 with old perl-les amavis-0.2.4
Message-ID: 
MIME-Version: 1.0

Hi,

If you are running some old mailserver (RedHat 6.2 or 7.3 on a P3 
500MHz), you might wanna look at amavis-0.2.4.tar.gz at

    http://crashrecovery.org/amavis/ or
    ftp://ftp.crashrecovery.org/pub/linux/amavis/

(the old fast one, without perl) which now also automatically selects and
configures to use ClamAV 0.90.2 if installed.

Recently we found out that McAfee's command-line AV scanner uvscan 
version 4.x cannot be used anymore as the scan.dat file has been 
changed in format. The reader is advised to upgrade to version 5.x to 
be able to continue to run amavis-0.2.x.

However with the release of amavis-0.2.4 one can drop uvscan in favor 
of the ClamAV 0.90.2 (clamdscan) AntiVirus scanner, an opensource and 100% 
free package. Make sure to only run clamdscan by querying through 
clamd. Running clamscan barebones and standalone is a broken option 
IMHO. When correctly used and configured clamav even hits the bricks of 
the road on your old mailservers...

     # clamdscan virus-20070423-3662M
       /var/virusmails/root/virus-20070423-3662: Worm.Stration.pac-1 FOUND

       ----------- SCAN SUMMARY -----------
       Infected files: 1
       Time: 0.842 sec (0 m 0 s)  (on a PIII 500MHz, 128Mb RAM RedHat 6.2 machine)

For more details see INSTALL.ClamAV or for (S)RPMS see

http://crashrecovery.org/amavis/clamav/

Robert
-- 
Robert M. Stockmann - RHCE
Network Engineer - UNIX/Linux Specialist
crashrecovery.org  stock@stokkie.net

In order for the nasty dudes to get their dangerous Worms and Binaries onto the User's Desktop, one must create a clean spotless message which slips through any spam filter. Here's an example Virus Found email to the admin using amavis-0.2.4 and clamav-0.90.2-3:

From anonymous@stokkie.net Fri May 25 04:53:58 2007
Return-Path: 
Delivered-To: stock@stokkie.net
Received: (qmail 8774 invoked by alias); 25 May 2007 04:53:58 -0000
Delivered-To: virusalert@stokkie.net
Received: (qmail 8691 invoked by alias); 25 May 2007 04:53:58 -0000
Date: 25 May 2007 04:53:58 -0000
Message-ID: <20070525045358.8690.qmail@stokkie.net>
From: postmaster@stokkie.net
To: virusalert@stokkie.net
Subject: FOUND VIRUS IN MAIL from jmr@crashrecovery.org to jmr@crashrecovery.org
X-AntiVirus: scanned for viruses by AMaViS 0.2.4 (ftp://crashrecovery.org/pub/linux/amavis/)
X-AntiVirus: scanned for viruses by AMaViS 0.2.4 (ftp://crashrecovery.org/pub/linux/amavis/)
X-DSPAM-Result: Innocent
X-DSPAM-Processed: Fri May 25 06:54:00 2007
X-DSPAM-Confidence: 0.9997
X-DSPAM-Probability: 0.0000
X-DSPAM-Signature: 46566be888621804284693
X-DSPAM-Factors: 27,
	Delivered-To*virusalert, 0.00010,
	0+ClamAV, 0.00010,
	0+F, 0.00010,
	scanstatus0, 0.00010,
	rw+1, 0.00010,
	rw+1, 0.00010,
	dot+forward, 0.00010,
	dot+forward, 0.00010,
	old+scanstatus2, 0.00010,
	To*virusalert+stokkie, 0.00010,
	preline, 0.00010,
	preline, 0.00010,
	scanstatus2, 0.00010,
	Scan+4, 0.00010,
	xxxxxxxxxxxxxxxxxxFri+May, 0.00010,
	Sweep, 0.00010,
	CyberSoft, 0.00010,
	inocucmd, 0.00010,
	KasperskyLab, 0.00010,
	KasperskyLab, 0.00010,
	clamdscan, 0.00010,
	KasperskyLab+AVPDaemonClient, 0.00010,
	Subject*FOUND+VIRUS, 0.00010,
	SFX, 0.00010,
	SFX, 0.00010,
	0+Sophos, 0.00010,
	forward+forward, 0.00010
Status: RO
X-Status: 
X-Keywords:

The attached mail has been found to contain a virus
Originally bin/qmail-local -- alias /var/qmail/alias jmr - 
jmr crashrecovery.org jmr@crashrecovery.org |dot-forward .forward
|preline procmail
The mail has been stored as /var/virusmails/alias/virus-20070525-8394
xxxxxxxxxxxxxxxxxxFri May 25 06:53:56 CEST 2007xxxxxxxxxxxxxxxxxxxxxxx
qmail-local (0.2.4) called -- alias /var/qmail/alias jmr -
jmr crashrecovery.org jmr@crashrecovery.org |dot-forward .forward
|preline procmail
FROM: jmr@crashrecovery.org
TO: jmr@crashrecovery.org
maxlevel: 0
Unziping new_price25-May-2007.zip
Unziping new_price25-May-2007.zip.1
maxlevel: 1
Contents of /var/tmp/qmail-local8394/unpacked
/var/tmp/qmail-local8394/unpacked:
total 100
drwx------    3 alias    nofiles      4096 May 25 06:53 .
drwx------    3 alias    nofiles      4096 May 25 06:53 ..
drwx------    2 alias    nofiles      4096 May 25 06:53 SFX
-rw-------    1 alias    nofiles        37 May 25 06:53 mm.JE2lUN
-rw-------    1 alias    nofiles        36 May 25 06:53 new_price25-May-2007.zip.desc
-rw-------    1 alias    nofiles     40565 Sep 25  2004 y8481.0.exe
-rw-------    1 alias    nofiles     40565 Sep 25  2004 y8498.0.exe

/var/tmp/qmail-local8394/unpacked/SFX:
total 8
drwx------    2 alias    nofiles      4096 May 25 06:53 .
drwx------    3 alias    nofiles      4096 May 25 06:53 ..
/var/tmp/qmail-local8394/unpacked/SFX: OK
/var/tmp/qmail-local8394/unpacked/mm.JE2lUN: OK
/var/tmp/qmail-local8394/unpacked/new_price25-May-2007.zip.desc: OK
/var/tmp/qmail-local8394/unpacked/y8481.0.exe: Worm.Bagle.GV FOUND
/var/tmp/qmail-local8394/unpacked/y8498.0.exe: Worm.Bagle.GV FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
Time: 0.078 sec (0 m 0 s)
H+BEDV AntiVir scanstatus0 is: 0
Mcafee scanstatus1 is: 0
Dr. Solomon (old) scanstatus2 is: 0
Dr. Solomon (new) scanstatus3 is: 0
Sophos Sweep scanstatus4 is: 0
NAI Virus Scan 4.x scanstatus5 is: 0
KasperskyLab AVP scanstatus6 is: 0
KasperskyLab AVPDaemonClient scantatus7 is: 0
F-Secure Antivirus scanstatus8 is: 0
Trend Micro FileScanner scanstatus9 is: 0
CyberSoft vfind scanstatus10 is: 0
CAI InoculateIT (inocucmd) scanstatus11 is: 0
ClamAV 0.90.2 (clamdscan) scanstatus12 is: 1

Virus FOUND Sent notification to virusalert


!DSPAM:46566be888621804284693!
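The two scan transcripts above (the clamdscan run on the quarantined file and the per-scanner "scanstatusN is:" lines in the notification mail) are plain text that a mail gateway has to turn into a quarantine/deliver decision. The following parser is an added example written for this page; it is not code from amavis-0.2.4 or from ClamAV. It assumes only the line shapes visible in the post ("path: SIGNATURE FOUND", "path: OK", "Infected files: N", "<scanner> scanstatusN is: <code>"), tolerates the "scantatus7" spelling that appears in the log, and cross-checks the SCAN SUMMARY count against the FOUND lines so that a truncated or partially captured scan is reported as an error rather than silently treated as clean. The sample inputs are constructed, modelled on the output shown in the post.

```python
"""Parse clamdscan / amavis-0.2.4 style scan output into a structured verdict.

Added example for this page, not amavis or ClamAV code. Line formats are
taken from the transcripts in the post; anything else is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "path: Worm.Bagle.GV FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# "path: OK"
OK_RE = re.compile(r"^(?P<path>.+?): OK$")
# "Infected files: 2"  (from the SCAN SUMMARY block)
INFECTED_RE = re.compile(r"^Infected files: (?P<n>\d+)$")
# "ClamAV 0.90.2 (clamdscan) scanstatus12 is: 1"; the [a-z]+ also accepts
# the "scantatus7" spelling that amavis-0.2.4 prints for the AVP daemon line.
STATUS_RE = re.compile(r"^(?P<scanner>.+?) scan[a-z]+(?P<idx>\d+) is: (?P<code>\d+)$")


@dataclass
class ScanReport:
    infected: Dict[str, str] = field(default_factory=dict)   # path -> signature
    clean: List[str] = field(default_factory=list)
    summary_count: Optional[int] = None                       # from SCAN SUMMARY
    scanner_status: Dict[str, int] = field(default_factory=dict)  # scanner -> code

    def consistent(self) -> bool:
        """True when the SCAN SUMMARY count matches the FOUND lines actually seen."""
        return self.summary_count is not None and self.summary_count == len(self.infected)

    def verdict(self) -> str:
        """quarantine if anything was detected, error if the scan never finished."""
        if self.infected:
            return "quarantine"
        if self.summary_count is None:
            return "error"      # no summary block: clamd output was cut off
        return "deliver"


def parse_scan_output(text: str) -> ScanReport:
    """Walk the transcript line by line; unrelated lines (ls -l listing,
    'Unziping ...', 'Time: ...') are ignored."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FOUND_RE.match(line)):
            report.infected[m["path"]] = m["sig"]
        elif (m := OK_RE.match(line)):
            report.clean.append(m["path"])
        elif (m := INFECTED_RE.match(line)):
            report.summary_count = int(m["n"])
        elif (m := STATUS_RE.match(line)):
            report.scanner_status[m["scanner"]] = int(m["code"])
    return report


# Constructed sample, modelled on the notification mail in the post.
INFECTED_SAMPLE = """\
Unziping new_price25-May-2007.zip
drwx------    2 alias    nofiles      4096 May 25 06:53 SFX
/var/tmp/qmail-local8394/unpacked/SFX: OK
/var/tmp/qmail-local8394/unpacked/mm.JE2lUN: OK
/var/tmp/qmail-local8394/unpacked/new_price25-May-2007.zip.desc: OK
/var/tmp/qmail-local8394/unpacked/y8481.0.exe: Worm.Bagle.GV FOUND
/var/tmp/qmail-local8394/unpacked/y8498.0.exe: Worm.Bagle.GV FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
Time: 0.078 sec (0 m 0 s)
Mcafee scanstatus1 is: 0
KasperskyLab AVPDaemonClient scantatus7 is: 0
ClamAV 0.90.2 (clamdscan) scanstatus12 is: 1
"""

# Constructed: a clean scan of one attachment.
CLEAN_SAMPLE = """\
/var/tmp/qmail-local1/unpacked/report.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.010 sec (0 m 0 s)
"""

# Constructed: output cut off before the summary (e.g. clamd died mid-scan).
TRUNCATED_SAMPLE = "/var/tmp/qmail-local2/unpacked/a.doc: OK\n"


if __name__ == "__main__":
    for name, sample in (("infected", INFECTED_SAMPLE), ("clean", CLEAN_SAMPLE),
                         ("truncated", TRUNCATED_SAMPLE)):
        r = parse_scan_output(sample)
        print(f"{name}: verdict={r.verdict()} consistent={r.consistent()} "
              f"infected={sorted(r.infected.values())}")
```

The point of `consistent()` is the check a gateway should make before trusting a "clean" result: clamdscan reports the total in its SCAN SUMMARY, and if that block is missing or disagrees with the FOUND lines, the scan did not complete and the message should be held rather than delivered.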