
Re: [opensuse-security] How capable is ClamAV?




On 2014-09-15 14:06, Anton Aylward wrote:
> On 09/14/2014 11:53 AM, Carlos E. R. wrote:
>> On 2014-09-14 17:18, pinguin74 wrote:
>>>> What is your opinion about the strength of ClamAV?
>> Now and then I receive malware in email it does not detect.
>> Sometimes Avira does. And other times it is the other way round.
> 
> I'm curious as to what that malware might be? Was it something that
> was Windows-specific or might it have some effect on Linux?

So far, Windows-specific, and very little.

My amavis simply bans any exe file in attachments, even inside zips,
and they are apparently not scanned then by the antivirus. I see I get
some of them.

Mail positives detected by the antivirus itself are scarce, none this
year unless I goofed somewhere (I have to check).

Otherwise, I got:

    Email.Trojan-277
    virus Email.Trojan-277
    Email.Trojan-303, Trojan.Spy.Zbot-566
    Email.Trojan-280, Suspect.Trojan.Generic.FD-1
    Email.Trojan-280, BC.Heuristic.Trojan.SusPacked.BF-6.B
    BC.Heuristic.Trojan.SusPacked.BF-6.A


Amavis does not, afaik, create a log of the malware that it filters.
What, from, to, date, subject, would be nice.


And, by the way, Avira antivir has moved out of the Linux business, so
the only free antivirus that I know in Linux that still works is clamav.


My "banned" mail folder contains entries now and then with zip
archives, that I guess might contain PDFs or DOCs. I would have to
manually look inside. Let me see...

Invoice_8990040.zip  -->  Invoice_24042014.scr
        PE32 executable (GUI) Intel 80386, for MS Windows
        clamscan  --> clean.

VoiceMail.zip --> VOICE347-643-6325.scr
        PE32 executable (GUI) Intel 80386, for MS Windows
        clamscan  --> clean.

invoice 7941461.zip  --> invoice 8820122/invoice 8820122.exe
        PE32 executable (GUI) Intel 80386, for MS Windows
        clamscan, antivir  --> clean.


So you see, clamav in those cases would have been totally useless, 3
of 3. It is amavis which bans them simply because they are
executable... Most claim to be a document, but they are runnable files
inside zips. I don't see a .doc file, but then I have not opened all zips.

If I got those emails in Windows, and I were using clamav or avira, I
could be hosed... except that I do not click to open unrequested zips.

-- 
Cheers / Saludos,

		Carlos E. R.
		(from 13.1 x86_64 "Bottle" at Telcontar)
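The check Carlos describes amavis doing (banning executables inside zip attachments, regardless of what the name claims) as an added example in Python. This is not amavis's own code nor anything from the post; the zip and its entry names are constructed here, modelled on the attachments listed above, and the PE bytes are only a header stub, not a program.

```python
import io
import os
import zipfile

# Extensions treated as executable even when the mail calls it an "invoice".
BANNED_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}


def is_pe_executable(data: bytes) -> bool:
    """True if the bytes carry a Windows PE header: 'MZ' stub plus the
    'PE\\0\\0' signature at the offset stored at 0x3c (not just 'MZ')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def banned_entries(zip_bytes: bytes) -> list:
    """Names of zip entries to ban: banned extension OR PE content,
    so a .pdf that is really an executable is caught as well."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            head = zf.open(info).read(0x200)  # the header decides, no need for the whole file
            if ext in BANNED_EXT or is_pe_executable(head):
                hits.append(info.filename)
    return hits


def fake_pe() -> bytes:
    """Constructed PE header stub: 'MZ', e_lfanew -> 0x40, 'PE\\0\\0', padding."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS stub up to offset 0x3c
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew points at the PE signature
    hdr += b"PE\x00\x00" + b"\x00" * 0x100
    return bytes(hdr)


def build_sample() -> bytes:
    """Constructed attachment in the style of the thread: executables
    posing as invoices, plus one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice 8820122/invoice 8820122.exe", fake_pe())
        zf.writestr("Invoice_24042014.pdf", fake_pe())  # document name, PE content
        zf.writestr("README.txt", b"plain text, nothing to ban\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(banned_entries(build_sample()))
```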