clamav-users August 2009 archive

[Clamav-users] Clamd not detecting eicar string with Telnet interface

From: M Rajesh-B22236 <rajesh.madabushi_at_nospam>
Date: Thu Aug 06 2009 - 08:15:41 GMT
To: <clamav-users@lists.clamav.net>


I am not sure whether my previous response reached the mailing list or not, so I am replying again.

Thank you, Edwin, for the very quick response.

Sorry, I forgot to paste the following header in my last query.

Content-Type: multipart/mixed; boundary="=-E6uObbGoQ4lkg+aYaH2/"

Actually, I was sending the above header as part of the virus scan to clamd.
Even with the 'Content-Type' header, clamd is not detecting the Eicar. Moreover, I am able to open the Eicar string attachment in the mail client, which means the virus mail got opened up in the email client; it is a problem.

One observation is that with the addition of the 'From:' header, clamd detected the Eicar string.
Eicar also got detected with 'Subject:' header contents; that is, if I just add some data to the subject portion and send the above data (with or without From:), the Eicar string got detected.

It appears clamd is expecting some SMTP message headers as part of the email data portion. If the headers are not proper, clamd is sending the virus mail as clean mail instead of returning an error. It creates a problem, a chance for evasion; we need to protect against it.

Please comment.

Thanks,
Rajesh
-----Original Message-----
From: clamav-users-bounces@lists.clamav.net [mailto:clamav-users-bounces@lists.clamav.net] On Behalf Of clamav-users-request@lists.clamav.net
Sent: Sunday, August 02, 2009 3:30 PM
To: clamav-users@lists.clamav.net
Subject: clamav-users Digest, Vol 59, Issue 2


Today's Topics:

  1. Re: Clamd not detecting eicar string with Telnet interface (Török Edwin)

Message: 1
Date: Sat, 01 Aug 2009 13:00:59 +0300
From: Török Edwin <edwintorok@gmail.com>
Subject: Re: [Clamav-users] Clamd not detecting eicar string with Telnet interface
To: ClamAV users ML <clamav-users@lists.clamav.net>
Message-ID: <4A74125B.7090609@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 2009-08-01 10:50, M Rajesh-B22236 wrote:
> CLAM AV version we used is 0.94.2
>
> I used Telnet client to send a mail with Eicar string in a file as
> attachment.
>
> Expecting clamd to detect it as virus mail, but instead it returned as
> clean mail.
>
> This is working fine with any email client; the problem is coming by using
> the Telnet interface only.
>
> Following is the data that is sent to clamd for scanning:
>

This is not an email; what email client opens it and displays the attachment properly?

> Subject:
>

You are missing some headers here:
From
Content-Type: multipart/mixed; boundary="=-E6uObbGoQ4lkg+aYaH2/"

If you add those, then clamav detects eicar, I don't see a problem here.

> --=-E6uObbGoQ4lkg+aYaH2/
> Content-Type: text/plain
> Content-Transfer-Encoding: 7bit
>
>
> --=-E6uObbGoQ4lkg+aYaH2/
> Content-Disposition: attachment; filename=eicar.com
> Content-Type: text/plain; name=eicar.com; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>
> --=-E6uObbGoQ4lkg+aYaH2/--
>
> .
>
> Can anyone suggest a reason for the above problem?
>
> One guess is that SMTP clients will also send SMTP message headers like
> From, To, Content-Type, Message-Id, Mime-Version, etc. as part of the data, and
> the same is not the case for Telnet.
>

Does your mail server even accept the above mail? Which mail server is it?

> But I think clamd should return an error in case of any failure of SMTP
> header parsing instead of sending it as clean mail.
>

That would lead to many false positives; not all emails follow the RFC standard.

Best regards,
--Edwin
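As an added example (not code from this thread or from the ClamAV project), the following Python script builds a message carrying the headers Edwin lists (From and a multipart/mixed Content-Type with a boundary), checks a message for those headers before it is handed to clamd so that a bare 'Subject:'-only message is not trusted to a clean verdict, and frames the message for clamd's INSTREAM command. It assumes a clamd TCP listener on 127.0.0.1:3310 and a clamd release that supports INSTREAM (0.95 and later, so newer than the 0.94.2 in the thread); the addresses are constructed.

```python
import socket
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

# EICAR test string quoted in the thread: a harmless, standard AV test file.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_mail() -> bytes:
    """Well-formed message (From, To, Subject, MIME-Version, multipart/mixed with
    a boundary) carrying eicar.com as an attachment, as Edwin's reply requires."""
    msg = EmailMessage()
    msg["From"] = "scan-check@example.invalid"  # constructed addresses
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "clamd attachment scan check"
    msg.set_content("EICAR attachment scan check.\n")
    msg.add_attachment(EICAR, subtype="plain", filename="eicar.com")
    return msg.as_bytes()


def missing_headers(raw: bytes) -> list:
    """Pre-submission check: report which of the headers the thread found
    necessary for clamd's mail parser are absent from the raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    problems = []
    if msg["From"] is None:
        problems.append("From")
    if msg.get_content_maintype() != "multipart" or msg.get_boundary() is None:
        problems.append("Content-Type multipart/* with boundary")
    return problems


def instream_frames(data: bytes, chunk: int = 8192) -> list:
    """Frame data for clamd's INSTREAM command: the command, then
    <4-byte big-endian length><bytes> chunks, then a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames.append(struct.pack(">I", len(part)) + part)
    frames.append(struct.pack(">I", 0))
    return frames


def scan_with_clamd(raw: bytes, host: str = "127.0.0.1", port: int = 3310) -> str:
    """Send the message to a clamd TCP listener (assumed at host:port) and
    return its reply line, e.g. 'stream: Eicar-Test-Signature FOUND'."""
    with socket.create_connection((host, port), timeout=30) as s:
        for frame in instream_frames(raw):
            s.sendall(frame)
        return s.recv(4096).decode(errors="replace").strip()
```

Run `missing_headers` on the exact bytes you are about to stream, not on the message as your client displays it, since the thread shows that what reaches clamd over the raw TCP interface can differ from what a mail client would send.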