-----Original Message-----
From: Don Parris [mailto:dcparris@earthlink.net]
Sent: 10 March 2004 18:11
To: suse-security@suse.com
Subject: Re: AW: [suse-security] NAI on unix do not find actual virus
On Wed, 10 Mar 2004 12:53:31 +0100 "Mrvka Andreas" wrote:
-----Original Message-----
From: Tom Knight [mailto:thomas.knight@ahds.ac.uk]
Sent: Wednesday, 10 March 2004 12:34
-----Original Message-----
From: GarUlbricht7@netscape.net [mailto:GarUlbricht7@netscape.net]
Sent: 10 March 2004 07:49
"Mrvka Andreas" wrote:
hi,
i use the NAI product for my SuSE Linux 9 distribution. VirusScan for Unix: with actual engine and Dat file...
----<text snipped>---
i copied the exe file out of the zip file and ran the uvscan but nevertheless i was unsuccessful :-(
And you are unhappy ???
yes, i AM unhappy! for a mailserver virus scanning it's so nice, to let viruses go through...
My father has a saying:
"Don't go looking for trouble, it will find you soon enough."
Unless you have a test environment that is off the web, please don't go opening up strange files...
Indeed.
Looking at this again, you probably want to test using the eicar test file, http://www.eicar.org/anti_virus_test_file.htm. It's a harmless text file that all AV software detect as a virus.
No I won't send it to you - my mail server probably wouldn't let it through!
i know this virus. in fact, my virus scan detects all viruses except this one which is in a password protected zip file.
NAI's product based on microsoft servers can detect him.
I try to ask NAI directly, as i read here...
Tom.
thanks, Andrew
Is it not well known that the virus scanners are not able to detect this virus precisely because it is in a password protected zip file? The Virus SWAT team at my job posed this very issue when announcing the virus to employees. The team instructed employees to delete the e-mail, or forward it to the team for analysis. The password is supposed to be included in the body of the e-mail, which you're supposed to open yourself so the virus can then do its thing. The whole purpose, I gather, for putting the virus in the zip file was to avoid detection by the scanners. I was not aware that NAI had the ability to detect the virus on Windows servers.
Has anyone here tried the possible method I mentioned in an earlier post? "Okay, how to get round this? Possibly tell your scanner to reject .zip files containing files with extension .exe+. .com+ etc etc. I haven't actually received a single one of these .zip files, but the above tip was one I saw on the NTBugTraq list which apparently works with Norton Anti-Virus for Exchange V2.1. I imagine amavis/clamAV would be able to be configured this way." Tom.
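
The filename-based rejection suggested in the last message works even on password protected archives, because traditional zip encryption protects only the file data and leaves the entry names in the central directory readable. The sketch below is an added example, not code from anyone in this thread or from any scanner product; the function names, the extension list beyond .exe and .com, and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# .exe and .com come from the thread; .scr and .pif are an assumed policy addition.
BLOCKED_EXT = (".exe", ".com", ".scr", ".pif")
ENCRYPTED = 0x1  # general purpose flag bit 0: entry data is encrypted


def inspect_attachment(data):
    """Return (verdict, reasons) for a zip attachment passed as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "reject", ["not a readable zip archive"]
    reasons = []
    with zf:
        for info in zf.infolist():  # reads names only, no password needed
            # Trailing dots/spaces are dropped by Windows, so ignore them here.
            name = info.filename.lower().rstrip(". ")
            if name.endswith(BLOCKED_EXT):
                kind = "encrypted " if info.flag_bits & ENCRYPTED else ""
                reasons.append(f"{kind}executable entry: {info.filename}")
    return ("reject" if reasons else "accept"), reasons


def make_sample(names, encrypted=False):
    """Constructed test input: a stored zip, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in names:
            zf.writestr(n, b"placeholder")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Set the encrypted bit in each central directory header (flags at +8).
        pos = raw.find(b"PK\x01\x02")
        while pos != -1:
            raw[pos + 8] |= ENCRYPTED
            pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in [("flagged", make_sample(["message.exe"], True)),
                        ("plain", make_sample(["notes.txt"]))]:
        print(label, inspect_attachment(blob))
```

The check never opens an entry, so it does not depend on the password in the message body; a mail filter would call it on each zip attachment and act on the verdict.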