[clamav-users] clamav-0.98.3 does not pass vulnerability scan

anctop at gmail.com anctop at gmail.com
Sun May 25 03:37:53 UTC 2014


Thank you for your info.

I am apt to conclude this as a "false positive", but clamav-0.98.1 does not 
yield "high threat" warnings under the same scan conditions:

> NVT:    SMTP antivirus scanner DoS
> OID:    1.3.6.1.4.1.25623.1.0.11036
> Threat: Log (CVSS: 7.2)
> Port:   smtp (25/tcp)
>         submission (587/tcp)
>
> For some reason, we could not send the 42.zip file to this MTA
>
> Vulnerability Detection Method:
> Details:
> SMTP antivirus scanner DoS
> (OID: 1.3.6.1.4.1.25623.1.0.11036)

I wish some expert could account for this difference before the "false 
positive" conclusion.


On Sat, 24 May 2014, Greg Folkert wrote:

> If this is like other "assumption based" Vulnerability scanning engines
> (Rapid7 and Nessus and others)...
>
> This is a return that is classified as a False Positive. Since you've
> proven that it isn't doing what it thinks it is doing.
>
> If your scanner works as expected and not as described, then you can
> file a false positive determination with your scanning vendor.
>
> On Sat, 2014-05-24 at 21:42 +0800, anctop at gmail.com wrote:
>> Yes. After each modification, I ran "killall -HUP -e clamd" to restart clamd.
>>
>> The scan report reads :
>>
>>> NVT:    SMTP antivirus scanner DoS
>>> OID:    1.3.6.1.4.1.25623.1.0.11036
>>> Threat: High (CVSS: 7.2)
>>> Port:   smtp (25/tcp)
>>>         submission (587/tcp)
>>>
>>> The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it
>>> might have crashed. Please check its status right now, as it is
>>> not possible to do so remotely
>>>
>>> Vulnerability Detection Method:
>>> Details:
>>> SMTP antivirus scanner DoS
>>> (OID: 1.3.6.1.4.1.25623.1.0.11036)
>>
>> but both clamav-milter and clamd were still working well.
>>
>>
>> On Fri, 23 May 2014, Matus UHLAR - fantomas wrote:
>>
>>> On 23.05.14 11:50, anctop wrote:
>>>> I've tried to change the value of "MaxRecursion" in clamd.conf to 4
>>>> and 44 respectively, but both experiments yield the same result.
>>>
>>> Did you reload/restart clamd afterwards? What was the result?
>>>
>>>> Can it be a problem with the MTA ?
>>>
>>> I can't tell you without the information above
>>> --
>>> Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>>> Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
>
> -- 
> greg folkert - systems administration and support
> web:    donor.com
> email:  greg at donor.com
> phone:  877-751-3300 x416
> direct: 616-328-6449 (direct dial and fax)
> "All sweeping assertions are erroneous."
>    -- Letitia Elizabeth Landon
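
The scan report quoted in this thread asks for the antivirus status to be checked locally after 42.zip has been sent. One way to do that, as an added example that is not part of the original thread, is to send clamd its PING command over the daemon's local socket and expect PONG. The socket path below is an assumption; use the LocalSocket value from your own clamd.conf.

```python
import socket

# Assumed path: take the real one from the LocalSocket line in clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


def clamd_command(sock, command, timeout=5.0):
    """Send one NUL-delimited ('z'-prefixed) clamd command and return the reply text."""
    sock.settimeout(timeout)
    sock.sendall(b"z" + command.encode("ascii") + b"\0")
    reply = bytearray()
    while not reply.endswith(b"\0"):
        chunk = sock.recv(4096)
        if not chunk:  # daemon closed the connection before finishing the reply
            break
        reply += chunk
    return reply.rstrip(b"\0").decode("ascii", "replace")


def clamd_is_alive(sock):
    """True only if clamd answers PING with PONG within the timeout."""
    try:
        return clamd_command(sock, "PING") == "PONG"
    except OSError:  # timeout, connection reset, broken pipe
        return False


def connect_clamd(path=CLAMD_SOCKET):
    """Open a connection to clamd's local (Unix domain) socket."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(path)
    return sock


if __name__ == "__main__":
    try:
        conn = connect_clamd()
    except OSError as exc:
        # A missing or refusing socket means clamd is not running.
        print(f"clamd not reachable on {CLAMD_SOCKET}: {exc}")
    else:
        with conn:
            print("clamd alive" if clamd_is_alive(conn) else "clamd not responding")
```

Run it on the mail host right after the scan finishes; a daemon that is hung while unpacking an archive will fail the check through the timeout rather than through a refused connection.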


