[clamav-users] clamav-0.98.3 does not pass vulnerability scan
anctop
anctop at gmail.com
Mon May 26 07:56:32 UTC 2014
I've synchronized all the feeds (NVT, SCAP, CERT) to ensure that the
scan conditions are identical.
Firstly, with clamav-0.98.3, the same "high threat" was reported:
> NVT: SMTP antivirus scanner DoS
> OID: 1.3.6.1.4.1.25623.1.0.11036
> Threat: High (CVSS: 7.2)
> Port: smtp (25/tcp)
>
> The file 42.zip was sent 2 times. If there is an antivirus in your MTA, it might
> have crashed. Please check its status right now, as it is
> not possible to do so remotely
>
> Vulnerability Detection Method:
> Details:
> SMTP antivirus scanner DoS
> (OID: 1.3.6.1.4.1.25623.1.0.11036)
The postmaster account got 2 messages, with subject lines "OpenVAS
antivirus DoS 1: base64 attachment" and "OpenVAS antivirus DoS 2:
uuencoded attachment", each with a copy of "42.zip" attached, plus 1
message with subject line "OpenVAS test - ignore it". The clamd.log
file remained clean.
Then I reverted to clamav-0.98.1 and only a "Log threat" was reported:
> NVT: SMTP antivirus scanner DoS
> OID: 1.3.6.1.4.1.25623.1.0.11036
> Threat: Log (CVSS: 7.2)
> Port: smtp (25/tcp)
>
> For some reason, we could not send the 42.zip file to this MTA
>
> Vulnerability Detection Method:
> Details:
> SMTP antivirus scanner DoS
> (OID: 1.3.6.1.4.1.25623.1.0.11036)
The postmaster account got only 1 message with subject line "OpenVAS
test - ignore it", but the clamd.log file reported 2 alerts:
> fd[10]: Trojan.ArcBomb-1 FOUND
> fd[10]: Trojan.ArcBomb-1 FOUND
It seems that the difference was because clamav-0.98.3 failed to
detect the "Trojan.ArcBomb-1".
If this is the real cause, then the case is not a "false positive",
but some definition is missing in clamav-0.98.3.
On 25/05/2014, Greg Folkert <greg at donor.com> wrote:
> On Sun, 2014-05-25 at 11:37 +0800, anctop at gmail.com wrote:
>> Thank you for your info.
>>
>> I do opt to conclude this as a "false positive", but clamav-0.98.1 does
>> not yield "high threat" warnings under the same scan conditions :
>
> And you back-rev'd and installed 0.98.1 and rescanned. I'm wondering if
> the scanner updated its rules or signatures or plugin used to detect.
>
> Sometimes they get a bit overzealous in changes and step over the
> line... especially with CVSS of 7 or higher. It is worth looking to
> figure out when the plugin was updated.
>
>> > NVT: SMTP antivirus scanner DoS
>> > OID: 1.3.6.1.4.1.25623.1.0.11036
>> > Threat: Log (CVSS: 7.2)
>> > Port: smtp (25/tcp)
>> > submission (587/tcp)
>> >
>> > For some reason, we could not send the 42.zip file to this MTA
>> >
>> > Vulnerability Detection Method:
>> > Details:
>> > SMTP antivirus scanner DoS
>> > (OID: 1.3.6.1.4.1.25623.1.0.11036)
>>
>> I wish some expert can account for this difference before the "false
>> positive" conclusion.
>>
>
> --
> greg folkert - systems administration and support
> web: donor.com
> email: greg at donor.com
> phone: 877-751-3300 x416
> direct: 616-328-6449 (direct dial and fax)
> "There is always the need to carry on."
> -- Marjory Stoneman Douglas
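The comparison made by hand in this thread (did the two OpenVAS probe messages reach postmaster, and did clamd.log record a FOUND for them?) can be scripted. This is an added example, not code from the thread or from ClamAV or OpenVAS; the log lines and mailbox subjects are constructed to mirror the two scenarios described above, and the clamd.log line format assumed here is the "target: SIGNATURE FOUND" form with an optional timestamp prefix.

```python
import re
from collections import Counter

# Matches clamd.log detection lines such as "fd[10]: Trojan.ArcBomb-1 FOUND",
# with or without a leading "Mon May 26 07:30:01 2014 -> " timestamp (assumed format).
FOUND_RE = re.compile(r"(?:^.*?-> )?(?P<target>.+?): (?P<sig>\S+) FOUND\s*$")

# Subject lines the OpenVAS NVT uses for its two attachment probes (from the thread).
DOS_SUBJECTS = (
    "OpenVAS antivirus DoS 1: base64 attachment",
    "OpenVAS antivirus DoS 2: uuencoded attachment",
)

def found_signatures(log_text):
    """Count 'SIGNATURE FOUND' entries in clamd.log text, keyed by signature name."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("sig")] += 1
    return hits

def verdict(mailbox_subjects, log_text):
    """Classify the antivirus DoS probe from the postmaster mailbox and clamd.log.

    delivered: a probe message reached postmaster, so the AV let it through
    blocked:   no probe arrived and clamd logged detections
    unknown:   no probe arrived and clamd logged nothing (e.g. the scanner could not send)
    """
    hits = found_signatures(log_text)
    delivered = [s for s in DOS_SUBJECTS if s in mailbox_subjects]
    if delivered:
        return "delivered", delivered
    if hits:
        return "blocked", dict(hits)
    return "unknown", {}

# Constructed scenario A (as reported for clamav-0.98.3): both probes delivered, clean log.
MAILBOX_A = ["OpenVAS antivirus DoS 1: base64 attachment",
             "OpenVAS antivirus DoS 2: uuencoded attachment",
             "OpenVAS test - ignore it"]
CLAMD_LOG_A = "Mon May 26 07:30:05 2014 -> fd[11]: OK\n"

# Constructed scenario B (as reported for clamav-0.98.1): probes absent, two detections.
MAILBOX_B = ["OpenVAS test - ignore it"]
CLAMD_LOG_B = ("Mon May 26 07:30:01 2014 -> fd[10]: Trojan.ArcBomb-1 FOUND\n"
               "Mon May 26 07:30:02 2014 -> fd[10]: Trojan.ArcBomb-1 FOUND\n")

if __name__ == "__main__":
    for name, box, log in (("A", MAILBOX_A, CLAMD_LOG_A), ("B", MAILBOX_B, CLAMD_LOG_B)):
        print(name, *verdict(box, log))
```

Against a live system, feed it the subjects from the postmaster mailbox and the contents of clamd.log for the scan window; a "delivered" verdict is the local confirmation the scanner itself cannot obtain remotely.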