[clamav-users] ClamAV+exim: scanner finds not a single malware

Groach groachmail-stopspammingme at yahoo.com
Sat May 28 17:01:22 EDT 2016


On 28/05/2016 20:06, Dennis Peterson wrote:
> Trying to get useful information from your posts - would it be 
> possible to show the official and unofficial signatures that returned 
> positive detection?
>
> dp
>


No problem.

Here are the scan results from the log (remember I have already given 
you a list of the files being scanned earlier):

CLAMAV only:

Scan Started Sat May 28 17:06:36 2016
-------------------------------------------------------------------------------


D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\eicar.com: Eicar-Test-Signature FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\Incident_6256120.zip: Win.Trojan.Generickd-494 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\PORDER.7z: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\PORDER.DOC: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\Purchase Order 0000035394.7z: Win.Trojan.Downloader-66488 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\[SPAM] [5.2] Missed package delivery.eml: Win.Trojan.Generickd-2728 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\Ar01_Annual_Return.zip: Win.Trojan.Generickd-513 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\contention_111924953056769_6STQZ57.exe: Win.Trojan.Dalexis-23 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\contention_111924953056769_6STQZ57.rar: Win.Trojan.Dalexis-23 FOUND
D:\DecroData\ACCESS tests\VIRUSES-take_care_DO_NOT_RUN\VirusTestFolder\contention_111924953056769_6STQZ57.txt: Win.Trojan.Dalexis-23 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4397481
Engine version: 0.99.1
Scanned directories: 0
Scanned files: 24
Infected files: 10
Data scanned: 5.27 MB
Data read: 1.48 MB (ratio 3.57:1)
Time: 15.429 sec (0 m 15 s)




with SANE defs:

Scan Started Sat May 28 17:13:36 2016
-------------------------------------------------------------------------------


D:\DecroData\ACCESS tests\VirusTestFolder\4_218_66.dot: Sanesecurity.Rogue.0hr.20160526-1142.MacroImg.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\6615166920.doc: Sanesecurity.Badmacro.Doc.shellv.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\7193113168.doc: Sanesecurity.Badmacro.Doc.shellv.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Ar01_Annual_Return.zip: Win.Trojan.Generickd-513 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Asia_Cn domain name & Internet Keyword.eml: Sanesecurity.Junk.12090.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\contention_111924953056769_6STQZ57.exe: Sanesecurity.Malware.ExeHeur.24328.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\contention_111924953056769_6STQZ57.rar: Sanesecurity.Malware.ExeHeur.24328.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\contention_111924953056769_6STQZ57.txt: Sanesecurity.Malware.ExeHeur.24328.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\eicar.com: Eicar-Test-Signature FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Incident_6256120.zip: Sanesecurity.Foxhole.Zip_scr.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Inflame your impulse to maximum_POP.eml: Sanesecurity.Jurlbl.cbc8b5.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\invoice_copy_20162743.zip: Sanesecurity.Foxhole.Zip_fs211.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\NA8T3OCYI2W8.doc: Sanesecurity.Badmacro.Doc.badps1.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\New Monthly estatement is ready - MBNA.eml: Sanesecurity.Jurlbl.5c480f.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\New Purchase Order for CTY TM PHUC LOC TNHH.eml: Sanesecurity.Malware.25166.AceHeur.Exe.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\order_20140930_56311643656.zip: Sanesecurity.Foxhole.Zip_Exenum.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\PORDER.7z: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\PORDER.DOC: Doc.Trojan.Locky-1 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Purchase Order 0000035394.7z: Sanesecurity.Badmacro.Doc.shellv3.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\Remittance Advisory Email.eml: Sanesecurity.Malware.25157.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\SPAM filter not applied     (  Fwd  BUY CILAIS & VIGARA -73% Discount! 1 day shipping!).eml: Sanesecurity.Junk.31186.UNOFFICIAL FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\[SPAM] [5.2] Missed package delivery.eml: Win.Trojan.Generickd-2728 FOUND
D:\DecroData\ACCESS tests\VirusTestFolder\[SPAM] [5.7] Remittance Advice for 407.74 GBP.eml: Sanesecurity.Malware.24631.XlsHeur.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4512349
Engine version: 0.99.1
Scanned directories: 1
Scanned files: 24
Infected files: 23
Data scanned: 3.92 MB
Data read: 1.48 MB (ratio 2.65:1)
Time: 17.206 sec (0 m 17 s)




> On 5/28/16 9:42 AM, Groach wrote:
>> They are all virus attachments (some still attached to emails, some 
>> detached from the email and simply saved as the attachment) with 
>> exception of the one 'viagra cialis....eml' which is a link to an 
>> unwanted website.
>>
>> If you want to determine how damaging, I'm quite happy to send them to 
>> you if you doubt me. (Go on....put your faith in ClamAV!)
>>
>>
>>
>> On 28/05/2016 18:29, Dennis Peterson wrote:
>>> Are these true viruses or otherwise harmful (and if so how is that 
>>> known) or does the list include messages that are unwanted junk 
>>> mail? If junk mail, which is subjective, there will always be 
>>> differences between vendor signatures because nobody agrees about 
>>> what is and is not junk mail.
>>>
>>> dp
>>>
>>> On 5/28/16 9:21 AM, Groach wrote:
>>>> In case you are wondering, and for fairness of evaluation, here are 
>>>> the files, and their dates:
>>>>
>>>
>>> _______________________________________________
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>
>
>
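Comparing the two runs posted above by signature source, as an added example that is not part of the original post or of ClamAV: it parses clamscan output, rejoins result lines that a mail client wrapped, and reports which files were flagged only once third-party definitions were loaded. The sample logs, their paths and the function names are constructed for illustration.

```python
import re
from collections import Counter

# A clamscan hit is "<path>: <signature> FOUND"; a clean file is "<path>: OK".
RESULT = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")

def parse_clamscan(log_text):
    """Return {file name: signature} for FOUND lines, rejoining results that a
    mail client wrapped across lines (runs of spaces in names are collapsed)."""
    hits, pending = {}, ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("---", "Scan Started")):
            pending = ""  # banner or separator: drop any partial line
            continue
        pending = f"{pending} {line}".strip()
        m = RESULT.match(pending)
        if m:
            if m["sig"]:  # key on file name only: the runs used different folders
                hits[re.split(r"[\\/]", m["path"])[-1]] = m["sig"]
            pending = ""
    return hits

def source(sig):
    """ClamAV appends .UNOFFICIAL to names from third-party databases."""
    return "unofficial" if sig.endswith(".UNOFFICIAL") else "official"

def compare(base, extended):
    """Summarise what adding third-party signatures changed between two runs."""
    return {"new": sorted(set(extended) - set(base)),
            "renamed": sorted(f for f in base if extended.get(f, base[f]) != base[f]),
            "by_source": dict(Counter(source(s) for s in extended.values()))}

# Constructed sample logs in the page's format (hypothetical paths, three files).
OFFICIAL_LOG = """Scan Started Sat May 28 17:06:36 2016
D:\\Scan
tests\\A\\eicar.com:
Eicar-Test-Signature FOUND
D:\\Scan tests\\A\\Incident_6256120.zip:
Win.Trojan.Generickd-494 FOUND
D:\\Scan tests\\A\\invoice_copy_20162743.zip: OK
"""
EXTENDED_LOG = """D:\\Scan tests\\B\\eicar.com: Eicar-Test-Signature FOUND
D:\\Scan tests\\B\\Incident_6256120.zip:
Sanesecurity.Foxhole.Zip_scr.UNOFFICIAL FOUND
D:\\Scan tests\\B\\invoice_copy_20162743.zip:
Sanesecurity.Foxhole.Zip_fs211.UNOFFICIAL FOUND
"""
print(compare(parse_clamscan(OFFICIAL_LOG), parse_clamscan(EXTENDED_LOG)))
```

"renamed" lists files that both runs flagged but under different signature names, which separates a change in the reported name from a genuinely new detection.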



