How to test ClamAV
Alex Davidson
2009-02-06 04:46:22 UTC
I am running ClamAV tied into ASSP on Debian 4.

To test ClamAV I have tried using
http://www.aleph-tec.com/eicar/index.php to send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly ClamAV doesn't detect anything, yet the next-level AV
detects it just fine.

Does anyone know of any problems with ClamAV tied into ASSP?
Conversely, can anyone confirm ClamAV detecting EICAR successfully?

I've tried ASSP on Windows, Ubuntu and Debian, and in each case EICAR
fails to be detected. You have to wonder if it's the integration with
ASSP that's at fault.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Dennis Peterson
2009-02-06 05:11:43 UTC
Post by Alex Davidson
I am running ClamAV tied into ASSP on Debian 4.
To test ClamAV I have tried using
http://www.aleph-tec.com/eicar/index.php to send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly ClamAV doesn't detect anything, yet the next-level AV
detects it just fine.
What is being logged by the ClamAV software?

dp
Steve Basford
2009-02-06 13:54:14 UTC
Post by Alex Davidson
send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly ClamAV doesn't detect anything, yet the next-level AV
detects it just fine.
I tried to send the 7 tests to my main address... only 3 arrived

(the clean one, and 2 of the password-protected ones)

My ISP probably filtered out the others.

I can't see ClamAV detecting these two... (as it doesn't know the password to decode the insides)

eicarpasswd.zip (new! - zip compressed eicar.com with password)
eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

You could add a signature to detect the above.. but it would ONLY work with the above EICAR test and the SAME password.

Cheers,

Steve
Sanesecurity


Noel Jones
2009-02-06 14:51:01 UTC
Post by Steve Basford
Post by Alex Davidson
send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly ClamAV doesn't detect anything, yet the next-level AV
detects it just fine.
I tried to send the 7 tests to my main address... only 3 arrived
(the clean one, and 2 of the password-protected ones)
I received the same thing.
Post by Steve Basford
My ISP probably filtered out the others.
My ISP does no filtering; either the test messages were
blocked at the source (ISP/webhost egress filtering) or they
were never sent.

As for the encrypted files, nothing can check inside an
encrypted zip, but they can be blocked based on a file name
inside the zip, or clamd can mark all encrypted zips by
setting "ArchiveBlockEncrypted yes" in clamd.conf

At any rate, this test appears useless. Find another one.
--
Noel Jones
Alex Davidson
2009-02-06 15:45:17 UTC
Interesting...if I create a plain text email with the eicar text in
it, ClamAV detects it successfully.

Can anyone suggest another way to send myself a
non-password-protected/encrypted attachment that ClamAV might have a
chance at detecting?
It's either that or disable my workstation AV and server AV to send
one out and back in that way - kind of a pain.

Thanks!
Post by Noel Jones
Post by Steve Basford
Post by Alex Davidson
send myself EICAR test
virus strings but firstly only 3 of the 7 tests hit my mail server,
and secondly ClamAV doesn't detect anything, yet the next-level AV
detects it just fine.
I tried to send the 7 tests to my main address... only 3 arrived
(the clean one, and 2 of the password-protected ones)
I received the same thing.
Post by Steve Basford
My ISP probably filtered out the others.
My ISP does no filtering; either the test messages were
blocked at the source (ISP/webhost egress filtering) or they
were never sent.
As for the encrypted files, nothing can check inside an
encrypted zip, but they can be blocked based on a file name
inside the zip, or clamd can mark all encrypted zips by
setting "ArchiveBlockEncrypted yes" in clamd.conf
At any rate, this test appears useless. Find another one.
--
Noel Jones
Andy
2009-02-06 15:59:45 UTC
You'll need to find a nasty that your local/server AV don't detect, but
ClamAV does. Or make an exception for a file extension... rename eicar.txt
to eicar.z43 (something random) and make sure your server and local AV will
ignore that file extension.
Post by Alex Davidson
Interesting...if I create a plain text email with the eicar text in
it, ClamAV detects it successfully.
Can anyone suggest another way to send myself a
non-password-protected/encrypted attachment that ClamAV might have a
chance at detecting?
It's either that or disable my workstation AV and server AV to send
one out and back in that way - kind of a pain.
Thanks!
--
-Xinn.org
Security, and Sanity Solutions
The makers of ClearSite NMS.
Dennis Peterson
2009-02-06 16:31:07 UTC
Post by Andy
You'll need to find a nasty that your local/server AV don't detect, but
ClamAV does. Or make an exception for a file extension... rename eicar.txt
to eicar.z43 (something random) and make sure your server and local AV will
ignore that file extension.
It's not that difficult if you've properly set up the system to check
for outgoing viruses as well as incoming viruses. You need only send a
sample virus to a friend or test address. ClamAV doesn't care which way
the bug is going - it should reject it before it leaves the building.

Checking for outgoing viruses does seem to be an alien concept for some
mail admins, though.

dp
Madhuri Somavarapu
2009-02-06 18:08:36 UTC
Hi,

I installed clamav on my machine. I am using it for scanning files, not for my mail server. I want to know what kind of maintenance is needed for this software (like upgrades).

Does it scan all kind of basic document types like Microsoft products, Adobe, Txt files?

Where can I find the virus file that I can test my program with?

Thanks



d***@davidwbrown.name
2009-02-06 18:26:13 UTC
Hello, this was just discussed: http://tools.declude.com. Apparently only the first two on the pull-down menu are of any value. HTH, David.


Madhuri Somavarapu wrote ..
Post by Madhuri Somavarapu
Hi,
I installed clamav on my machine. I am using it for scanning files, not for my mail
server. I want to know what kind of maintenance is needed for this software (like
upgrades).
Does it scan all kind of basic document types like Microsoft products, Adobe, Txt files?
Where can I find the virus file that I can test my program with?
Thanks
McDonald, Dan
2009-02-06 18:38:50 UTC
Post by Madhuri Somavarapu
Hi,
I installed clamav on my machine. I am using it for scanning files, not
for my mail server. I want to know what kind of maintenance is needed for
this software (like upgrades).
Upgrades are not automatic, so watch the user list, or at least the
announce list, for information on new versions.

You should have some program verify that clamd and freshclam are
running. I have running procs reported to my xymon server, and alert if
either of those two daemons goes away, but there are plenty of ways to
do that.

If you are interested in 3rd party signatures, then there will be
significantly more maintenance. A few Google searches should get you
started on 3rd-party signatures.
Post by Madhuri Somavarapu
Does it scan all kind of basic document types like Microsoft products, Adobe, Txt files?
Yes, and many not-so-basic types. Some of that scanning needs to be
explicitly enabled - see the clamd.conf file for details.
Post by Madhuri Somavarapu
Where can I find the virus file that I can test my program with?
eicar.com
--
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com
Nigel Horne
2009-02-06 18:46:56 UTC
Post by McDonald, Dan
Post by Madhuri Somavarapu
Hi,
I installed clamav on my machine. I am using it for scanning files, not
for my mail server. I want to know what kind of maintenance is needed for
this software (like upgrades).
Upgrades are not automatic, so watch the user list, or at least the
announce list, for information on new versions.
These are indeed good places to look, but they are often "after the
fact". We pre-announce upcoming upgrades on www.clamav.net, so you
should also keep an eye out there.

-Nigel
--
Nigel Horne, ***@sourcefire.com
Director of Product Management (ClamAV), Sourcefire,
http://www.sourcefire.com
+1 301 518 7944 or +1 706 705 4022 FAX: +44 870 705 9334 ICQ: 20252325

ClamAV is a registered trademark of Sourcefire Inc.
Noel Jones
2009-02-06 16:36:10 UTC
Post by Alex Davidson
Interesting...if I create a plain text email with the eicar text in
it, ClamAV detects it successfully.
Can anyone suggest another way to send myself a
non-password-protected/encrypted attachment that ClamAV might have a
chance at detecting?
There is a test tool at http://tools.declude.com/ under the
"Virus Test" heading.
There are a bazillion options for sending the virus. The
only tests that really count are the "Plain base64 MIME
encoded" and "Zip file". Clam should detect those. The rest
appear to be mostly marketing fluff; don't be too concerned if
clam doesn't detect them.
--
Noel Jones
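Noel's two posts above name the variants that matter: a plain base64 MIME attachment and a zip should be caught, while a password-protected zip cannot be inspected by any scanner and has to be handled by policy (ArchiveBlockEncrypted). Rather than depend on a third-party web form whose messages may never leave the sender's network, the following added example builds all four variants locally. It is not code from the thread, from the aleph-tec or declude tools, or from the ClamAV project. It hand-writes the ZipCrypto archive because Python's zipfile can read but not write encrypted zips, and it round-trips each attachment so you know the corpus itself is correct before blaming the scanner. The addresses and the password `infected` are placeholders.

```python
"""Build the EICAR delivery variants a mail gateway should be tested with (added example)."""
import io
import os
import struct
import zipfile
import zlib
from email.message import EmailMessage
from email.policy import SMTP

# The 68-byte EICAR test string, assembled from two halves so a desktop scanner
# does not quarantine this source file; the runtime value is the standard string.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")


def _zipcrypto(data, password, crc):
    """Traditional PKWARE ZipCrypto: returns 12-byte header + ciphertext.
    Weak cipher, but it is what "password protected zip" tests use, and it is
    enough to hide EICAR from any scanner that does not know the password."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc32_byte(byte, crc):
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
        return crc

    def update_keys(byte):
        keys[0] = crc32_byte(byte, keys[0])
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc32_byte(keys[1] >> 24, keys[2])

    def encrypt_byte(plain):
        k = keys[2] | 2
        cipher = plain ^ (((k * (k ^ 1)) >> 8) & 0xFF)
        update_keys(plain)  # keystream is driven by the plaintext
        return cipher

    for byte in password:
        update_keys(byte)
    # 11 random bytes + high byte of the CRC; readers use it as a password check.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    return bytes(encrypt_byte(b) for b in header + data)


def make_encrypted_zip(name, data, password):
    """Hand-written single-entry, stored, ZipCrypto-encrypted archive."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = _zipcrypto(data, password, crc)
    fname = name.encode("ascii")
    flags, method, dostime, dosdate = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime,
                        dosdate, crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dostime, dosdate, crc, len(body), len(data), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def make_zip(name, data):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def read_zip_entry(zip_bytes, name, pwd=None):
    """None means the entry could not be opened with that password: the same
    position every scanner is in for an encrypted attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return zf.read(name, pwd=pwd)
    except (RuntimeError, zipfile.BadZipFile):
        return None


def build_messages(sender, recipient, password=b"infected"):
    """Return the variants keyed by name; only the first three test signatures,
    the encrypted one tests your archive policy."""
    def base(subject):
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
        return msg

    inline = base("EICAR inline in body")
    inline.set_content(EICAR.decode("ascii"))
    attached = base("EICAR as base64 attachment")
    attached.set_content("EICAR attached as application/octet-stream.")
    attached.add_attachment(EICAR, maintype="application",
                            subtype="octet-stream", filename="eicar.com")
    zipped = base("EICAR inside a zip")
    zipped.set_content("EICAR inside a deflated zip archive.")
    zipped.add_attachment(make_zip("eicar.com", EICAR), maintype="application",
                          subtype="zip", filename="eicar.zip")
    encrypted = base("EICAR inside a password-protected zip")
    encrypted.set_content("Archive password: " + password.decode("ascii"))
    encrypted.add_attachment(make_encrypted_zip("eicar.com", EICAR, password),
                             maintype="application", subtype="zip",
                             filename="eicarpasswd.zip")
    return {"inline": inline, "base64": attached, "zip": zipped, "zip-encrypted": encrypted}


def first_attachment(msg):
    for part in msg.iter_attachments():
        return part.get_payload(decode=True)
    return None


def write_corpus(directory, sender, recipient):
    """Write each variant as <name>.eml so `clamscan <directory>` can scan them."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for name, msg in build_messages(sender, recipient).items():
        path = os.path.join(directory, name + ".eml")
        with open(path, "wb") as fh:
            fh.write(msg.as_bytes(policy=SMTP))
        paths.append(path)
    return paths
```

Run `write_corpus("/tmp/eicar-corpus", sender, recipient)` and then `clamscan /tmp/eicar-corpus`: the inline, base64 and zip files should each report `Eicar-Test-Signature FOUND`, and the encrypted one only if encrypted archives are flagged by policy (`ArchiveBlockEncrypted yes` in the clamd.conf of that era; since ClamAV 0.101 the option is `AlertEncrypted`, and the clamscan flag `--alert-encrypted`). To test the gateway path instead of the scanner alone, relay each message with `smtplib.SMTP(host).send_message(msg)` from a host that is not itself running a desktop scanner, which is what made the self-addressed test in this thread hard to carry out.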
d***@davidwbrown.name
2009-02-06 16:09:44 UTC
Hello Alex, I don't have a definitive test either. I have recently installed ClamAV on my gateway/router/firewall/smtp Linux box. I tried the canned test as suggested in the ClamAV doco, but I could not see anything definitive. I agree that a real email from the <outside> would be a definitive test.

Since ClamAV is running on a Linux box, a Windows virus in an email attachment would be the best test without actually exposing the Linux box to compromise. I must admit that I would be reluctant to do this myself, as the reason I installed ClamAV is that I recently rid my local Windows boxes of a vicious browser hijack trojan. The source of this trojan was in all likelihood not email but a link embedded in a normal HTML page.

BTW: what is the EICAR test? I will try this myself. Regards, :-),
David.

Alex Davidson wrote ..
Post by Alex Davidson
Interesting...if I create a plain text email with the eicar text in
it, ClamAV detects it successfully.
Can anyone suggest another way to send myself a
non-password-protected/encrypted attachment that ClamAV might have a
chance at detecting?
It's either that or disable my workstation AV and server AV to send
one out and back in that way - kind of a pain.
Thanks!
d***@davidwbrown.name
2009-02-06 17:19:18 UTC
Hello Noel, yep, it worked. The EICAR message was found, but not before a user would have had enough time to open the mail message and the attachment. And it is difficult to tell exactly which message is the culprit, because all I see from the CRON log email is:

/Maildir/cur/1233939406.Vfd00I270080M968444.davidwbrown.name:2,S: Eicar-Test-Signature FOUND

And, the gadgetry set-up to automatically send email to users with FOUND signatures did not trigger.

I suppose I need to run ClamAV as a daemon and ditch the CRON job.

Thanks, David.


Noel Jones wrote ..
Post by Noel Jones
Post by Alex Davidson
Interesting...if I create a plain text email with the eicar text in
it, ClamAV detects it successfully.
Can anyone suggest another way to send myself a
non-password-protected/encrypted attachment that ClamAV might have a
chance at detecting?
There is a test tool at http://tools.declude.com/ under the
"Virus Test" heading.
There are a bazillion options for sending the virus. The
only tests that really count are the "Plain base64 MIME
encoded" and "Zip file". Clam should detect those. The rest
appear to be mostly marketing fluff; don't be too concerned if
clam doesn't detect them.
--
Noel Jones
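David's cron report shows the weakness of scanning a Maildir after delivery: by the time `clamscan` prints `<path>: Eicar-Test-Signature FOUND`, the file is already in the user's folder, and the log line alone does not say which message it was. The following added example (not code from the thread or from ClamAV) turns those FOUND lines into something an admin can act on: it reads the headers of each flagged file, checks the Maildir `:2,` flags to see whether the user has already opened it, and renames the file into a quarantine folder. The Maildir layout, the clamscan line format and the constructed sample message are the only assumptions.

```python
"""Correlate clamscan FOUND lines with Maildir messages and quarantine them (added example)."""
import email
import os
import re
import tempfile
import time
from email import policy
from email.message import EmailMessage

# clamscan prints one "<path>: <signature> FOUND" line per infected file.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found(log_text):
    """Return (path, signature) for every FOUND line; summary lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def describe(path):
    """Read the message headers so the admin knows which mail was flagged."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh, policy=policy.default)
    return {"path": path, "from": msg["From"], "subject": msg["Subject"],
            "message_id": msg["Message-ID"]}


def correlate(log_text):
    out = []
    for path, sig in parse_found(log_text):
        info = describe(path)
        info["signature"] = sig
        # Maildir stores flags after ":2,"; "S" means the user already read it,
        # i.e. the scan came too late for that message.
        flags = path.rsplit(":2,", 1)[1] if ":2," in path else ""
        info["seen"] = "S" in flags
        out.append(info)
    return out


def quarantine(hits, quarantine_dir):
    """Rename flagged files out of cur/new. A rename on the same filesystem is
    atomic, so the MUA never sees a half-moved message."""
    os.makedirs(quarantine_dir, exist_ok=True)
    moved = []
    for hit in hits:
        dest = os.path.join(quarantine_dir, os.path.basename(hit["path"]))
        os.replace(hit["path"], dest)
        moved.append(dest)
    return moved


def build_sample(root=None):
    """Constructed Maildir with one already-read message and a matching log."""
    root = root or tempfile.mkdtemp(prefix="maildir-")
    cur = os.path.join(root, "cur")
    os.makedirs(cur, exist_ok=True)
    msg = EmailMessage()
    msg["From"] = "tester@example.test"
    msg["To"] = "david@example.test"
    msg["Subject"] = "EICAR via test tool"
    msg["Message-ID"] = "<constructed-1@example.test>"
    msg.set_content("constructed sample body")
    path = os.path.join(cur, "%d.V1I2M3.mailhost:2,S" % int(time.time()))
    with open(path, "wb") as fh:
        fh.write(bytes(msg))
    log = ("%s: Eicar-Test-Signature FOUND\n" % path
           + "\n----------- SCAN SUMMARY -----------\nInfected files: 1\n")
    return root, log
```

`clamscan --move=DIR` can do the quarantine step itself; what this adds is the header correlation and the "already read" flag, which tell you whether the cron interval was short enough. The real fix is the one David reaches at the end of his post: scan at SMTP time (clamd behind a milter or the ASSP integration) so the message is rejected before it lands in a Maildir at all.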