Mailing List Archive: ClamAV: users

A trojan is not blocked



unix.ivan at aol

Oct 25, 2011, 5:55 AM

Post #1 of 5 (602 views)
Permalink
A trojan is not blocked

Hello,

I saw an interesting behavior related, for example, to Email.Trojan-234.
Configuration: amavisd + ClamAV.
When a message arrives with content as follows (some parts of the original content have been removed):

The XXX transaction (ID: xxxxxxxxxxxx), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

Rejected transaction
Transaction ID: xxxxxxxxxxxx

Reason of rejection See details in the report below

Transaction Report
report_xxxxxxxxxx.pdf.exe (self-extracting archive, Adobe PDF)
Please click here to download report:
http://xxxxxxx.com/xxxxx/xxxxx.html


------------


The message is passed.
But if the same message is sent to an unknown user and an NDR with the original mail attached is generated, then the NDR with the attached original message is blocked properly.

I am just wondering why the original message passed, but the NDR (with the attached original message) was blocked.

Thank you in advance!

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml


cswiger at mac

Oct 25, 2011, 9:20 AM

Post #2 of 5 (569 views)
Permalink
Re: A trojan is not blocked [In reply to]

On Oct 25, 2011, at 5:55 AM, Ivan Ivanov wrote:
> Configuration amavisd + ClamAV.
[ ... ]
> I just wondering why original message passed, but NDR (with attached original message) was blocked.

amavisd is probably not set up to pass the raw message to clamd for scanning. See whether bypass_decode_parts is on in amavisd.conf, and/or check your keep_decoded_original_maps setting. Sanesecurity has mention of this issue here:

http://www.sanesecurity.com/problems.htm

Regards,
--
-Chuck

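Chuck's advice above, written out as an amavisd.conf fragment. This is an added example and not configuration from the thread, from the amavisd-new project or from Sanesecurity; it assumes amavisd-new, the "problem" setting is an assumed starting point, and the regex list is reproduced from the shipped default as I recall it, so check it against your own amavisd.conf:

```perl
# amavisd.conf excerpt (added example, not from the thread).
# Assumption: amavisd-new; regex list reproduced from memory of the shipped
# default, verify against your own file.

# Assumed problem configuration: the undecoded message itself is not kept, so
# the scanner only ever sees the decoded MIME parts.  A signature that matches
# the raw RFC822 message (headers plus MIME structure) never fires on a direct
# delivery, but does fire when the same message arrives as a message/rfc822
# attachment of an NDR, because that attachment is handed over as a file of
# its own.  This is the behaviour Ivan describes, under Chuck's explanation.
@keep_decoded_original_maps = (new_RE(
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

# Corrected: keep the undecoded MAIL (and mail amavisd could not decode)
# alongside the decoded parts, so clamd scans the raw message as well as
# each part, whether it arrives directly or inside an NDR.
@keep_decoded_original_maps = (new_RE(
  qr'^MAIL$',
  qr'^MAIL-UNDECIPHERABLE$',
  qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

# Alternative Chuck mentions: skip amavisd's own MIME decoding and hand the
# whole message to the scanner.  Only appropriate when every scanner you run
# (ClamAV does) decodes MIME itself, since amavisd's checks on decoded parts
# then have nothing to look at.
# $bypass_decode_parts = 1;
```

After editing, reload the daemon (`amavisd reload`) and retest with the same sample; with the raw message passed to clamd, the direct delivery and the NDR should now be scanned the same way.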


unix.ivan at aol

Oct 25, 2011, 10:53 PM

Post #3 of 5 (568 views)
Permalink
Re: A trojan is not blocked [In reply to]

Hello Chuck,

Thank you very much for provided information.

With best regards,

Ivan



kristen.eisenberg at yahoo

Nov 5, 2011, 4:51 AM

Post #4 of 5 (517 views)
Permalink
A trojan is not blocked [In reply to]

testing

Kristen Eisenberg
Billige Flüge Marketing GmbH
Emanuelstr. 3,
10317 Berlin
Germany
Phone: +49 (33) 5310967
Email: utebachmeier at gmail.com
Site: http://flug.airego.de - compare cheap flights


nielsjende at googlemail

Nov 5, 2011, 5:13 AM

Post #5 of 5 (521 views)
Permalink
Re: A trojan is not blocked [In reply to]

Hi Kristen!

It would be helpful if you would provide us some more details! Otherwise
there is no way of helping you!

Cheers
Niels


--
Sent from my mobile device
