From clamav-users-bounces@lists.clamav.net  Sun Sep 11 01:26:58 2005
Message-ID: <96cb014f05091016267c5dfade@mail.gmail.com>
Date: Sat, 10 Sep 2005 16:26:34 -0700
From: "Roger E. Rustad, Jr." <roger.rustad@gmail.com>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [Clamav-users] pandasoftware distributing Sirius.Annihilator.272?
In-Reply-To: <43236467.6020507@precompiled.de>
References: <Pine.LNX.4.61.0509101342540.12132@patascoy.ovsp.gov.co>
	<20050910194528.GA484@ns2.wananchi.com> <43233CD0.5070001@campbus.com>
	<43236467.6020507@precompiled.de>

When I click those links, my Watchguard 700 reports:

WatchGuard firewall: Response denied from
http://208.254.57.135:80/activescan/as5free/motor.cab: Unsafe content type
"application/octet-stream"

On 9/10/05, Christoph Cordes <ib@precompiled.de> wrote:
>
> BitFuzzy wrote:
> > Odhiambo Washington wrote:
> >
> >> * On 10/09/05 13:47 -0500, Pablo Chamorro C. wrote:
> >>
> >>> I managed to deploy squid + havp + clamav for antivirus control of
> >>> web pages/files, and to my surprise this morning I found:
> >>>
> >>> 10/09/2005 13:08:36
> >>> http://www.pandasoftware.com/activescan/as5free/motor.cab Virus:
> >>> Sirius.Annihilator.272
> >>> 10/09/2005 13:09:22
> >>> http://www.pandasoftware.com/activescan/as5free/motor.cab Virus:
> >>> Sirius.Annihilator.272
> >>> 10/09/2005 13:10:09
> >>> http://www.pandasoftware.com/activescan/as5free/motor.cab Virus:
> >>> Sirius.Annihilator.272
> >>> 10/09/2005 13:15:06
> >>> http://www.pandasoftware.com/activescan/as5free/motor.cab Virus:
> >>> Sirius.Annihilator.272
> >>>
> >>> Some comment?
> >>
> >> ClamAV is right about the virus! At least it tells me the same when I
> >> try to download that file. Funnily, I use DansGuardian, not HAVP. We
> >> get the same results. So if anything is 'wrong', it is clamav.
> >>
> > The file scanned fine with PcCillin as well.
> >
> > However, after sending test emails containing the contents of the .cab I
> > was able to identify "pskavs.dll" as being the file that's being tagged
> > as being infected.
>
> The problem is that Panda still ships files that contain "plain
> virus code"; other vendors encrypt such files to avoid such false
> positives. So Clam is right somehow: it found the byte sequence of the
> virus in the file.
>
> Not as an excuse but to prove the fact, I tested the file with some
> other scanners, and got the following:
>
> Scanner 1: Win32:CTX
> Scanner 2: Frisk #2
> Scanner 3: W95/Sledge-A
>
> So you can see it's not only a problem of ClamAV. We have similar
> problems with some vulnerability scanners that contain plain
> exploit code - it wouldn't be hard to encrypt the code....
>
> However, I will include the file in my update.
>
> Maybe you want to report the problem to Panda too - imho it's a problem
> that can be solved by them - and be sure they know about it already - if
> they read the mails that people send to their support.
>
> --
> Best regards,
> Christoph mailto:ccordes@clamav.net
> _______________________________________________
> http://lurker.clamav.net/list/clamav-users.html
>
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
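A worked illustration of the mechanism Christoph describes above (a signature scanner matches raw byte patterns, so another vendor's clear-text signature store contains exactly those patterns and gets flagged, while a reversibly encoded store does not). This is an added example, not code from the thread, ClamAV or Panda; every signature name, byte pattern and "database" below is constructed for the demonstration and matches nothing real.

```python
# Toy signature scanner to show why a clear-text signature store from one
# product trips a second product's scanner, and why encoding the store avoids
# the false positive. All names, patterns and file contents are constructed.

# Constructed detection signatures used by the scanning side (hypothetical names).
SIGNATURES = {
    "Example.Annihilator.272": bytes.fromhex("e8000000005b81eb"),
    "Example.Sledge.A": bytes.fromhex("b8aaaaaaaa50c3"),
}


def scan(data: bytes) -> list:
    """Return the names of every signature whose byte pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def build_plain_db(patterns: dict) -> bytes:
    """A naive signature database: name, a separator, then the raw pattern bytes.

    Storing patterns this way means the file literally contains the bytes that
    other scanners look for, which is the situation described in the thread.
    """
    return b"".join(name.encode() + b":" + pat + b"\n" for name, pat in patterns.items())


def obfuscate(blob: bytes, key: int = 0x5A) -> bytes:
    """Reversible byte-wise XOR (applying it twice restores the input).

    Enough to keep raw patterns out of the on-disk file; a real product would
    use proper encryption or compression, but the effect on a byte matcher is the same.
    """
    return bytes(b ^ key for b in blob)


# A hypothetical second vendor ships its own copy of one of the same patterns.
OTHER_VENDOR_DB = {
    "OtherVendor.Annihilator": bytes.fromhex("e8000000005b81eb"),
}


def false_positive_demo() -> dict:
    """Scan the other vendor's store in clear text and in encoded form."""
    plain = build_plain_db(OTHER_VENDOR_DB)
    hidden = obfuscate(plain)
    return {
        "plain_store_hits": scan(plain),          # the clear-text store is flagged
        "obfuscated_store_hits": scan(hidden),    # the encoded store is not
        "roundtrip_ok": obfuscate(hidden) == plain,  # the owner can still decode it
    }


if __name__ == "__main__":
    for key, value in false_positive_demo().items():
        print(key, value)
```

When a scanner flags a component of another security product, the triage step the thread itself performed (extracting the archive and scanning the members separately to find which file, here pskavs.dll, carries the hit) is the quickest way to tell a signature-store false positive from a genuinely infected binary.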