# ClamAV does not detect Netsky viruses!

## petterg

I'm using clamav on my private mailserver and clamwin on my windows desktop.

As of version 0.81 I've made comments about clamav not detecting my Netsky D infected test mail.

Yesterday I learned the hard way that clamwin does not detect "w32.netsky@mm".

Version 0.80 (and prior) did detect the Netsky D infected test mail, so this is some bug that has turned up lately. I kept on using version 0.80 until recently. It turned out that after upgrading qmailscanner to version 1.26 the Netsky D mail does not get detected even when using clamav 0.80, so I upgraded clamav as well.

I've submitted my test mail to the clamav developers twice - no response. Feels like they ignore the problem.

Does anyone else have this problem?

Any recommendations of other AV software under a GPL license that will work with qmailscanner?

-pg

----------

## mnich

Hi,

are you sure your mails are going through clamav? I'm using clamav-0.86.2 with amavisd-new-2.3.2 and everything works fine.

----------

## petterg

Well, all the other virus-infected test mails are detected.

Have you tested with netsky?

----------

## mnich

No, I didn't test it with netsky.

It's hard to say what's the problem. Maybe old virus database? Do you run freshclam? Does it update files daily.cvd and main.cvd? Those files are in /var/lib/clamav directory on my system.

----------

## petterg

Database is updated at least once or twice a day.

That this is a problem on all Gentoo boxes I've tried it on

+ also a problem in the windows version

+ only problem with Netsky viruses

- NOT a problem on version <=0.80

= makes me believe this is not related to configuration, and should be a problem for more users than just me!

----------

## darkphader

Is ScanRAR enabled in your clamd.conf?

edit:

Might be a good idea to block encrypted archives as well (also not enabled by default).

edit2:

If you scan the file manually with clamscan (as opposed to using clamd - sorry this is my assumption) is the virus caught?

----------

## petterg

Some guy from Surasoft contacted me and got a copy of the infected mail... it doesn't get detected in his clamav install either!

If anyone else would like to test - here is a copy of the mail I use for testing

http://home.no.net/~pgunner/netsky/netskyd_mail.tar.bz.obs

It's picked from the imap-server (maildir). Tar'ed, bzip'ed and added .obs to its name.

Handle it with care. It made some mess at the company I got it from.

----------

## golloza

When scanning the bare mail file with the recent updates (main: 33, daily: 1017), clam(d)scan didn't detect a virus.

However, I extracted the attachment and had ClamAV scan it again, whereupon it detected "Worm.SomeFool.Gen-1".

Here is the archive with the extracted attachment: http://home.arcor.de/golloza/files/netsky-somefool.tar.bz2

----------

## asiobob

Just downloaded the file. clam detects the file, even the compressed file. Of course not from the mail sample. Interesting.

----------

## nobspangle

I'm running 0.86.2 and the worm is detected correctly from the sample message.

----------

## asiobob

How are you scanning it? Directly or via the mail server?

----------

## darkphader

It's detected here as well, by clamscan (86.2) directly and by clamd (86.1 is on the mail server) when sent as an attachment in a mail message. Mail server uses postfix/amavis/clamd.

EDIT:

The above was using the bz2 as it was downloaded. If expanded, clamscan only finds the virus in the file named "attachment", not in "attachment-base64" or "netskyd_mail".

If I attach these files to separate email messages, the virus is found with "attachment" and "attachment-base64", but not in "netskyd_mail".

----------

## nobspangle

Detected by my mail server running postfix and amavisd-new:

> A virus was found: Worm.SomeFool.Gen-1
> 
> A banned name was found:
> 
>   multipart/mixed | application/octet-stream,.exe,.exe-ms,document_full.pif
> ...

----------

## petterg

Anyone managed to detect this virus from the mail using qmailscanner?

----------

## petterg

I still have this problem; upgraded to clamav 0.87 now.

The virus is detected if the archive is attached to a new mail.

The virus is detected if the file "attachment" from the archive is attached to a new mail.

The virus is not detected from the mail sample. Could the mail sample contain some header that disables the detection?
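
The workaround the thread converges on (the worm is caught once the attachment is pulled out of the message and decoded, but not when the raw mail file is scanned) can be automated: decode each MIME attachment yourself and hand it to clamd as a separate stream. This is an added example, not code from the thread or from the ClamAV project; the sample message is constructed with an inert placeholder body, and a clamd listening on 127.0.0.1:3310 is an assumption.

```python
import base64
import email
import hashlib
import struct
from email import policy

# Constructed sample: multipart mail with one base64 attachment whose body is
# plain placeholder text, standing in for the binary the thread discusses.
SAMPLE_MAIL = b"""From: sender@example.invalid
To: victim@example.invalid
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attachment
--XYZ
Content-Type: application/octet-stream; name="document_full.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document_full.pif"

""" + base64.b64encode(b"PLACEHOLDER-ATTACHMENT-BODY") + b"""
--XYZ--
"""

def extract_attachments(raw):
    """Return [(filename, decoded_bytes)] for every non-text leaf part.
    This mirrors the manual step in the thread: the scanner gets the
    decoded file, not the base64 text or the whole mail file."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() == "text":
            continue
        out.append((part.get_filename() or "unnamed",
                    part.get_payload(decode=True)))
    return out

def instream_frames(data, chunk=2048):
    """Frame data for clamd's INSTREAM command: 'zINSTREAM\\0', then
    4-byte big-endian length + chunk, terminated by a zero-length chunk."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        frames.append(struct.pack("!I", len(piece)) + piece)
    frames.append(struct.pack("!I", 0))
    return b"".join(frames)

def scan_with_clamd(data, host="127.0.0.1", port=3310):
    """Send one decoded attachment to clamd over TCP (assumed reachable on
    port 3310) and return its one-line verdict, e.g. 'stream: OK'."""
    import socket
    with socket.create_connection((host, port)) as s:
        s.sendall(instream_frames(data))
        return s.recv(4096).decode(errors="replace").strip()

if __name__ == "__main__":
    for name, blob in extract_attachments(SAMPLE_MAIL):
        print(name, hashlib.sha256(blob).hexdigest())
        try:
            print(scan_with_clamd(blob))
        except OSError as exc:
            print("clamd not reachable:", exc)
```

Pointing `SAMPLE_MAIL` at the bytes of a real maildir file scans each decoded attachment the way the posters did by hand, which separates "clamd cannot parse this message" from "the signature does not match".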

----------

## -Craig-

Couldn't you ask the ClamAV people if they can help with this issue?

----------

