cleanmail uses clamwin but never catches any virus
GuitarBob
ClamWin uses the virus signatures and scan engine provided by the Clam AV project. I suggest you upload a few of those undetected virus files to Virus Total and see whether or not Clam AV detects them there. If they are not detected, then there is no Clam AV signature for them, and that is why ClamWin does not detect them.
Let us know how this goes. The current version of ClamWin is .99.4, which is a couple of versions behind Clam AV, but the ClamWin developers have not prepared an updated Windows port from the current Clam AV code because they thought the changes made by Clam AV did not affect detection in the ClamWin Windows environment. I suspect they are correct, but if those files are detected by Clam AV on Virus Total but not by ClamWin in real life, then this may be a wrong assumption, so please let us know how it goes. Regards,
bofcchmw
ok i uploaded the file.eml to totalvirus.com and 11 out of 58 engines detected it. those being:

Arcabit: HEUR.VBA.Trojan.e
Emsisoft: Trojan-Downloader.Macro.Generic.H (A)
Fortinet: VBA/Agent.KSB!tr.dldr
Ikarus: Trojan.VBA.Agent
McAfee: W97M/Downloader.ea
Microsoft: Trojan:O97M/Sonbokli.A!cl
NANO-Antivirus: Trojan.Ole2.Vbs-heuristic.druvzi
Qihoo-360: virus.office.qexvmc.1085
Tencent: Heur.Macro.Generic.Gen.h
TrendMicro: HEUR_VBA.O.ELBP
Zoner: Probably W97Obfuscated

clamwin was not one of them. this explains why vipre also did not detect it on my exchange server. hence the four layers of AV in the domain. 2 of the four scanners are detecting these latest .doc and .pdf file viruses. thank you. guess there is nothing further to do for clamwin but wait.
GuitarBob
Good. Virus Total should send a copy of the undetected virus to those AVs that do not currently detect it, so Clam AV should get a copy, but it is up to the Clam AV team to prepare a signature for it--they don't always do so if they decide that a certain malware will not be received by Clam AV users. Clam AV also does not have any full-time personnel. That is the way it was when I worked as a sigmaker for them from 2009-2014, and it has probably not changed much since Cisco acquired Clam AV along with the other Sourcefire assets.
Some AVs devote more time to detecting executable files than they do to the non-executable stuff like macros/PDFs/etc. Bitdefender used to be like that--I don't know about now, but the nonexecutable/script stuff seems to be the more dangerous. It is a good idea to have several AVs to safeguard email services. Many AVs now use the Bitdefender engine, so you do not want to load up too much on AVs like that. Regards,
Powered by phpBB © phpBB Group
Design by phpBBStyles.com | Styles Database.
Content © ClamWin Free Antivirus GNU GPL Free Software Open Source Virus Scanner. Free Windows Antivirus. Stay Virus Free with Free Software.