0, 0, 0, 0, 0, 0, 84, 312
That's 84 yesterday and 312 so far today since midnight.
The days with zero have real data, between 12k and 72k entries,
just no Passed UNCHECKED.
Assuming this is not legit email, what did I likely mangle yesterday
to start getting this behavior?
I did not make an amavisd.conf change, it's got to be something in
my sql db.
Thanks,
-mark
_______________________________________________
AMaViS-user mailing list
AMaVi...@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
Amavis may be unable to check the message content for a variety of reasons,
such as encrypted archives, unsupported compression methods, etc. E.g.:
amavis[19836]: (19836-04) ...
... (!)do_unzip: p002, unsupported compr. method: 99
... presenting full original message to scanners as
/var/amavis/tmp/amavis-20070226T083354-19836/parts/p005, 1 undecipherable
amavis[19804]: (19804-09) ...
... do_unzip: p002, 1 members are encrypted, none extracted, archive
retained
... presenting full original message to scanners as
/var/amavis/tmp/amavis-20070226T083012-19804/parts/p005, 1 undecipherable
What are your logs showing in the entries just prior to Passed UNCHECKED?
MrC
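
One way to answer that question from a log file, as an added example that is not part of the original thread: it counts Passed UNCHECKED verdicts per day and pairs each with the decoder complaint logged earlier under the same amavis id. The syslog layout, the sample lines and the names `summarize`, `REASONS` and `NO_REASON` are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines modelled on the excerpts quoted above; the
# host name, addresses and the text after "Passed ..." are made up.
SAMPLE_LOG = """\
Apr 25 08:30:12 mx amavis[19804]: (19804-09) do_unzip: p002, 1 members are encrypted, none extracted, archive retained
Apr 25 08:30:12 mx amavis[19804]: (19804-09) Passed UNCHECKED, [192.0.2.10] <a@example.com> -> <u@example.org>
Apr 25 08:31:40 mx amavis[19811]: (19811-02) Passed CLEAN, [192.0.2.11] <b@example.com> -> <u@example.org>
Apr 26 08:33:54 mx amavis[19836]: (19836-04) (!)do_unzip: p002, unsupported compr. method: 99
Apr 26 08:33:55 mx amavis[19836]: (19836-04) Passed UNCHECKED, [192.0.2.12] <c@example.com> -> <u@example.org>
Apr 26 09:02:01 mx amavis[19840]: (19840-01) Passed UNCHECKED, [192.0.2.13] <d@example.com> -> <u@example.org>
"""

# Assumed layout: "<Mon DD> <time> <host> amavis[pid]: (<id>) <message>"
LINE = re.compile(r"^(\w{3}\s+\d+) \S+ \S+ amavis\[\d+\]: \((\d+-\d+)\) (.*)$")

# Decoder complaints taken from the log excerpts in this thread.
REASONS = [
    ("encrypted archive member", "members are encrypted"),
    ("unsupported compression method", "unsupported compr. method"),
]
NO_REASON = "no decoder complaint logged"


def summarize(log_text):
    """Count Passed UNCHECKED verdicts per day and per preceding complaint."""
    pending = {}  # amavis id -> last decoder complaint seen for that message
    per_day, per_reason = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        day, am_id, msg = m.groups()
        for label, needle in REASONS:
            if needle in msg:
                pending[am_id] = label
        if msg.startswith("Passed UNCHECKED"):
            per_day[day] += 1
            per_reason[pending.pop(am_id, NO_REASON)] += 1
        elif msg.startswith(("Passed ", "Blocked ")):
            pending.pop(am_id, None)  # other verdict: drop this message's state
    return per_day, per_reason


if __name__ == "__main__":
    days, reasons = summarize(SAMPLE_LOG)
    print(dict(days), dict(reasons))
```

A sudden rise in one complaint category on a given day points at a wave of similar attachments rather than a configuration change.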
> My amavis logs show the following number of Passed UNCHECKED items:
> 0, 0, 0, 0, 0, 0, 84, 312
> That's 84 yesterday and 312 so far today since midnight.
> The days with zero have real data, between 12k and 72k entries,
> just no Passed UNCHECKED.
> Assuming this is not legit email, what did I likely mangle yesterday
> to start getting this behavior?
> I did not make an amavisd.conf change, it's got to be something in
> my sql db.
> Thanks,
> -mark
Quite possibly an encrypted, and as of yet, undetected virus. I just got
one with a password protected .rar file. I suggest blocking .rar files. I
hope your users have not opened any of these. Mine claims to be a patch
for an undetected worm.
Gary V
> Mark wrote:
>> My amavis logs show the following number of Passed UNCHECKED items:
>> 0, 0, 0, 0, 0, 0, 84, 312
>> That's 84 yesterday and 312 so far today since midnight.
>> The days with zero have real data, between 12k and 72k entries,
>> just no Passed UNCHECKED.
>> Assuming this is not legit email, what did I likely mangle yesterday
>> to start getting this behavior?
>> I did not make an amavisd.conf change, it's got to be something in
>> my sql db.
>> Thanks,
>> -mark
> Quite possibly an encrypted, and as of yet, undetected virus. I just got
> one with a password protected .rar file. I suggest blocking .rar files. I
> hope your users have not opened any of these. Mine claims to be a patch
> for an undetected worm.
A-Squared              Found nothing
AntiVir                Found nothing
ArcaVir                Found nothing
Avast                  Found nothing
AVG Antivirus          Found nothing
BitDefender            Found nothing
ClamAV                 Found Email.Phishing.RB-686
Dr.Web                 Found nothing
F-Prot Antivirus       Found nothing
F-Secure Anti-Virus    Found nothing
Fortinet               Found nothing
Kaspersky Anti-Virus   Found nothing
NOD32                  Found nothing
Norman Virus Control   Found nothing
Panda Antivirus        Found nothing
Rising Antivirus       Found nothing
VirusBuster            Found nothing
VBA32                  Found nothing
I think you are getting this virus. I think it's more serious than
ClamAV thinks it is. I would say there's another storm a brewin'.
You should be able to stand down from the alert a bit:
ClamAV by default reports known standard phish emails as "viruses",
using this "Email.Phishing" format, to protect unsuspecting users from
getting all their money stolen. No other AV vendors do that, so far as
I know. If you don't want this behavior, ISTR you can disable those
signatures in current versions of ClamAV.
-- Clifton
--
Clifton Royston -- clif...@iandicomputing.com / clif...@lava.net
President - I and I Computing * http://www.iandicomputing.com/
Custom programming, network design, systems and network consulting services
I inquired about this on the ClamAV list. It contains the Nuwar virus
but there are extenuating circumstances.
http://lurker.clamav.net/thread/20070425.232237.811c419f.en.html
Gary V
Nothing... I'd bump up the log level but I haven't had another one
since I emailed this list. So, I think Gary V is correct, there was
a small virus storm. Maybe it was just a test run :-)
Thanks,
-mark