Byteplant Forum

http://www.webmail.us/testvirus [message #1077] Wed, 16 March 2005 22:33
the_stranger
Messages: 8
Registered: March 2005
Junior Member
I went to this address to test NoSpamToday system, which I'm pretty happy with. I found that 3 emails got through, one had an embedded virus which wasn't detected by Clam or Norton. The other 2 were .dat files which also were not detected. There were 25 emails in the test; only 3 got through. That's pretty good but I'm looking for 100% effectiveness.

Here's the test address.

http://www.webmail.us/testvirus

Any ideas?
Re: http://www.webmail.us/testvirus [message #1078 is a reply to message #1077] Thu, 17 March 2005 14:16
support
Messages: 919
Registered: April 2004
Senior Member
the_stranger wrote:

> I went to this address to test NoSpamToday system, which I'm
> pretty happy with. I found that 3 emails got through, one had
> an embedded virus which wasn't detected by Clam or Norton. The
> other 2 were .dat files which also were not detected. There
> were 25 emails in the test; only 3 got through. That's pretty
> good but I'm looking for 100% effectiveness.
>
> Here's the test address.
>
> http://www.webmail.us/testvirus
>
> Any ideas?

Which test # exactly got through?



Customer Support
Byteplant GmbH
Re: http://www.webmail.us/testvirus [message #1079 is a reply to message #1077] Wed, 23 March 2005 06:31
Heidner
Messages: 121
Registered: February 2005
Senior Member
For me they are:

Test #4, Eicar virus sent using uuencoding

begin 600 eicar.com
M6#5/(5`E0$%06S1<4%I8-30H4%XI-T-#*3=])$5)0T%2+5-404Y$05)$+4%.
75$E625)54RU415-4+49)3$4A)$@K2"H`
`
end

Test #16, Eicar string in HTML, to ensure that your mail server scans HTML segments

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* -- attempts to view the HTML source result in Symantec auto protect quarantining the file.


Test #24, Test for the "Partial (Fragmented) Vulnerability". This does not include the Eicar virus, however your mail server should still block this since a virus can use this technique to break itself into multiple emails, bypassing virus scanners, and reassembling itself in your inbox. (attachment can be opened by virtually any mail program)

Test 24 produces an e-mail which has a MAPI body error. The message contains the following attachment:

--=====================_307115168==_
Content-Type: text/plain; charset="us-ascii"; format=flowed

This message was sent to you because you or someone you know is testing your mail server's virus scanner at: http://www.webmail.us/testvirus

This test message contains:

Test #24 (non-virus): Test for the "Partial (Fragmented) Vulnerability". This does not include the Eicar virus, however your mail server should still block this since a virus can use this technique to break itself into multiple emails, bypassing virus scanners, and reassembling itself in your inbox. (attachment can be opened by virtually any mail program)

If your mail server's virus scanner did not detect this email, it allows some viruses through! Please note: This test message uses the EICAR test virus, which is completely benign and contains no viral code. For more information see: http://www.eicar.org

--------------------------------------------------------------------------------------------------------------------

I think I am more concerned about tests 4 and 16 than #24. FWIW, I am running ClamAV scanning inbound, then Symantec autoprotect, and Bitdefender scanning the information store, plus BlackIce server looks at inbound packets before NST ever sees them.... So really #4 and #16 have made it past four barriers.... three of which are antivirus scanners... so it may be possible that the test #4 string is actually an invalid EICAR test. Symantec autoprotected when trying to look at the mail containing test #16.

As for where the viruses were stopped: BlackIce saw eight - and may have blocked several. ClamAV blocked some, Symantec Corporate AV - autoprotect blocked several - including one or two that Clam was trying to analyze. Bitdefender nailed a couple more.
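An added example, not part of the original posts: a check of the test #4 payload quoted above. It uudecodes the begin/end block and compares the result with the EICAR string quoted for test #16, contrasting a signature match on the raw body text with a match after decoding. The function names and the first line of the sample body are constructed for illustration.

```python
import re

# EICAR test string as quoted for test #16 on this page (68 bytes, benign).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Test #4 block as posted above; the first text line is constructed.
SAMPLE_BODY = r"""Constructed body text around the attachment.

begin 600 eicar.com
M6#5/(5`E0$%06S1<4%I8-30H4%XI-T-#*3=])$5)0T%2+5-404Y$05)$+4%.
75$E625)54RU415-4+49)3$4A)$@K2"H`
`
end
"""

BEGIN_RE = re.compile(r"^begin [0-7]{3,4} (\S+)$")

def uu_decode_line(line):
    """Decode one uuencoded line; its first character carries the byte count."""
    count = (ord(line[0]) - 32) & 0x3F
    vals = [(ord(ch) - 32) & 0x3F for ch in line[1:]]
    vals += [0] * (-len(vals) % 4)          # tolerate stripped padding
    out = bytearray()
    for i in range(0, len(vals), 4):
        a, b, c, d = vals[i:i + 4]
        out += bytes([(a << 2 | b >> 4) & 255, (b << 4 | c >> 2) & 255, (c << 6 | d) & 255])
    return bytes(out[:count])

def extract_uu_attachments(body):
    """Return [(filename, payload)] for each begin/end block in a text body."""
    found, name, data = [], None, bytearray()
    for line in body.splitlines():
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name, data = m.group(1), bytearray()
        elif line == "end":
            found.append((name, bytes(data)))
            name = None
        elif line:
            data += uu_decode_line(line)
    if name is not None:                    # no "end" line: scan what arrived
        found.append((name, bytes(data)))
    return found

def scan(body):
    """Return (raw-text signature hit, names of uudecoded payloads that hit)."""
    raw_hit = EICAR in body.encode("latin-1")
    return raw_hit, [n for n, p in extract_uu_attachments(body) if EICAR in p]
```

`scan(SAMPLE_BODY)` returns `(False, ['eicar.com'])`: the decoded payload is byte-for-byte the 68-byte EICAR string, while a match against the undecoded body text finds nothing.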
Re: http://www.webmail.us/testvirus [message #1080 is a reply to message #1079] Wed, 23 March 2005 12:43
support
Messages: 919
Registered: April 2004
Senior Member
We have seen ourselves that when you have more than one scanner in the filter chain, even commercial scanners leave something behind for clamav to find, or if configured the other way round, clamav leaves something for the commercial scanner, and you never know what is still passing through.

Maybe virus scanners in general are not doing particularly well when parsing MIME structures.



Customer Support
Byteplant GmbH
Re: http://www.webmail.us/testvirus [message #1081 is a reply to message #1077] Wed, 23 March 2005 22:12
Heidner
Messages: 121
Registered: February 2005
Senior Member
I agree 100%. That's why I've got so many layers looking for worms/viruses. But NST did block 24 of 27. And the three that did make it past NST also made it past the three other checkers. For at least two of them I wonder if the test pattern isn't at fault....
