Gmail apparently using ClamAV

pykko · #1 May 4th, 2008, 09:53 AM

There were rumours here a while ago that GMail was using NOD32 as antivirus for scanning attachements for their free e-mail service.

Now apparently (with 99% certainty) they're using ClamAV.

And I'll tell you why... I've downloaded winrar 3.62 from official website (http://www.rarlab.com/rar/wrar362.exe) and wanted to attach it to my gmail account to send it. I was astonished to see a red label after that with the message: "Attachement can't be sent. It contains a virus".

I've scanned the file on virustotal.com and the only AV to detect it is ClamAV: Trojan.Agent-14588

The conclusion seems simple.

Baz_kasp · #2 May 4th, 2008, 10:05 AM

Actually a while back I was convinced they use Sophos....tried a few that only sophos detected and it wouldn't allow me to attach them.

I guess they can switch the engine used and we wouldn't notice..

RejZoR · #3 May 4th, 2008, 10:18 AM

They keep it hidden so it's harder to target it perfectly.

tiagozt · #4 May 4th, 2008, 01:26 PM

GMAIL blocks by extension (all *.EXE) too... but the advertisement is different... (illegal file attachment).
I still think they use Sophos...

jdenton · #5 May 4th, 2008, 04:40 PM

Or perhaps they use more than one.

Blocking exe's is one of the reasons I gave up on gmail. I then tried zipping up my files with a password, but gmail didn't allow that either. So it's goodbye gmail.

Macstorm · #6 May 4th, 2008, 05:33 PM

Quote:

Originally Posted by tiagozt

GMAIL blocks by extension (all *.EXE) too... but the advertisement is different... (illegal file attachment).

Well thats how i always thought it worked.
I never been able to attach any '.exe' file on Gmail.

Baz_kasp · #7 May 4th, 2008, 06:02 PM

Quote:

Originally Posted by jdenton

Or perhaps they use more than one.

Blocking exe's is one of the reasons I gave up on gmail. I then tried zipping up my files with a password, but gmail didn't allow that either. So it's goodbye gmail.

I just rar them and encrypt the filename

kinwolf · #8 May 4th, 2008, 09:26 PM

Quote:

Originally Posted by jdenton

Or perhaps they use more than one.

Blocking exe's is one of the reasons I gave up on gmail. I then tried zipping up my files with a password, but gmail didn't allow that either. So it's goodbye gmail.

Just zip them and rename the zip , it pass freely then. An encrypted zip still allows you to read the content, that's what GMail does, but if you rename the zip extension, it won't try.

Trespasser · #9 May 4th, 2008, 10:47 PM

I don't quite understand this...I send zip/rar files thru GMail all the time with no problems at all.

Later...

kinwolf · #10 May 4th, 2008, 10:53 PM

Quote:

Originally Posted by Trespasser

I don't quite understand this...I send zip/rar files thru GMail all the time with no problems at all.

Later...

Yeah, but you probably don't have any .exe files in those zip.

sir_carew · #11 May 4th, 2008, 11:39 PM

You can send .exe compressed in rar format with password and no problem.

#12 May 5th, 2008, 03:25 AM

@ pykko

I get this warning only:

Name: gmail_warning.png
Views: 1042
Size: 5.1 KB

As already written , GMail will block all kind of executable files.

Currently , ClamAV is still the one to detect a trojan in WinRAR.

Quote:

AhnLab-V3 2008.5.3.0 2008.05.02 -
AntiVir 7.8.0.11 2008.05.02 -
Authentium 4.93.8 2008.05.05 -
Avast 4.8.1169.0 2008.05.04 -
AVG 7.5.0.516 2008.05.05 -
BitDefender 7.2 2008.05.05 -
CAT-QuickHeal 9.50 2008.05.03 -
ClamAV 0.92.1 2008.05.05 Trojan.Agent-14588
DrWeb 4.44.0.09170 2008.05.04 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5755 2008.05.03 -
Ewido 4.0 2008.05.04 -
F-Prot 4.4.2.54 2008.05.04 -
Fortinet 3.14.0.0 2008.05.04 -

...

With such strong rules , they don't even need antivirus but ...

Google have special contracts with Symantec and they uses Symantec AV on the machines used by their employees . Google offers Norton in their GooglePack . Why not use the same AV in their GMail ?

PiCo · #13 May 5th, 2008, 04:03 AM

I attached the eicar string to one e-mail and got this from gmail:

Quote:

Technical details of permanent failure:
PERM_FAILURE: Gmail tried to deliver your message, but it was rejected by the recipient domain. The error that the other server returned was: 554 554 5.7.1 virus Eicar-Test-Signature detected by ClamAV - http://www.clamav.net. We recommend contacting the other email provider for further information about the cause of this error. Thanks for your continued support. (state 17)

edit://Actually this proves gmail is NOT using ClamAV. I sent the eicar virus to a gmail account and another account. The other account is using ClamAV and rejected the mail, gmail didn't reject it!

#14 May 5th, 2008, 04:15 AM

Quote:

Originally Posted by PiCo

The other account is using ClamAV and rejected the mail, gmail didn't reject it!

GMail placed it in its SPAM folder , this is where known infected stuff is placed

PiCo · #15 May 5th, 2008, 04:23 AM

Quote:

Originally Posted by HiTech_boy

GMail placed it in its SPAM folder , this is where known infected stuff is placed

No it came right in to my inblox. I can open it and view the eicar string.

Firecat · #16 May 5th, 2008, 06:05 AM

According to this:

http://semanticvoid.com/blog/2005/12...us-test-drive/

Gmail actually uses Symantec technology. Go figure.

chrisretusn · #17 May 5th, 2008, 10:07 AM

Make sense to me. Norton Security Scan is part of Google Pack.

#18 May 5th, 2008, 11:04 AM

Quote:

Originally Posted by Firecat

Gmail actually uses Symantec technology. Go figure.

I knew it

lordpake · #19 May 5th, 2008, 02:07 PM

Quote:

Originally Posted by Firecat

According to this:

http://semanticvoid.com/blog/2005/12...us-test-drive/

Gmail actually uses Symantec technology. Go figure.

And even the URL tells that the post is 2+ years old

So hardly valid information anymore.

tiagozt · #20 May 5th, 2008, 02:52 PM

Quote:

Originally Posted by jdenton

Or perhaps they use more than one.

Blocking exe's is one of the reasons I gave up on gmail. I then tried zipping up my files with a password, but gmail didn't allow that either. So it's goodbye gmail.

For me it's one of the reasons I use GMAIL. Despite spam protection, virus protection, big space, stability, POP3 access and other...

But to send samples by e-mail (actually it's not necessary because I send only to FS using website) I need to use other service that doesn't use AV.

tiagozt · #21 May 5th, 2008, 02:55 PM

Quote:

Originally Posted by HiTech_boy

@ pykko

Google have special contracts with Symantec and they uses Symantec AV on the machines used by their employees . Google offers Norton in their GooglePack . Why not use the same AV in their GMail ?

Because GMAIL offers a good AV protection for its users and not a "everything passes" AV like Symantec... :|

EsoxLucius · #22 May 9th, 2008, 09:48 AM

What do you think about using their own sollution??

pykko · #23 May 9th, 2008, 10:03 AM

Quote:

Originally Posted by EsoxLucius

What do you think about using their own sollution??

Do they plan to launch a new AV ?
Hmm... and if it's their own solution it must be a good one. I don't think they "play" with a weak AV engine pretending to offer AV protection.

emperordarius · #24 May 9th, 2008, 10:41 AM

Maybe using a multi engine av?

EsoxLucius · #25 May 9th, 2008, 10:48 AM

I was trying to point out that google has the necessary resources to create it's own AV for email scaning. They could have also bought some parts from certain solutions and integrated them with other parts of their own engines.

Let's not forget that Google File System and other "home-brewed" parts of google.

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search