We're seeing the same thing with clamd from 20031104... and we're also
seeing a case where we have a non-corrupted ZIP file containing an
EXE infected with Mimail.G, but when scanning the ZIP file, clamd says
it's OK.
Ed
On Wed, 5 Nov 2003, Kevin Spicer wrote:
> I'm cross-posting this message from the MailScanner mailing list because
> I think folks here might be interested in it. If anyone needs a copy of
> that zip please let me know.
>
> Kevin
>
> On Wed, 2003-11-05 at 02:04, Chris Yuzik wrote:
> > Hi everyone,
> >
> > No sooner do we (well...Julian) come out with a workaround for the extra status
> > line that ClamAV was spitting out than another virus uses similar zip-header
> > trickery to sneak through our scanners.
> >
> > Worm.Mimail.G arrives in a zip file called "readnow.zip" that strangely gets a
> > simple "OK" from clamscan, and the virus goes right through. After some
> > experimenting, I've figured out that the virus will happily unzip with the
> > console unzip tool, but complains with the following message:
> >
> > # unzip readnow.zip
> > Archive: readnow.zip
> > warning [readnow.zip]: 3 extra bytes at beginning or within zipfile
> > (attempting to process anyway)
> > file #1: bad zipfile offset (local header sig): 3
> > (attempting to re-compensate)
> > extracting: readnow.doc.scr
> >
> > After reading the man page for clamscan, I came across an option that disables
> > clamscan's internal archive tools. When I typed "clamscan --disable-archive
> > readnow.zip" I got the expected response of "readnow.zip: Worm.Mimail.G
> > FOUND".
> >
> > Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
> > removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> > on the right track?
> >
> > Thanks,
> > Chris
> BMRB International
> http://www.bmrb.co.uk
> +44 (0)20 8566 5000
> -------------------------------------------------------
> This SF.net email is sponsored by: SF.net Giveback Program.
> Does SourceForge.net help you be more productive? Does it
> help you create better code? SHARE THE LOVE, and help us help
> YOU! Click Here: http://sourceforge.net/donate/
> _______________________________________________
> Clamav-users mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/clamav-users
>
Ed Phillips <[EMAIL PROTECTED]> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
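The failure described in this thread is structural: unzip notices "3 extra bytes at beginning or within zipfile" and re-compensates, while the scanner's own archive handling does not, and returns OK. A mail gateway can catch that case before it trusts an archive scanner's verdict by checking whether the archive's recorded offsets line up with its bytes. The script below is an added example written for this thread; it is not ClamAV or MailScanner code and it does not reproduce any malware. It builds a benign one-member zip in memory (a constructed sample), optionally prefixes it with junk bytes to mimic the condition unzip warned about, and reports the same two facts unzip derives: how many bytes precede the first local header, and by how much the central directory's offsets are shifted. It also shows that Python's zipfile, like unzip, silently tolerates the shift, which is why a scanner that only parses from offset 0 and a tool that re-compensates disagree. The function names, the `readme.txt` member and the `suspicious` policy flag are this example's own assumptions; ZIP64 archives are not handled.

```python
import io
import struct
import zipfile

# ZIP record signatures (from the PKWARE APPNOTE format specification)
LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_DIR_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"


def build_sample(junk: bytes = b"") -> bytes:
    """Constructed sample: a benign single-member zip, optionally prefixed
    with arbitrary bytes so that every recorded offset is off by len(junk)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless placeholder content\n")
    return junk + buf.getvalue()


def leading_junk_bytes(data: bytes) -> int:
    """Bytes before the first local file header signature (-1 if absent).
    A well-formed archive written by a normal tool starts at offset 0."""
    return data.find(LOCAL_HEADER_SIG)


def central_dir_offset_shift(data: bytes) -> int:
    """Difference between where the central directory really is and where the
    end-of-central-directory (EOCD) record claims it is.  This is the figure
    unzip derives when it reports extra bytes and 'attempts to re-compensate'.
    Non-ZIP64 archives only (assumption of this example)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_here(2) entries(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    actual_cd = eocd - cd_size          # central directory must end at EOCD
    if data[actual_cd:actual_cd + 4] != CENTRAL_DIR_SIG:
        raise ValueError("central directory is not where the EOCD record says")
    return actual_cd - cd_offset


def first_local_header_resolves(data: bytes, shift: int) -> bool:
    """Apply the shift to the first central-directory entry's recorded local
    header offset (field at +42) and confirm a local header is really there;
    this is the re-compensation step a tolerant extractor performs."""
    eocd = data.rfind(EOCD_SIG)
    cd_size = struct.unpack_from("<I", data, eocd + 12)[0]
    actual_cd = eocd - cd_size
    recorded = struct.unpack_from("<I", data, actual_cd + 42)[0]
    corrected = recorded + shift
    return data[corrected:corrected + 4] == LOCAL_HEADER_SIG


def check_archive(data: bytes) -> dict:
    """Gateway pre-check: flag any archive whose bytes and offsets disagree,
    so it can be routed to whole-file scanning (the thread's --disable-archive
    workaround) instead of being accepted on the archive scanner's OK."""
    junk = leading_junk_bytes(data)
    shift = central_dir_offset_shift(data)
    return {
        "leading_junk": junk,
        "offset_shift": shift,
        "first_member_resolves": first_local_header_resolves(data, shift),
        "suspicious": junk != 0 or shift != 0,
    }


def tolerant_extract(data: bytes, name: str = "readme.txt") -> bytes:
    """Show that the standard library, like unzip, quietly re-compensates:
    the shifted archive extracts exactly as the clean one does."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample()),
                          ("3 junk bytes prepended", build_sample(b"\x00\x00\x00"))):
        print(label, check_archive(sample), tolerant_extract(sample))
```

The policy that falls out of the check is the one the thread arrives at by hand: when `suspicious` is set, do not accept an "OK" that depends on the scanner's own archive parsing, and scan the file as a whole (or quarantine it) instead. The `first_member_resolves` field confirms that the shift explains the archive completely, which separates a merely prefixed archive from one that is actually corrupt.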