On Wed, 03 Mar 2004 at 7:50:34 -0500, jef moskot wrote: > On Wed, 3 Mar 2004, Tomasz Papszun wrote: > > Our signatures Worm.Bagle.F-zippwd* are based on the "real" contents of > > mail messages (stream of characters as they are), while amavisd-new (and > > probably amavis) "divide" messages to parts and decode them separately, > > hence ClamAV doesn't get the original stream of chars. > > Does that explain why clamscanning a mailbox file without the --mbox > option will produce hits?
In case of these Worm.Bagle.F-zippwd* signatures - yes. > By the way, is there a tool that would help me clean these mailboxes when > I notice they're infected? I've been manually scanning inboxes from time > to time and then (mostly) manually removing the viruses, which is a bit > tedious. > > mboxgrep is a nice little utility that helps automate things a little, but > clamscan's reporting when it finds a virus in a mail file doesn't seem to > help you ID which message it is, so it's of limited use. I seem to remember some messages with tips for this... but I don't remember the details. If you don't manage to find them in the archive, let me know and I'll try to search for them. -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner ------------------------------------------------------- SF.Net is sponsored by: Speed Start Your Linux Apps Now. Build and deploy apps & Web services for Linux with a free DVD software kit from IBM. Click Now! http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click _______________________________________________ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
