> On Fri, 05 Mar 2004 at 10:57:12 -0800, Dominic Mazzoni wrote:
> > I'm also having the problem that Ron Snyder reported yesterday,
>
> Ron's problem regarded milter if I saw correctly, so it may be something
> different. Anyway...

I thought it was milter related, but now I'm not sure. It may just be the way that the milter is designed.

The way I captured the samples that got through was to modify an extension munging script that we have on our MX gateway, so that any message that had the base64 signature of a zip file got copied to a special directory. I've then been checking that directory every so often for zip files that look suspicious.

The three zipped files that got through all came as bounced messages, but because the bounce message headers don't have proper mime headers, the base64 encoded virus doesn't properly show up as an attachment. I am presuming that this is why clamav-milter isn't finding it, as well as the reason why clamscan --mbox doesn't find it either. (I know it is actually Sco.A because if I go through the steps to actually decode it, clamscan does recognize it.)

So I guess my concerns are resolved, as long as clamav-milter and clamscan are actually supposed to be ignoring encoded files that don't have proper mime parts.

-ron

> > where clamscan will mark a file as OK, but if I extract the
> > attachment (just by base64-decoding it, NOT by unzipping it too),
> > then clamscan properly recognizes the virus (in this case, SCO.A).
> >
> > Actually clamscan seems to be having this problem with every
> > single SCO.A virus I get, though I'm not sure it's limited to
> > just this one.
> >
> > I saved the email (directly out of my Imap Maildir) as "email",
> > and the zip attachment (containing SCO.A) as "document.zip".
> > Here's what I get with clamscan (version 0.67, after running
> > freshclam):
> >
> > > clamscan email
> > email: OK
>
> One _must_ use option --mbox (-m) with clamscan to scan mail files!
>
> > Any suggestions? Note that clamscan is successfully finding other
> > viruses in my inbox, but it's missing all of the SCO ones, as
>
> This is a little strange (I mean: that it finds other viruses without
> --mbox) but some viruses are detectable even without enabling --mbox, so
> it's possible.
>
> > far as I can tell. I have over 200 of them saved in a separate
> > directory and clamscan misses all of those.
>
> Just use --mbox and tell us what happens.
>
> --
> Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only
> [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros.
> [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
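
The gateway check described in the message above, as an added example that is not code from this thread or from ClamAV: a Python sketch that finds base64-encoded zip data in a raw message even when no MIME headers mark it as an attachment, so the decoded bytes can be passed to a scanner. The sample bounce, the addresses and all function names are constructed for the illustration.

```python
import base64, binascii, email, io, re, zipfile

ZIP_MAGIC = b"PK\x03\x04"      # zip local-file header
B64_ZIP_PREFIX = "UEsDB"       # base64 of those four bytes always starts like this
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def mime_attachments(raw):
    """Parts that a MIME-aware parser would expose as named attachments."""
    msg = email.message_from_string(raw)
    return [part for part in msg.walk() if part.get_filename()]

def extract_zip_blobs(raw):
    """Decode every base64 run that starts with the zip signature, ignoring MIME."""
    blobs, run = [], []
    for line in raw.splitlines() + [""]:       # empty sentinel flushes a trailing run
        line = line.strip()
        if B64_LINE.match(line) and (run or line.startswith(B64_ZIP_PREFIX)):
            run.append(line)
            continue
        if run:
            try:
                data = base64.b64decode("".join(run), validate=True)
            except binascii.Error:
                data = b""                      # not clean base64 after all
            if data.startswith(ZIP_MAGIC):
                blobs.append(data)              # hand these bytes to the scanner
            run = []
    return blobs

def build_sample_bounce():
    """Constructed input: a bounce quoting a base64 zip in its plain-text body."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("document.txt", "harmless placeholder\n")
    encoded = base64.encodebytes(buf.getvalue()).decode("ascii")
    return ("From: MAILER-DAEMON@mx.example.org\n"
            "To: user@example.org\n"
            "Subject: Undeliverable mail\n"
            "\n"
            "The following message could not be delivered:\n"
            "\n"
            'Content-Disposition: attachment; filename="document.zip"\n'
            "Content-Transfer-Encoding: base64\n"
            "\n" + encoded + "\n-- end of returned message --\n")

if __name__ == "__main__":
    sample = build_sample_bounce()
    print("MIME attachments seen:", len(mime_attachments(sample)))
    for blob in extract_zip_blobs(sample):
        print("embedded zip:", zipfile.ZipFile(io.BytesIO(blob)).namelist())
```

Each returned blob can be written to a temporary file and scanned directly, which corresponds to the manual decode-then-scan step mentioned in the thread.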