On Fri, 2004-03-26 at 07:31, Tomasz Klim wrote:
> > I'm running a smtp server with f-secure and clamav. I have a problem with
> > the f-secure server because it can't find the bagle virus in password
> > protected zip files but clamav does. I e-mailed f-secure support about it
> > and they said to me it isn't any virus scanner today that can find virus
> > in password protected zip files. And this answer confuses me because
> > clamav does find the virus in the password protected zip file. And now
> > my question, how is it possible for clamav to find a virus in a password
> > protected file when f-secure support claims it isn't possible?
>
> Clamav doesn't find viruses in passworded zip archives. Clamav just
> has in its virus database 2 special signatures, that treat _all_
> passworded zip archives as viruses. No matter what they contain.
>

That's not entirely accurate, or the complete picture.

Version 0.70-rc has the config option:

ArchiveDetectEncrypted

which will then flag password protected zips and rars as a virus by returning Encrypted.RAR and Encrypted.Zip as the virus name.

In addition to that, there is a generic Bagle.zippwd signature in the signature database that specifically catches Bagle encrypted zip archives by scanning the raw zip file. It is possible to do that due to some unusual characteristics of the zip format used.

-trog
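
A sketch of how a scanner can flag a password-protected zip without knowing the password, in the spirit of ArchiveDetectEncrypted: with traditional zip encryption the headers, including each entry's name and its "encrypted" flag bit, stay in cleartext. This is an added example, not ClamAV's code and not part of the original message; the function names and the sample archive are constructed for illustration, and ZIP64 and multi-disk archives are assumed absent.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDFH_SIG = b"PK\x01\x02"   # central directory file header
FLAG_ENCRYPTED = 0x0001    # general purpose bit 0: entry is encrypted


def encrypted_entries(data: bytes) -> list[str]:
    """Return names of entries whose central-directory flags mark them encrypted."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        raise ValueError("not a zip archive: no end-of-central-directory record")
    # Total entry count, central directory size, central directory offset.
    count, _size, offset = struct.unpack_from("<HII", data, eocd + 10)
    names = []
    for _ in range(count):
        if offset + 46 > len(data) or data[offset:offset + 4] != CDFH_SIG:
            raise ValueError("truncated or corrupt central directory")
        flags = struct.unpack_from("<H", data, offset + 8)[0]
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, offset + 28)
        # Entry names are readable even when the entry data is encrypted.
        name = data[offset + 46:offset + 46 + name_len].decode("cp437")
        if flags & FLAG_ENCRYPTED:
            names.append(name)
        offset += 46 + name_len + extra_len + comment_len
    return names


def build_sample(mark_encrypted: bool) -> bytes:
    """Constructed sample: a one-file zip, optionally with the encrypted bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"constructed test data")
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Only the flag bit is set; the payload stays plain, which is
        # enough to exercise the header check.
        cd = raw.find(CDFH_SIG)
        raw[6] |= FLAG_ENCRYPTED       # local file header flags (offset 6)
        raw[cd + 8] |= FLAG_ENCRYPTED  # central directory flags (offset 8)
    return bytes(raw)


if __name__ == "__main__":
    for marked in (False, True):
        hits = encrypted_entries(build_sample(marked))
        print("Encrypted.Zip" if hits else "clean", hits)
```

A check like this reports every encrypted archive regardless of content, which is the behaviour described for ArchiveDetectEncrypted; it says nothing about what the Bagle.zippwd signature matches.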