The other day, the following worm slipped through my clamav scanner:
Worm.Bagle.Gen-rarpwd
At first, I thought it was a new rar file, and tried to submit it. This variant had already been input into the database. Figuring that I was just out-of-date, I ran freshclam.
I decided to grab the file and run clamscan on it -- just to make sure that it's being caught. Upon a regular scan, clamav (clamscan) segfaults. I assumed that this is due to the file being password protected -- so I re-ran it with the --disable-archive option and sure enough, the worm was found:
[EMAIL PROTECTED] root]# clamscan --disable-archive -i first_part.rar
first_part.rar: Worm.Bagle.Gen-rarpwd FOUND
----------- SCAN SUMMARY -----------
Known viruses: 41298
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.782 sec (0 m 0 s)
Problem is, when I send this file via email, ClamAV doesn't detect it. I assume it's segfaulting each time it scans this file.
What's the best thing I can do at this point? I want ClamAV to open archives when possible, but I don't want it to segfault and allow password protected archived worms through.
Thanks in advance,
Ethan Pinkert
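
Added example, not part of the original post: one way to keep a scanner crash from being treated as a clean result is to map every exit status other than "clean" or "infected" to a temporary failure. It assumes the mail filter invokes clamscan once per message and acts on a verdict word; the function name and the accept/reject/tempfail verdicts are hypothetical.

```shell
#!/bin/sh
# Fail-closed wrapper around a scanner command line (added example).
# clamscan's documented exit codes: 0 = no virus found, 1 = virus found, 2 = error.
# A process killed by a signal is reported by the shell as 128 + signal number,
# so a segfault (SIGSEGV, signal 11) shows up as 139.
# scan_verdict and the verdict words are hypothetical names for this example.
scan_verdict() {
    rc=0
    # Run the scanner; "|| rc=$?" captures the status even under "set -e".
    "$@" >/dev/null 2>&1 || rc=$?

    if [ "$rc" -eq 0 ]; then
        # Scanner finished and found nothing.
        echo accept
    elif [ "$rc" -eq 1 ]; then
        # Scanner finished and reported a match.
        echo reject
    elif [ "$rc" -gt 128 ]; then
        # Scanner died on a signal: no verdict was produced, so do not deliver.
        echo "scanner killed by signal $((rc - 128))" >&2
        echo tempfail
    else
        # Scanner error (exit code 2) or the command could not be run at all.
        echo "scanner error, exit code $rc" >&2
        echo tempfail
    fi
}

# Example call (assumes clamscan is installed; first_part.rar is the file from the post):
#   verdict=$(scan_verdict clamscan -i first_part.rar)
```

Only an explicit exit status of 0 lets the message through; a segfault ends in tempfail, so the message is held or retried instead of delivered unscanned.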