> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-[EMAIL PROTECTED] On Behalf Of Flynn
> Sent: 6 May 2004 10:46
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Re: There is something I dont get here ...
>
> > There are many ways to do this - using the --mbox option should detect
> > the virus if the _full_ e-mail is scanned by ClamAV.
>
> Well - let me clarify this situation very carefully :
>
> (v0.70)-clamscan --mbox does *NOT* recognize the _full_ email as a virus.
>
Sorry, but this is not true.
If I add the missing header line:
---snip, header sample---
Received: from some.domain.com (localhost [127.0.0.1])
        by localhost (Postfix) with ESMTP id CD9322FB24
        for <[EMAIL PROTECTED]>; Sun, 14 Mar 2004 06:09:04 +0100 (CET)
---snip---
The result is:
---snip---
[EMAIL PROTECTED] virus]# clamscan --mbox ./virus.eml
./virus.eml: Worm.SomeFool.Gen-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 21425
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 1.656 sec (0 m 1 s)
---snip---
> snapshot-clamscan --mbox does *NOT* recognize the _full_ email as a virus.
> clamscan --mbox does *NOT* recognize the included corrupted email as a virus.
> clamscan does recognize the included script (the virus itself) as a virus.
>
Hmm, again I'm able to detect the virus.
Extract of the binary:
---snip---
[EMAIL PROTECTED] virus]# reformime -e -s 1.2 < virus.eml > virus.bin
[EMAIL PROTECTED] virus]# clamscan ./virus.bin
./virus.bin: Worm.SomeFool.Gen-1 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 21425
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 1.358 sec (0 m 1 s)
---snip---
>
> Honest: I am convinced we face a bug here.
>
I'm not, but you're welcome to submit the _full_ e-mail (I suspect the
sample I'm looking at is only a partial bounced sample) :-)
Best regards,
Diego d'Ambra
