Sorry for the crosspost, but I'm not really sure where this one belongs. I'm trialling amavisd-new (-p9) and clamav (up to and including 0.73) by running it over the virus archive created by our existing amavisd-new/uvscan setup. It seems that there is a category of messages that uvscan catches but clamav misses.
If a forwarded message, or digest, or similar message contains a virus with its original MIME boundaries, neither amavisd nor clamav seems to attempt to interpret it as a separate MIME part. The message containing the virus is either not a multipart message or has its own MIME boundaries. I understand that a compliant client would not attempt to interpret this as an attachment, but I'd rather see my scanner be more aggressive in looking for attachments than trust that all the MUAs behind me are well-behaved.

For example, the following was caught as a virus by uvscan, when it appeared inline in a message digest. Clamav missed it. Amavisd-new didn't save it as a separate file in the /tmp/amavis/<foo>/parts directory.

    ----------luqzgpxlkepsvagxljox
    Content-Type: application/octet-stream; name="Info.exe"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; filename="Info.exe"

    TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAAAAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA
    [rest of virus payload snipped]

Would it make sense to look for, say, sequences of Base64 encoding even when there is no MIME context and try and treat them as message parts?

cheers
rob c

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
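The idea raised in the question above, looking for runs of base64 outside any MIME context and treating them as candidate parts, sketched as an added example (not part of the original post and not amavisd-new or ClamAV code). The function names, the magic-number table and the sample digest are constructed for illustration; a real filter would hand the decoded bytes to the virus scanner rather than only checking magic numbers.

```python
import base64
import re

# One line of base64 text: alphabet characters, optional trailing padding.
B64_LINE = re.compile(r"[A-Za-z0-9+/]{2,76}={0,2}")
# Leading bytes worth flagging once decoded (small illustrative set).
MAGIC = {b"MZ": "DOS/Windows executable", b"PK\x03\x04": "ZIP archive"}


def base64_runs(text, min_chars=64):
    """Return [(first_line_no, decoded_bytes)] per run of base64-looking lines."""
    found, run, start = [], [], 0

    def flush():
        blob = "".join(run).rstrip("=")
        if len(blob) % 4 == 1:  # stray character, not a valid base64 length
            blob = blob[:-1]
        if len(blob) >= min_chars:
            blob += "=" * (-len(blob) % 4)
            found.append((start, base64.b64decode(blob)))
        run.clear()
    for no, line in enumerate(text.splitlines() + [""], 1):
        line = line.strip()
        # A run only starts on a long line; shorter lines may continue it.
        if B64_LINE.fullmatch(line) and (run or len(line) >= 32):
            if not run:
                start = no
            run.append(line)
            if line.endswith("="):  # padding ends an encoded object
                flush()
        elif run:
            flush()
    return found


def suspicious_parts(text):
    """Label each decoded run that begins with a known magic number."""
    return [(no, label, len(data)) for no, data in base64_runs(text)
            for magic, label in MAGIC.items() if data.startswith(magic)]


# Constructed sample: a digest body quoting a MIME part; harmless "MZ" + zeros.
DIGEST = (
    "Subject: digest (constructed)\n\n----------constructedboundary\n"
    'Content-Type: application/octet-stream; name="sample.exe"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.encodebytes(b"MZ" + bytes(94)).decode())

if __name__ == "__main__":
    print(suspicious_parts(DIGEST))
```

The run detector ignores the boundary and header lines entirely, so it finds the payload whether or not the enclosing message declares itself multipart.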