[Clamav-users] Re: Scanning BinHex Attachment

[Omer Faruk Sen]

It is not related with clamav but you can use ( I think your are using qmail 
and qscanq ..) Zabit "Content And Attachment Filter For qmail" that blocks 
email that has certain attachment and content. It does those things before 
mail gets scanned thus allowing a performance gain. By the way it is written 
in C and requires no patch to existing softwares (qmail or qscanq) 

The description of Zabit from website is: 

Zabit is a content/attachment filter for qmail. It's been coded in C 
language
for performance reasons. 

Zabit project consists of two main components, zabit and zabit-wrp. 

Zabit does content filtering and attachment control, whereas zabit-wrp is
designed to allow a virus-scanner to co-exist with zabit. 

The website for Zabit is http://www.enderunix.org/zabit/ 

Jeff Masud writes: 

Hello, 

  

I've been using clamdscan with qmail-scanner for quite some time now.
Recently we have noticed a couple of attachments which were xxx.gif.pif were
allowed through the scanning system, by doing some testing, we were able to
determine this was because the attachment was binhex encoded.   

  

Here's an example email that the *.pif which it didn't catch. 

  

clamscan / ClamAV version 0.74 

  

Known viruses: 22220 

  

bash-2.05a$ clamdscan 1088626977.9122.webmail,S\=20149\:2,  

/home/vpopmail/domains/sudjam.com/jeff/Maildir/cur/1088626977.9122.webmail,S
=20149:2,: OK 

  

----------- SCAN SUMMARY ----------- 

Infected files: 0 

Time: 0.008 sec (0 m 0 s) 

bash-2.05a$ 

  

http://pobox.thezit.com/~jmasud/virusexample/1088626977.9122.webmail.txt 

  

I know clamav will catch it if I upload just the attachment to the scanner
test site, or if I email it back to myself using base64 encoding it gets
caught.  I've searched the archives for binhex and found nothing that would
help, besides from the docs and change log it appears binhex has been
implemented just not sure why it's not working for me. 

  

Can someone suggest what I should or could do to resolve this? 

  

Thanks 

Jeff 

  

  


-----------------------
Omer Faruk Sen
http://www.EnderUNIX.ORG
Software Development Team @ Turkey
http://www.Faruk.NET
For Public key: http://www.enderunix.org/ofsen/ofsen.asc
******************************************************** 

First Turkish FreeBSD book is out! Go check it.
Duydunuz mu! Turkiye'nin ilk FreeBSD kitabi cikti.
http://www.acikkod.com/freebsd.php 


-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - 
digital self defense, top technical experts, no vendor pitches, 
unmatched networking opportunities. Visit www.blackhat.com
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users