Hello! I have a strange problem.
I have files from the CGPro queue with viruses. Drweb can find viruses in those files. ClamAV can too, but with some modifications. Like this.

Original file. CLAMAV cannot find a virus.
<------------------------------------------->
P I 18-08-2004 07:12:53 0000 ____ ____ <[EMAIL PROTECTED]>
S SMTP [212.57.189.194]
R W 18-08-2004 07:12:53 0000 ____ _FY_ <[EMAIL PROTECTED]>

Received: from [212.57.189.194] (HELO on-line.ru)
  by on-line.ru (CommuniGate Pro SMTP 4.2)
  with ESMTP id 7700997 for [EMAIL PROTECTED]; Wed, 18 Aug 2004 11:12:53 +0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Wed, 18 Aug 2004 13:12:54 +0600
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0>www.on-line.ru/inbox/auto-000005185020/read.php?sessionid-13465</a >
<iframe src=3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0></iframe>
<DIV> </DIV></BODY></HTML>

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav;
        name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<[EMAIL PROTECTED]>

<THERE WAS MIME PART WITH VIRUS>

------=_NextPart_000_001B_01C0CA80.6B015D10--
<------------------------------------------->

Modified file. CLAMAV can find the virus in this file.
<------------------------------------------->
Received: from [212.57.189.194] (HELO on-line.ru)
  by on-line.ru (CommuniGate Pro SMTP 4.2)
  with ESMTP id 7700997 for [EMAIL PROTECTED]; Wed, 18 Aug 2004 11:12:53 +0400
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail Delivery (failure [EMAIL PROTECTED])
Date: Wed, 18 Aug 2004 13:12:54 +0600
MIME-Version: 1.0
Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_001B_01C0CA80.6B015D10"
X-Priority: 3
X-MSMail-Priority: Normal
Message-ID: <[EMAIL PROTECTED]>

This is a multi-part message in MIME format.

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_001C_01C0CA80.6B015D10"

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_001C_01C0CA80.6B015D10
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content=3D"text/html; charset=3Diso-8859-1" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.2920.0" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>If the message will not displayed automatically,<br>
follow the link to read the delivered message.<br><br>
Received message is available at:<br>
<a href=3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0>www.on-line.ru/inbox/auto-000005185020/read.php?sessionid-13465</a >
<iframe src=3Dcid:[EMAIL PROTECTED] height=3D0 width=3D0></iframe>
<DIV> </DIV></BODY></HTML>

------=_NextPart_001_001C_01C0CA80.6B015D10--

------=_NextPart_000_001B_01C0CA80.6B015D10
Content-Type: audio/x-wav;
        name="message.scr"
Content-Transfer-Encoding: base64
Content-ID:<[EMAIL PROTECTED]>

<THERE WAS MIME PART WITH VIRUS>

------=_NextPart_000_001B_01C0CA80.6B015D10--
<------------------------------------------->

As you can see, the difference is only the first 4 lines.
<------------------------------------------->
P I 18-08-2004 07:12:53 0000 ____ ____ <[EMAIL PROTECTED]>
S SMTP [212.57.189.194]
R W 18-08-2004 07:12:53 0000 ____ _FY_ <[EMAIL PROTECTED]>

<------------------------------------------->

My suggestions. If something is before "Received: " in the email, CLAMAV cannot find a virus. Or something like that.

I have tested those files with the online checker at http://www.gietl.com/test-clamav/. Same thing. It can find a virus only in the modified file.

That header modification is made by CommuniGatePro, the MTA from Stalker. CGPro uses this header for its own internal needs. It never comes out of the server. But ClamAV checks files while they are inside the CGPro queue. So the problem persists.

Best regards,
Владимир Менделевич
Network department of the "1С-Рарус" company
UIN:9244669
Phone:+7(095)250-6393