On Mon, Nov 08, 2004 at 01:52:42PM -0500, Jason Frisvold wrote:
> Looks like something is stripping the virus out before it ever hits clamav..
> However, I did get a copy with the virus in it, and clamscan doesn't detect
> it... I'm not sure why though ...
Okay, this is getting strange. I've taken the raw email and run that by clamscan again, with and without the --mail flag, and in both cases it successfully detects the Eicar test signature. The only way I can get it to *not* detect the Eicar test signature is to edit the file so that only the attachment text itself is in the file; that is, the file only contains:

begin 600 eicar.com
:
:
end

where the ":" are removed lines. The Eicar virus is still found if you cut the file down to just the following:

From [EMAIL PROTECTED] Tue Nov 9 01:32:06 2004
begin 600 eicar.com
M6#5/(5`E0$%06S1<4%I8-30H4%XI-T-#*3=])$5)0T%2+5-404Y$05)$+4%.
85$E625)54RU415-4+49)3$4A)[EMAIL PROTECTED]"H@
`
end

clamscan fails to find the Eicar virus if you remove the "From " header at the start of the file; to be fair, this does make sense.

Now the one interesting thing here is that I'm dealing with an mbox format email, and I'm guessing from the file name you posted that you used a message from a maildir format mail spool. That said, the first test I posted about also used a message from a maildir format mail spool. In a test I've just done, clamscan finds the Eicar virus if you replace the "From " header above with a suitable "To:" one instead.

I think what it comes down to is what it takes for ClamAV to see the file as a mail message rather than as uuencoded text; if it treats it as a mail message then it'll decode the uuencoded text and find the Eicar virus within. However, if it does not treat it as a mail message then it will not decode the uuencoded text and thus will not match the Eicar virus signature to the file. To me this is understandable, since the uuencoded file by itself is not a risk: it takes user interaction to get the file out. However, within a mail message there is a higher risk that a user can be conned into opening the attachment.
FWIW I'm running the same version of clamscan with the same virus signature set on Solaris 9 (both SPARC and x86):

% clamscan -V
ClamAV 0.80/578/Mon Nov 8 14:26:49 2004
%

-- 
Simon the stressed                      http://www.bpfh.net/ [EMAIL PROTECTED]
Chocolate is *not* a substitute for sleep
_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
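The behaviour Simon describes above, modelled as an added example (this is not ClamAV's code, and nothing on the page describes how libclamav 0.80 actually decides that a file is a mail message): a scanner that matches a signature against the raw bytes, and additionally decodes begin/end uuencode blocks only when the input is first recognised as a message. The recognition heuristic (an mbox "From " separator or an RFC 822 style "Name: value" header on the first line) is an assumption chosen to reproduce the three cases in the message; the sample inputs are constructed here.

```python
"""Toy model of "uuencoded attachments are only decoded, and therefore
only matched, when the file is treated as a mail message".

Added example; not ClamAV code.  The looks_like_mail() heuristic is an
assumption made for illustration, not a description of libclamav."""
import binascii
import re
from typing import List

# The EICAR test string, assembled from two pieces so that this source
# file is not itself the literal 68-byte test pattern.
EICAR = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
SIGNATURE = EICAR.encode("ascii")

# Assumed heuristic: mbox separator ("From user@host date") or an
# RFC 822 header ("To: ...", "Subject: ...") on the very first line.
MBOX_FROM = re.compile(r"^From \S+ ")
RFC822_HEADER = re.compile(r"^[A-Za-z][A-Za-z0-9-]*: ")


def uuencode(data: bytes, name: str = "eicar.com", mode: str = "600") -> str:
    """Produce a classic 'begin <mode> <name> ... ` ... end' block,
    45 input bytes per line, using backticks for zero padding."""
    lines = [f"begin {mode} {name}"]
    for i in range(0, len(data), 45):
        chunk = data[i:i + 45]
        lines.append(binascii.b2a_uu(chunk, backtick=True).decode("ascii").rstrip("\n"))
    lines.append("`")   # zero-length terminator line
    lines.append("end")
    return "\n".join(lines) + "\n"


def looks_like_mail(text: str) -> bool:
    """Decide whether the input should be parsed as a mail message."""
    first_line = text.split("\n", 1)[0]
    return bool(MBOX_FROM.match(first_line) or RFC822_HEADER.match(first_line))


def extract_uuencoded(text: str) -> List[bytes]:
    """Decode every begin/end uuencode block found in the text."""
    blobs = []
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        if lines[i].startswith("begin "):
            out = bytearray()
            i += 1
            while i < len(lines) and lines[i] != "end":
                line = lines[i]
                if line and line != "`":
                    out += binascii.a2b_uu(line)
                i += 1
            blobs.append(bytes(out))
        i += 1
    return blobs


def scan(text: str) -> bool:
    """True if the signature is found in the raw bytes or, when the input
    is treated as mail, in any decoded uuencoded attachment."""
    if SIGNATURE in text.encode("latin-1"):
        return True                 # plain, unencoded test file
    if not looks_like_mail(text):
        return False                # uuencoded text alone: nothing decoded
    return any(SIGNATURE in blob for blob in extract_uuencoded(text))


if __name__ == "__main__":
    attachment = uuencode(SIGNATURE)
    cases = {
        "uuencode block alone": attachment,
        "mbox 'From ' line + block": "From sender@example.invalid Tue Nov  9 01:32:06 2004\n" + attachment,
        "'To:' header + block": "To: someone@example.invalid\n\n" + attachment,
    }
    for label, sample in cases.items():
        print(f"{label:30s} detected={scan(sample)}")
```

Run stand-alone, the first case is not detected and the other two are, which is the pattern reported in the message: the same uuencoded bytes are only reached by the signature match once something in front of them makes the input look like mail. Note that the real scanner's decision is inside libclamav and is not spelled out on this page; the regexes here are only a stand-in for it.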