Tomasz Kojm wrote:
On Thu, 4 Nov 2004 11:47:41 +0200 (CAT)
Jim Holland <[EMAIL PROTECTED]> wrote:


The attachment is clearly malware (the message looks like a Klez


Clearly? How do you know that? Do you have a code analyser built into
your eyes?


virus-free (fortunately it then goes on to block it because of the file
name, but that is beside the point).  Is the above report an error
with ClamAV, or is the file actually harmless because of the broken PE
header?  Would it not be desirable for ClamAV to flag such files as
being viruses (even if they are broken)?


The way libclamav works in the case of executable files is:

1. check the file against the signature database and stop scanning if
a virus is found

2. run PE parser (report broken executables; try to guess and unpack
compressed files)

One additional question here:

I get several messages a day which are marked as broken executables by clamav but as I-Worm.NetSky.o by kav. AFAIK it's an alias of Worm.SomeFool.N. Why doesn't clam detect the known signature and instead fall through to step 2? (Maybe a part of the signature is missing because the file is broken?) I don't think clamav and kav use signatures which differ a lot, do they?

So it doesn't reject files without scanning just because they
seem to be broken.



------------------------------------------------------------------------

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Thanks in advance.

Best Regards,
--
George Chelidze
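The two-step order Tomasz describes (signature match first, PE header check second) explains what George sees: if the damaged region of the file does not overlap the signature bytes, step 1 still fires; if it does, step 1 misses and only the PE parser's "broken executable" verdict is left. The toy scanner below is an added illustration and not code from this thread or from libclamav; the signature database, the `build_pe` helper and the sample files are constructed for the demo, and the header validation is a deliberately minimal model (MZ magic, `e_lfanew` range, `PE\0\0` signature) of what a real PE parser checks.

```python
import struct

# Constructed toy signature database: name -> raw byte pattern.
# Real ClamAV .db entries are hex strings; these are made up for the demo.
SIGNATURES = {
    "Demo.Pattern.A": bytes.fromhex("deadbeefcafebabe"),
}


def signature_scan(data: bytes):
    """Step 1: return the name of the first matching signature, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def pe_header_problem(data: bytes):
    """Step 2: describe why the PE header is broken, or return None if it looks sane.

    Only the MZ magic, the e_lfanew pointer and the PE\\0\\0 signature are checked;
    a real parser validates far more (section table, entry point, sizes).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "missing MZ header"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return "e_lfanew points outside the file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "PE signature not found at e_lfanew"
    return None


def scan(data: bytes) -> str:
    """Model of the libclamav order described in the thread: signatures first,
    then the PE parser, so a matching signature wins even for a damaged header."""
    found = signature_scan(data)
    if found:
        return f"FOUND {found}"
    problem = pe_header_problem(data)
    if problem:
        return f"FOUND Broken.Executable ({problem})"
    return "OK"


def build_pe(payload: bytes, e_lfanew: int = 0x80, valid_pe_sig: bool = True) -> bytes:
    """Constructed helper: a 0x80-byte DOS stub followed by the PE signature and payload."""
    header = bytearray(0x80)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    pe_sig = b"PE\x00\x00" if valid_pe_sig else b"XX\x00\x00"
    return bytes(header) + pe_sig + payload


PATTERN = SIGNATURES["Demo.Pattern.A"]

# Constructed samples covering the cases discussed in the thread.
SAMPLE_INTACT = build_pe(PATTERN)                          # good header, known bytes
SAMPLE_BROKEN_SIG_INTACT = build_pe(PATTERN, e_lfanew=0xFFFF)  # header damaged, signature bytes intact
SAMPLE_BROKEN_SIG_DAMAGED = build_pe(PATTERN[:4] + b"\x00" + PATTERN[5:], e_lfanew=0xFFFF)
SAMPLE_CLEAN = build_pe(b"\x90" * 16)                     # good header, nothing known


def demo() -> dict:
    """Scan each sample and return the verdicts keyed by sample name."""
    return {
        "intact": scan(SAMPLE_INTACT),
        "broken_sig_intact": scan(SAMPLE_BROKEN_SIG_INTACT),
        "broken_sig_damaged": scan(SAMPLE_BROKEN_SIG_DAMAGED),
        "clean": scan(SAMPLE_CLEAN),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The third sample is the case George asks about: one byte of the signature region is gone, so the pattern match fails and the only remaining verdict is the generic broken-executable one, even though another scanner with a signature laid over different bytes of the same file may still name it. The second sample shows the other side of Tomasz's point: a corrupt header does not stop step 1, so a file is never waved through just because it is damaged.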
