On Mon, 21 Mar 2005, Nigel Horne wrote: > Subject: Re: [Clamav-users] Attachment not identified as attachment/bad > jpeg > > Background - Daniel has emailed the files to me ] > > > > Send me a copy of the mail which is incorrectly scanned and I'll look > > > into it. > > > > Attached is a bad jpeg and a good jpeg-version of the mail file in > > question. > > > The me2.jpeg files are different, a quick look with vi will show this. Using > vi > I yanked the base64 me2.jpeg lines (about 1420 of them) from the 'good' to the > 'bad' file and now the virus is found in both. > > z.badjpeg: Worm.Bagle.AC FOUND > z.goodjpeg: Worm.Bagle.AC FOUND
Perhaps I was somewhat unclear; The two mail file are identical, _except_ for the jpeg attachment. "z.goodjpeg" contains a jpeg I added myself, to see if it was the jpeg parsing of clam which caused it not to identify the last attachment. So far, my claims stand. If you diff the files, you will see that the ONLY thing that differs is the jpeg. Again; why does not clamscan find the virus when a mail file contains a bad jpeg? I doubt this is by design... BTW, the bad jpeg is from the original virus mail. //D _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
