On Tue, May 17, 2005 at 07:45:27PM -0700, Jef Poskanzer said:
> >> Hmm, ScanArchive is not set. It's commented out in both my clamd.conf
> >> and in clamd.conf.default. Should I try uncommenting it?
> >
> >Well, there is your problem, presumably.
>
> Good guess, but after uncommenting ScanArchive and restarting everything,
> I am still getting false positives. I captured another one and saved it
> to http://www.acme.com/jef/tmp/cl/ This time the log entries start around
> line 4164. Can you verify that it is looking inside the ZIP file
> this time?
It certainly doesn't appear to. I am not sure why, though. Attached is a
diff of the outputs of your run and a run here of clamscan (0.85, though).
Maybe somebody else can spot the problem.
-- 
--------------------------------------------------------------------------
| Stephen Gran                  | I was gratified to be able to answer  |
| [EMAIL PROTECTED]             | promptly, and I did. I said I didn't  |
| http://www.lobefin.net/~steve | know. -- Mark Twain                   |
--------------------------------------------------------------------------
--- logfile2.txt 2005-05-17 23:03:51.000000000 -0400 +++ logfile3.txt 2005-05-17 23:02:01.000000000 -0400 
@@ -1,26 +1,31 @@ -LibClamAV debug: Recognized Raw mail file +LibClamAV debug: Recognized MBox file LibClamAV debug: Starting cli_scanmail(), mrec == 1, arec == 0 LibClamAV debug: in mbox() -LibClamAV debug: parseEmailFile -LibClamAV debug: parseEmailFile: check 'Received: by clamav-milter' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'From: [EMAIL PROTECTED]' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'To: [EMAIL PROTECTED]' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'Received-SPF: pass (gate.acme.com: domain of [EMAIL PROTECTED] designates 210.83.203.71 as permitted sender) receiver=gate.acme.com; client-ip=210.83.203.71; helo=127.0.0.1; [EMAIL PROTECTED]; x-software=spfmilter 0.96 http://www.acme.com/software/spfmilter/ with libspf-unknown;' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'SUBJECT: re: please' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'FROM: [EMAIL PROTECTED]' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'TO: [EMAIL PROTECTED]' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'DATE: [[ 星期三, 18 五月 2005 10:43:13 ]]' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'MIME-Version: 1.0' contMarker 0 fullline 0x0x0 -LibClamAV debug: parseEmailFile: check 'Content-Type: multipart/mixed; boundary="--------bound--"' contMarker 0 fullline 0x0x0 +LibClamAV debug: Recognized Raw mail file +LibClamAV debug: Extract attachments from email 1 +LibClamAV debug: parseEmailHeaders +LibClamAV debug: parseEmailHeaders: check 'From [EMAIL PROTECTED] Tue May 17 19:40:31 2005' +LibClamAV debug: parseEmailHeaders: check 'Received-SPF: pass (gate.acme.com: domain of [EMAIL PROTECTED] designates 210.83.203.71 as permitted sender) receiver=gate.acme.com; client-ip=210.83.203.71; helo=127.0.0.1; [EMAIL PROTECTED]; x-software=spfmilter 0.96 http://www.acme.com/software/spfmilter/ with 
libspf-unknown;' +LibClamAV debug: parseEmailHeaders: check 'Received: from 127.0.0.1 ([210.83.203.71])' +LibClamAV debug: parseEmailHeaders: check ' by gate.acme.com (8.13.4/8.13.4) with ESMTP id j4I2eI7g093539' +LibClamAV debug: parseEmailHeaders: check ' for [EMAIL PROTECTED]; Tue, 17 May 2005 19:40:25 -0700 (PDT)' +LibClamAV debug: parseEmailHeaders: check 'Message-Id: <[EMAIL PROTECTED]>' +LibClamAV debug: parseEmailHeaders: check 'SUBJECT: re: please' +LibClamAV debug: parseEmailHeaders: check 'FROM: [EMAIL PROTECTED]' +LibClamAV debug: parseEmailHeaders: check 'TO: [EMAIL PROTECTED]' +LibClamAV debug: parseEmailHeaders: check 'DATE: [[ 星期三, 18 五月 2005 10:43:13 ]]' +LibClamAV debug: parseEmailHeaders: check 'MIME-Version: 1.0' +LibClamAV debug: parseEmailHeaders: check 'Content-Type: multipart/mixed; boundary="--------bound--"' LibClamAV debug: parseEmailHeader 'Content-Type: multipart/mixed; boundary="--------bound--"' LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' multipart/mixed; boundary="--------bound--"' LibClamAV debug: messageSetMimeType: 'multipart' LibClamAV debug: mimeArgs = ' boundary="--------bound--"' LibClamAV debug: Add arguments ' boundary="--------bound--"' -LibClamAV debug: parseEmailFile: check '' contMarker 0 fullline 0x0x0 +LibClamAV debug: parseEmailHeaders: check 'X-Virus-Scanned: ClamAV version 0.85.1, clamav-milter version 0.85 on gate.acme.com' +LibClamAV debug: parseEmailHeaders: check 'X-Virus-Status: Clean' +LibClamAV debug: parseEmailHeaders: check '' LibClamAV debug: End of header information -LibClamAV debug: getline: buffer overflow stopped -LibClamAV debug: parseEmailFile: return +LibClamAV debug: parseEmailHeaders: return LibClamAV debug: in parseEmailBody LibClamAV debug: Parsing mail file LibClamAV debug: mimeType = 5 
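Review bot: the two sides of this hunk are not scanning the same input, so the diff mixes an input difference with a scanner difference. The `+` side begins with an mbox separator ("From [EMAIL PROTECTED] Tue May 17 19:40:31 2005") and already carries the "X-Virus-Scanned: ClamAV version 0.85.1, clamav-milter version 0.85" and "X-Virus-Status: Clean" headers the milter added after its own scan, which is why it is "Recognized MBox file" and walks parseEmailHeaders, while the `-` side (the milter's in-transit copy) is "Recognized Raw mail file" and walks parseEmailFile. The line to chase is "-LibClamAV debug: getline: buffer overflow stopped", logged only on the `-` side right after "End of header information": parseEmailFile stopped reading there, which is consistent with the body later being treated as empty. Suggest re-running clamscan --debug locally on exactly the bytes the milter saw (no mbox "From " line, no X-Virus-* headers) so the two effects can be separated.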
@@ -58,10 +63,16 @@ LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; filename="help.zip"' LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment; filename="help.zip"' LibClamAV debug: Multipart 1: End of header information -LibClamAV debug: Part 1 has 0 lines -LibClamAV debug: The message has 2 parts +LibClamAV debug: boundaryStart: found --------bound-- in ----------bound-- +LibClamAV debug: Part 1 has 295 lines +LibClamAV debug: Now read in part 2 +LibClamAV debug: Multipart 2: About to parse folded header '----------bound----' +LibClamAV debug: parseEmailHeader '----------bound----' +LibClamAV debug: Multipart 2: End of header information +LibClamAV debug: Part 2 has 0 lines +LibClamAV debug: The message has 3 parts LibClamAV debug: Find out the multipart type (mixed) -LibClamAV debug: Mixed message with 2 parts +LibClamAV debug: Mixed message with 3 parts LibClamAV debug: Mixed message part 0 is of type 6 LibClamAV debug: Mixed message text part disposition "" LibClamAV debug: Mime subtype "plain" 
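Review bot: "-LibClamAV debug: Part 1 has 0 lines" versus "+LibClamAV debug: Part 1 has 295 lines" is the real divergence in this hunk: on the `-` side the part carrying help.zip was parsed with no body at all, so there was nothing to decode or pass on to the archive scanner, and the ScanArchive setting never comes into play. A secondary point on the `+` side: "boundaryStart: found --------bound-- in ----------bound--" shows the boundary matched as a substring, and the closing terminator "----------bound----" was then taken as a folded header of a phantom part 2 with 0 lines, which is why it reports "The message has 3 parts" where the `-` side has 2. That is harmless here, but a boundary value made of dashes ("--------bound--") is exactly what makes the terminator look like another boundary.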
@@ -69,9 +80,28 @@ LibClamAV debug: Adding to non mime-part LibClamAV debug: Mixed message part 1 is of type 1 LibClamAV debug: messageToFileblob +LibClamAV debug: messageExport: numberOfEncTypes == 1 +LibClamAV debug: messageExport: enctype 0 is 2 +LibClamAV debug: blobSetFilename: help.zip +LibClamAV debug: fileblobSetFilename: mkstemp(/tmp/clamav-4241e0ab705945ab/help.zipXXXXXX) +LibClamAV debug: Saving attachment as /tmp/clamav-4241e0ab705945ab/help.zip8edtgG +LibClamAV debug: Exported 150714 bytes using enctype 2 +LibClamAV debug: 3 trailing bytes to export +LibClamAV debug: base64chars = 3 (@ @ @) +LibClamAV debug: fileblobDestroy: help.zip +LibClamAV debug: Mixed message part 2 is of type 0 +LibClamAV debug: No mime headers found in multipart part 2 +LibClamAV debug: Adding to non mime-part +LibClamAV debug: textAdd: count = 5 LibClamAV debug: Save non mime and/or text/plain part LibClamAV debug: blobSetFilename: textpart -LibClamAV debug: fileblobSetFilename: mkstemp(/var/tmp//clamav-a3a502424e4d34e5/textpartXXXXXX) -LibClamAV debug: Saving attachment as /var/tmp//clamav-a3a502424e4d34e5/textpart1TZ1s3 +LibClamAV debug: fileblobSetFilename: mkstemp(/tmp/clamav-4241e0ab705945ab/textpartXXXXXX) +LibClamAV debug: Saving attachment as /tmp/clamav-4241e0ab705945ab/textpartM3gEk7 LibClamAV debug: fileblobDestroy: textpart LibClamAV debug: cli_mbox returning 0 +LibClamAV debug: Recognized ZIP file +LibClamAV debug: in scanzip() +LibClamAV debug: Zip: help.doc .exe, crc32: 0x3fcc001f, encrypted: 0, compressed: 150514, normal: 155156, method: 8, ratio: 1 (max: 250) +LibClamAV debug: Recognized DOS/W32 executable/library/driver file +LibClamAV debug: Worm.Bagz.D found in descriptor 7. +LibClamAV debug: Zip: Infected with Worm.Bagz.D
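Review bot: the `+` side exports help.zip (150714 bytes, enctype 2, with a 3-byte base64 tail), then logs "Recognized ZIP file", finds the entry "help.doc .exe" (a padded name that pushes the .exe extension out of view), recognizes it as a DOS/W32 executable and reports Worm.Bagz.D; the `-` side saves only the textpart and returns from cli_mbox without ever reaching scanzip(). So on the clamscan 0.85 run this sample is a genuine detection rather than a false positive, and the question for the 0.85.1 milter run is why the attachment was never exported (the empty part 1 earlier in the diff), not whether the ZIP scanner is switched on. Minor: "/var/tmp//clamav-..." on the `-` side shows a doubled slash, presumably a trailing slash on the configured temporary directory; cosmetic only.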
_______________________________________________ http://lurker.clamav.net/list/clamav-users.html