On Fri, May 20, 2005 at 01:14:34AM +0300, Apostolos Papayanakis wrote:
> I have found a certain kind of mime structure and headers, that
> causes clamd to produce false negative errors. The debugging output of
> clamd reports "LibClamAV debug: getline: buffer overflow stopped" and the
> viral attachment is not opened at all. (See [...]
> If the same mail is in mbox format (the only difference is in the
> first line "From "), the attachments are opened normally, and Worm.Bagz.D
> is found.
>
> A small collection of the viral mails I have received, can be found
> at: http://users.auth.gr/~apap/clamav/viruses-that-bypass-clamav-0.85.1.mbox.
> I receive tens of them every day. They have all been sent to
> [EMAIL PROTECTED] (this is forwarded to my INBOX) and
> originate from unqualified addresses from a specific network. The attachments
> are BASE64 encoded in very long lines (2048 bytes each). No other user on my
> servers (17000 of them active) has reported getting these viruses. All this
> is very puzzling.
For what it's worth, I have a sample of Bagz.C, from Nov 2004, that also shows the same layout and behaviour of clamav. If I remove the initial "From " line, the virus is not recognised and --debug output shows the "buffer overflow stopped". I suppose that this is a bug? Is clam supposed to recognise emails even without the leading "From " line?

The reason I ask is: in MIMEDefang, there is this entry in the manpage:

    md_copy_orig_msg_to_work_dir_as_mbox_file()
        Normally, virus-scanners are passed only the unpacked, decoded parts
        of a MIME message. If you want to pass the original, undecoded message
        in as a UNIX-style "mbox" file, call
        md_copy_orig_msg_to_work_dir_as_mbox_file prior to calling
        message_contains_virus. The only difference between this function and
        md_copy_orig_msg_to_work_dir is that this function prepends a "From_"
        line to make the message look like a UNIX-style mbox file. This is
        required for some virus scanners (such as Clam AntiVirus) to recognize
        the file as an e-mail message.

The md_copy_orig_msg_to_work_dir() is however a lot more efficient, and if it's the same to ClamAV (or, well, if it should be treated the same), then this documentation is not correct?

(MIMEDefang also extracts all attachments, so the virus is found anyway, albeit in the extracted part.)

-- 
#!perl -wpl # mmfppfmpmmpp mmpffm <[EMAIL PROTECTED]>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
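Added example, not part of this thread and not MIMEDefang's or ClamAV's own code: a small Python script that builds a constructed mail with 2048-byte base64 lines like the ones described, flags lines over the RFC line limit as a pre-scan check, prepends the mbox "From " line the way the MIMEDefang helper is documented to, and decodes the attachment parts so they can be scanned independently of body line length. The addresses, file name and timestamp are hypothetical.

```python
import base64
import email
import time
from email import policy

# RFC 5322 caps a line at 998 octets and RFC 2045 caps base64 bodies at 76;
# the mails in the thread use 2048-byte base64 lines, well past both.
LINE_LIMIT = 998

def build_sample(line_len: int = 2048, attachment: bytes = b"X" * 3000) -> bytes:
    """Constructed sample mail (no mbox 'From ' line) whose base64 attachment
    is wrapped at line_len bytes instead of 76."""
    b64 = base64.b64encode(attachment).decode()
    body = "\r\n".join(b64[i:i + line_len] for i in range(0, len(b64), line_len))
    return (
        "From: sender@example.invalid\r\n"       # hypothetical addresses
        "To: abuse@example.invalid\r\n"
        "Subject: sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
        '--b1\r\nContent-Type: application/octet-stream; name="file.exe"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        'Content-Disposition: attachment; filename="file.exe"\r\n\r\n'
        f"{body}\r\n--b1--\r\n"
    ).encode()

def overlong_lines(raw: bytes, limit: int = LINE_LIMIT) -> list:
    """1-based numbers of lines longer than limit: mail that trips this check
    is worth scanning in unpacked form rather than trusting a line-based pass."""
    return [n for n, line in enumerate(raw.splitlines(), 1) if len(line) > limit]

def as_mbox(raw: bytes, stamp: str = None) -> bytes:
    """Prepend a UNIX mbox 'From ' separator unless one is already present
    (the same trick the *_as_mbox_file helper in the manpage describes)."""
    if raw.startswith(b"From "):
        return raw
    stamp = stamp or time.asctime()
    return f"From MAILER-DAEMON {stamp}\n".encode() + raw

def extract_attachments(raw: bytes) -> list:
    """Decode every attachment part to (filename, bytes); base64 decoding
    here ignores line breaks, so the 2048-byte wrapping does not matter."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True))
            for p in msg.iter_attachments()]
```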