Eric Scopinho wrote:
> The problem is that I'm using libclamav directly (not clamd), and I
> don't have the entire zip file. While the file is sent over the
> network, passing through my firewall, I'm catching the packets,
> storing each one and scanning using cl_scandesc from libclamav. Catch
> it?
Since you're scanning it packet-by-packet, you're going to miss some
viruses regardless of .zip-ness. In particular, if a virus definition
matches a byte sequence that is split across packets, the virus will get
through.

Since you can't decompress the .zip file, you won't catch viruses that
are only recognized in their uncompressed form. Fortunately, there are
some virus patterns to match the .zip'd versions of the files.
Unfortunately, viruses that randomize their password are probably
unpatternable in their compressed form.

You might be able to do something to the effect of:

1) Recognize the initial packet of the zip file
2) Accumulate all future packets of that stream
3) Put all the packets together to get the complete zip file
4) Decompress the zip file
5) Scan the decompressed contents

-- 
Matthew.van.Eerde (at) hbinc.com                 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
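The five-step pipeline from the reply, next to the per-packet scan it replaces, as an added example that is not code from this thread or from ClamAV. It assumes the firewall has already reduced each packet to a (stream offset, payload) pair, and it uses a toy substring matcher, scan_bytes(), in place of cl_scandesc(); the zip, the packets and the "signature" are all constructed in the script. Running it shows the two failure modes the reply names: the per-packet scan misses because the pattern straddles packets, and the whole-file scan misses the deflated archive because the pattern only exists in decompressed form.

```python
# Added example (not code from the thread or from ClamAV): reassemble the
# zip stream, decompress it, then scan, beside the per-packet scan that
# misses. Assumptions: packets arrive as (stream offset, payload) pairs, and
# scan_bytes() is a toy substring matcher standing in for cl_scandesc().
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # magic that opens every zip local file entry
# Constructed stand-in for a virus signature (not a real malware pattern).
SAMPLE_PATTERN = b"CONSTRUCTED-TEST-PATTERN-FOR-THE-SCANNER-EXAMPLE-ONLY"
SIGNATURES = {"Constructed.Test.Pattern": SAMPLE_PATTERN}


def scan_bytes(data):
    """Toy stand-in for cl_scandesc: name of the first matching signature, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def build_zip(member_name, payload, deflate):
    """Constructed sample input: an in-memory zip holding one member."""
    method = zipfile.ZIP_DEFLATED if deflate else zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def split_into_packets(data, size):
    """Constructed: cut the stream into segment-sized payloads tagged with their offset."""
    return [(off, data[off:off + size]) for off in range(0, len(data), size)]


def scan_per_packet(packets):
    """What the original poster does: each payload is scanned on its own."""
    hits = []
    for _offset, chunk in packets:
        name = scan_bytes(chunk)
        if name:
            hits.append(name)
    return hits


class ZipStreamReassembler:
    """Steps 1-3 of the reply: recognise the zip start, accumulate, rebuild the file."""

    def __init__(self):
        self.segments = {}   # stream offset -> payload; tolerates out-of-order arrival

    def feed(self, offset, payload):
        self.segments[offset] = payload   # step 2: accumulate every segment of the stream

    def is_zip(self):
        # step 1: the stream is a zip only if its first bytes carry the local-header magic
        return self.segments.get(0, b"").startswith(ZIP_LOCAL_HEADER)

    def assemble(self):
        """Step 3: join segments in offset order; None if not a zip or a segment is missing."""
        if not self.is_zip():
            return None
        out, expected = bytearray(), 0
        for off in sorted(self.segments):
            if off != expected:            # a gap would corrupt the archive, so refuse
                return None
            out += self.segments[off]
            expected += len(self.segments[off])
        return bytes(out)


def scan_reassembled_zip(zip_bytes):
    """Steps 4-5: decompress every member and scan it; returns {member: signature} for hits."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = scan_bytes(zf.read(info))
            if name:
                hits[info.filename] = name
    return hits


def demo(deflate, packet_size=16):
    """Run the three scans on a constructed zip delivered as out-of-order packets."""
    zip_bytes = build_zip("sample.txt", SAMPLE_PATTERN, deflate)
    packets = split_into_packets(zip_bytes, packet_size)
    reassembler = ZipStreamReassembler()
    for off, chunk in reversed(packets):   # deliver the last packet first on purpose
        reassembler.feed(off, chunk)
    rebuilt = reassembler.assemble()
    return {
        "per_packet": scan_per_packet(packets),       # misses: pattern split across packets
        "whole_file": scan_bytes(zip_bytes),          # misses when deflated, hits when stored
        "rebuilt_ok": rebuilt == zip_bytes,
        "after_decompress": scan_reassembled_zip(rebuilt) if rebuilt else {},
    }


if __name__ == "__main__":
    for deflate in (True, False):
        print("deflated" if deflate else "stored", demo(deflate))
```

The reassembler keys segments by stream offset rather than arrival order, so the "recognize the initial packet" step is a check on offset 0 instead of on whichever packet happens to arrive first; retransmissions simply overwrite the same offset. A real deployment would also need to bound how much it buffers per stream, since an unbounded accumulator is itself a resource-exhaustion risk on a firewall.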