René Berber wrote:

>Cevher wrote:
>
>>Hi list,
>>
>>Some zip files containing virus files are passed by milter. For example
>>there is a zip file that contains a file called data.src.
>>Clamav recognizes data.src as Worm.Lovgate.R.
>>
>>$ clamscan data.zip
>>data.zip: Worm.Lovgate.R FOUND
>>
>>----------- SCAN SUMMARY -----------
>>Known viruses: 38553
>>Engine version: 0.86.2
>>Scanned directories: 0
>>Scanned files: 1
>>Infected files: 1
>>Data scanned: 0.09 MB
>>Time: 5.561 sec (0 m 5 s)
>>
>>clamdscan also recognizes this.
>>$ clamdscan data.zip
>>/home/clamav/data.zip: Worm.Lovgate.R FOUND
>>
>>----------- SCAN SUMMARY -----------
>>Infected files: 1
>>Time: 1.623 sec (0 m 1 s)
>>
>>ScanArchive is enabled in clamd.conf, when I unpack original zip file
>>and repack it with zip, clamav-milter recognizes it (tgz and gz archives
>>recognized also). Milter just can't recognize original zip file where
>>compression seems %0.
>
>Can you check the log and confirm that clamav-milter is the latest version?
>
>>We are using clamav-milter without --external option, whereas result is
>>same when clamav-milter is run with --external option.
>
>Strange that --external does the same, it should be just like using clamdscan.
>You could enable debugging for clamd and test to see if as an email message it's
>being scanned and goes through undetected.
>
>>My next question is about ScanArchive directive. Does anyone know how to
>>disable it. I did comment the ScanArchive directive in clamd.conf but it
>>didn't work.
>
>You need to set 2 options in clamd.conf (read "man clamd.conf" for details):
>
>DisableDefaultScanOptions
>ScanArchive no
>
>HTH

Thank you very much for your response. Here are the rows related to message in log file:

LibClamAV debug: Multipart 1: About to parse folded header 'Content-Type: application/octet-stream; name="Data.zip"'
LibClamAV debug: parseEmailHeader 'Content-Type: application/octet-stream; name="Data.zip"'
LibClamAV debug: parseMimeHeader: cmd='Content-Type', arg=' application/octet-stream; name="Data.zip"'
LibClamAV debug: messageSetMimeType: 'application'
LibClamAV debug: mimeArgs = ' name="Data.zip"'
LibClamAV debug: Add arguments ' name="Data.zip"'
LibClamAV debug: Multipart 1: About to parse folded header 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseEmailHeader 'Content-Transfer-Encoding: base64'
LibClamAV debug: parseMimeHeader: cmd='Content-Transfer-Encoding', arg=' base64'
LibClamAV debug: messageSetEncoding: 'base64'
LibClamAV debug: Encoding type 1 is "base64"
LibClamAV debug: Multipart 1: About to parse folded header 'Content-Disposition: attachment; filename="Data.zip"'
LibClamAV debug: parseEmailHeader 'Content-Disposition: attachment; filename="Data.zip"'
LibClamAV debug: parseMimeHeader: cmd='Content-Disposition', arg=' attachment; filename="Data.zip"'
LibClamAV debug: Multipart 1: End of header information
LibClamAV debug: Part 1 has 2 lines
LibClamAV debug: Now read in part 2
LibClamAV debug: Empty part
LibClamAV debug: The message has 2 parts
LibClamAV debug: Find out the multipart type (mixed)
LibClamAV debug: Mixed message with 2 parts
LibClamAV debug: Mixed message part 0 is of type 6
LibClamAV debug: Mixed message text part disposition ""
LibClamAV debug: Mime subtype "plain"
LibClamAV debug: Adding part to main message
LibClamAV debug: Adding to non mime-part
LibClamAV debug: Mixed message part 1 is of type 1
LibClamAV debug: messageToFileblob
LibClamAV debug: messageExport: numberOfEncTypes == 1
LibClamAV debug: messageExport: enctype 0 is 2
LibClamAV debug: blobSetFilename: Data.zip
LibClamAV debug: fileblobSetFilename: mkstemp(/tmp/clamav-086daff174ee6649/Data.zipXXXXXX)
LibClamAV debug: Saving attachment as /tmp/clamav-086daff174ee6649/Data.zipz7ZDnS
LibClamAV debug: Exported 21 bytes using enctype 2
LibClamAV debug: 2 trailing bytes to export
LibClamAV debug: base64chars = 2 (@ @ @)
LibClamAV debug: fileblobDestroy: Data.zip
LibClamAV debug: Save non mime and/or text/plain part
LibClamAV debug: blobSetFilename: textpart
LibClamAV debug: fileblobSetFilename: mkstemp(/tmp/clamav-086daff174ee6649/textpartXXXXXX)
LibClamAV debug: Saving attachment as /tmp/clamav-086daff174ee6649/textpartmm0fR0
LibClamAV debug: fileblobDestroy: textpart
LibClamAV debug: cli_mbox returning 0
LibClamAV debug: Calculated MD5 checksum: 76cdb2bad9582d23c1f6f4d868218d6c
LibClamAV debug: Calculated MD5 checksum: fe7a9673109db643d00efbd304ac6b50
LibClamAV debug: Calculated MD5 checksum: 30af82b30702b27683248f4a5bbd0b70
Thu Aug 11 15:44:51 2005 -> /tmp/clamav-d676e44291e0955a/msg.a6DlVz: OK
LibClamAV debug: clamfi_cleanup
LibClamAV debug: clamfi_free
LibClamAV debug: clamfi_free: n_children = 4
LibClamAV debug: <n_children = 3
LibClamAV debug: clamfi_free returns
LibClamAV debug: Saving message to /tmp/clamav-d676e44291e0955a/msg.uQbNN8 to scan later
LibClamAV debug: connect2clamd: serverNumber = 0

By the way my clamav-milter version is 0.86.

Thanks again.

-- 
Cevher Cemal Bozkur
+-+-+-+-+-+-+-+-+-+
YÖRE NET Teknoloji
Tel:+90 212 234 00 90

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
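
Added example, not part of the original post and not ClamAV code: a scanner-independent Python check that decodes every attachment of a saved message and lists the size and per-member compression method of any ZIP, so the decoded size can be compared with the "Exported N bytes" line in the clamd debug log above. The sample message and its harmless data.src are constructed here; the function names are hypothetical.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

METHODS = {zipfile.ZIP_STORED: "stored", zipfile.ZIP_DEFLATED: "deflated"}


def build_sample_message():
    """Constructed sample: a harmless stored (0% compression) ZIP sent as base64."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("data.src", b"harmless placeholder bytes\n" * 8)
    msg = EmailMessage()
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="Data.zip")
    return msg.as_bytes(), len(buf.getvalue())


def inspect_attachments(raw):
    """Decode each attachment; for ZIPs, list every member's compression method."""
    report = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        entry = {"filename": part.get_filename(),
                 "decoded_bytes": len(data), "members": []}
        if zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    method = METHODS.get(info.compress_type, str(info.compress_type))
                    entry["members"].append(
                        (info.filename, method, info.compress_size, info.file_size))
        report.append(entry)
    return report


if __name__ == "__main__":
    raw, zip_len = build_sample_message()
    for att in inspect_attachments(raw):
        print(att["filename"], att["decoded_bytes"], "bytes decoded")
        for name, method, csize, usize in att["members"]:
            print(f"  {name}: {method}, {csize}/{usize} bytes")
```

Running inspect_attachments() on the raw bytes of the message that passed the milter shows how large the attachment really is once decoded and whether its members are stored or deflated.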