Hi all. I've recently installed ClamAV 0.87.1 and although it's
picking up genuine virii successfully, we're getting a large number
of mangled W32/Mytob-GH through. I say mangled because the ZIP file
appears to be damaged or truncated.
I've noticed that several people have tried submitting these broken
zip files, and they've all been rejected. Fair enough, it's not
really a virus. However it's also very definitely the kind of email
that many users would want rejected. I've tried creating my own
signatures but because the file is (or was) a zip and the contents of
it were a polymorphic virus, I can't find a pattern which I can use
to match it. In short I can find no way of blocking these emails -
and I'm getting loads (95% from one large customer, so much as I'd
love to I can't just block their server).
If there's an option to do this that I've missed, fantastic. If
there's not then may I float the suggestion here that there should
be? An option to reject ZIP files that are corrupt, while certainly
too draconian for some would be a very useful addition for me and
probably the others that have submitted signatures.
As a poor second alternative, is there a way to get clamd to pick up
on MD5 signatures? I know about the .db files, but what I really want
to do is something like "sigtool --md5 brokenzips/* > /var/lib/clamav/
badzips.hdb" and have that file picked up by clamd for its automatic
scanning. Currently it seems that clamd looks for .db and .cvb files,
but not .hdb files.
Cheers... Mike
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
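As an added example (not from the original post and not ClamAV's own code), here is a small Python check in the spirit of the "reject corrupt ZIPs" option asked for above: it tests whether a ZIP blob has a consistent End of Central Directory record, and formats the ClamAV .hdb line (md5:filesize:name) that `sigtool --md5` would produce for a sample. The sample archive is constructed inline; ZIP64 archives are not handled.

```python
import hashlib
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header, first bytes of a normal ZIP
CDIR_SIG = b"PK\x01\x02"    # central directory file header
EOCD_SIG = b"PK\x05\x06"    # End of Central Directory record (22 bytes + comment)


def zip_is_intact(data: bytes) -> bool:
    """Structural sanity check: a truncated or mangled ZIP usually loses its
    EOCD record, or the EOCD points at a central directory that is not
    actually inside the data. Returns False for such attachments."""
    if not data.startswith(LOCAL_SIG):
        return False
    tail = data[-(22 + 65535):]           # EOCD may be followed by a comment <= 65535 bytes
    pos = tail.rfind(EOCD_SIG)
    if pos == -1 or len(tail) - pos < 22:  # no EOCD, or EOCD itself cut short
        return False
    eocd_abs = len(data) - len(tail) + pos
    fields = struct.unpack("<4sHHHHIIH", data[eocd_abs:eocd_abs + 22])
    n_entries, cd_size, cd_offset, comment_len = fields[4], fields[5], fields[6], fields[7]
    if eocd_abs + 22 + comment_len != len(data):   # trailing garbage or lost comment
        return False
    if cd_offset + cd_size > eocd_abs:             # central directory outside the file
        return False
    if n_entries > 0 and data[cd_offset:cd_offset + 4] != CDIR_SIG:
        return False
    return True


def hdb_line(data: bytes, name: str) -> str:
    """One ClamAV .hdb entry: md5:filesize:signature-name (hypothetical name)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def build_sample_zip() -> bytes:
    """Constructed, harmless sample archive used as input below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "constructed sample payload, not malware\n")
    return buf.getvalue()


if __name__ == "__main__":
    good = build_sample_zip()
    truncated = good[:len(good) // 2]      # simulate a mangled attachment
    print(zip_is_intact(good), zip_is_intact(truncated))   # True False
    print(hdb_line(truncated, "Sample.BrokenZip.constructed"))
```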