Either none of the images I have saved from spam match that database (quite 
possible) or clamscan works slightly differently than clamd while scanning 
emails.

Is it possible that clamscan requires an exact match while clamd/clamav-milter 
only requires a partial match because it's testing each attachment as a possible 
virus?

I have unpacked main and daily to look at signatures and have created 
signatures based on just the encoded version of the images as well as decoded 
versions of the images, but still nothing returns positive from my supply of 
saved emails with the images in them.  I can only get a match if the file I'm 
scanning is an exact copy of what the signature was based on.

I may be going about my testing wrong if I am assuming that clamscan will pick 
up a signature-targeted file inside an email when it contains additional 
information (headers, misc random text, etc.).

Carl

*********** REPLY SEPARATOR  ***********

On 10/4/2006 at 5:28 PM Dennis Peterson wrote:

>Carl Thompson wrote:
>> Making the signature isn't the problem.  The problem is that clamav
>> will only identify the signature if it's on its own (such as the
>> signature is a file all its own); it will not identify email with the
>> signature information in it.
>>
>> As an example, I took a spam-based email image and made a signature of
>> just it.  I would like clamav to identify any email with that image
>> in it as a virus so that it is trashed instead of delivered.  The
>> image in a file (encoded or decoded) will be identified based on the
>> signature created, but if it's in an email the email is not identified
>> as having an identifiable virus in it.
>>
>> Carl
>>
>>
>
>You might want to consider this instead of hand rolling your own:
>
>http://www.msrbl.com/site/msrblimagesabout
>
>
>_______________________________________________
>http://lurker.clamav.net/list/clamav-users.html
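
Added example, not part of the original messages and not ClamAV code: assuming the hand-made signature is a whole-file MD5 entry in the `.hdb` layout (`MD5:size:name`), this shows why the hash of a saved email never equals the hash of the image, while the hash of the decoded attachment does. The image bytes, addresses and the name `Spam.Image.Test` are constructed for the illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed sample: a fake "image" payload, not a real spam image.
IMAGE = b"GIF89a" + bytes(range(256)) * 4
SIG_NAME = "Spam.Image.Test"  # hypothetical signature name


def hdb_line(data: bytes, name: str) -> str:
    """Whole-file hash signature in the .hdb layout: MD5:size:name."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def build_mail(image: bytes) -> bytes:
    """Constructed message carrying the image as a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("misc random text")
    msg.add_attachment(image, maintype="image", subtype="gif",
                       filename="spam.gif")
    return msg.as_bytes()


def attachment_sigs(raw_mail: bytes) -> list[str]:
    """Decode every attachment and hash the decoded bytes."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    return [hdb_line(part.get_payload(decode=True), SIG_NAME)
            for part in msg.iter_attachments()]


def compare(image: bytes) -> dict:
    """Check the image signature against the raw mail and its attachments."""
    raw = build_mail(image)
    target = hdb_line(image, SIG_NAME)
    return {
        # Headers, body text and base64 encoding change the bytes hashed.
        "whole_mail_matches": hdb_line(raw, SIG_NAME) == target,
        # After MIME decoding the attachment is byte-identical to the image.
        "decoded_attachment_matches": target in attachment_sigs(raw),
    }


if __name__ == "__main__":
    print(compare(IMAGE))
```
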


