Odhiambo Washington wrote:
* On 15/01/07 21:12 -0800, Dennis Peterson wrote:
| Odhiambo Washington wrote:
| >Hi,
| >
| >For some strange reasons, I've seen some malware go past my filters
| >on several occasions.
| >One such case is today, where a mail containing two attachments, one
| >a gif and the other a zip archive, skipped clamd completely and was
| >delivered to my inbox.
| >
| >However, when I extract the attachment from the file and scan it with
| >clamd, the worm is detected.
| >
| >Either this is a failure of the configuration on my MTA, or in the
| >way clamd analyzes such e-mail. I am running 0.88.7.
|
| Do you have any kind of minimum size limit a message must have before it
| is a candidate for scanning? Many sites don't scan very large messages
| because they are outside the typical size for spam/viruses. It's a
| choice that brings some risk but it does make things more efficient.

Yes, I don't subject to scanning any mails whose size exceeds 1MB, but
the mail in question does not meet this criterion.

The next thing to suspect is the process that does the file extraction.
The one I use logs all the attachments so I can explore the logs for the
file names and what it did with them. Without that capability I don't
have any other way to continue the diagnosis were this my problem to solve.
Something you can try though is to send the attachments to yourself and
see if they are discovered. It is possible that your mail reader is more
forgiving of encoding errors than whatever pulls attachments for your
mail for scanning. If nothing else it may expose an encoding scheme that
gets past your scanning system but not your mail reader.
dp
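
Added example, not part of the original thread: a Python sketch of the attachment logging described above, listing every MIME part with its decoded size, hash and any encoding defects the parser had to tolerate. The sample message, addresses and file names are constructed, and it uses Python's standard email package rather than the poster's MTA or ClamAV tooling.

```python
import email
import hashlib
from email import policy

# Constructed sample message (addresses, boundary and file names are made up).
# The second attachment's base64 body is missing its trailing "=" padding.
SAMPLE = b"\r\n".join([
    b"From: sender@example.com",
    b"Subject: constructed test",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/mixed; boundary="b1"',
    b"",
    b"--b1",
    b'Content-Type: image/gif; name="pic.gif"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="pic.gif"',
    b"",
    b"R0lGODlh",
    b"--b1",
    b'Content-Type: application/zip; name="doc.zip"',
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="doc.zip"',
    b"",
    b"aGVsbG8gd29ybGQ",
    b"--b1--",
    b"",
])

def audit_attachments(raw):
    """Return one record per leaf MIME part, including parser defects."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Decoding records base64 problems in part.defects instead of raising.
        payload = part.get_payload(decode=True) or b""
        report.append({
            "filename": part.get_filename(),
            "type": part.get_content_type(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")).lower(),
            "size": len(payload),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "defects": [type(d).__name__ for d in part.defects],
        })
    return report

if __name__ == "__main__":
    for rec in audit_attachments(SAMPLE):
        print(rec)
```

A part that reports defects here but still opens in a mail reader is the kind of mismatch to compare against the scanner's own extraction logs.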