* On 15/01/07 21:23 -0800, Dennis Peterson wrote:
| Odhiambo Washington wrote:
| >* On 15/01/07 21:12 -0800, Dennis Peterson wrote:
| >| Odhiambo Washington wrote:
| >| >Hi,
| >| >
| >| >For some strange reasons, I've seen some malware go past my filters
| >| >on several occasions.
| >| >One such case is today, where a mail containing two attachments, one
| >| >a gif and the other a zip archive, skipped clamd completely and was
| >| >delivered to my inbox.
| >| >
| >| >However, when I extract the attachment from the file and scan it with
| >| >clamd, the worm is detected.
| >| >
| >| >Either this is a failure of the configuration on my MTA, or in the
| >| >way clamd analyzes such e-mail. I am running 0.88.7.
| >|
| >| Do you have any kind of minimum size limit a message must have before it
| >| is a candidate for scanning? Many sites don't scan very large messages
| >| because they are outside the typical size for spam/viruses. It's a
| >| choice that brings some risk but it does make things more efficient.
| >
| >Yes, I don't subject to scanning any mails whose size exceeds 1MB, but
| >the mail in question does not meet this criterion.
| >
| >
|
| The next thing to suspect is the process that does the file extraction.
| The one I use logs all the attachments so I can explore the logs for the
| file names and what it did with them. Without that capability I don't
| have any other way to continue the diagnosis were this my problem to solve.
|
| Something you can try though is to send the attachments to yourself and
| see if they are discovered. It is possible that your mail reader is more
| forgiving of encoding errors than whatever pulls attachments for your
| mail for scanning. If nothing else it may expose an encoding scheme that
| gets past your scanning system but not your mail reader.

Is anyone using Exim with exiscan in this forum? That is where the subject
is heading, as I can see. Peterson, what do you use?

-Wash

--
Odhiambo Washington
Wananchi Online Ltd.
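
The attachment logging suggested in the quoted reply, as an added example that is not part of the original thread and is not Exim, exiscan or ClamAV code: it inventories every MIME part of a message and records any decoding defects the parser reports, so a part that the extraction step could not decode cleanly shows up in the log. It assumes Python's standard `email` parser stands in for the extractor, takes the 1MB cut-off from the thread as `SIZE_LIMIT`, and uses a constructed sample message.

```python
import email
import hashlib
from email import policy

SIZE_LIMIT = 1024 * 1024  # assumption: the 1MB no-scan cut-off from the thread

# Constructed sample: a GIF part plus a ZIP part whose base64 lacks padding.
SAMPLE = (
    b"From: a@example.org\r\nTo: b@example.org\r\nSubject: sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="B0"\r\n\r\n'
    b"--B0\r\nContent-Type: image/gif\r\n"
    b'Content-Disposition: attachment; filename="pic.gif"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nR0lGODlhAQABAAAAACw=\r\n"
    b"--B0\r\nContent-Type: application/zip\r\n"
    b'Content-Disposition: attachment; filename="doc.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nUEsDBAo\r\n"
    b"--B0--\r\n"
)


def inventory(raw: bytes) -> dict:
    """Log what an extractor would hand to the scanner for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "size": len(raw),
        "scanned": len(raw) <= SIZE_LIMIT,  # larger messages skip scanning
        "structure_defects": [type(d).__name__ for d in msg.defects],
        "parts": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        # Decoding registers transfer-encoding problems in part.defects.
        data = part.get_payload(decode=True) or b""
        report["parts"].append({
            "filename": part.get_filename(),
            "type": part.get_content_type(),
            "cte": str(part.get("Content-Transfer-Encoding", "7bit")),
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "defects": [type(d).__name__ for d in part.defects],
        })
    return report


if __name__ == "__main__":
    result = inventory(SAMPLE)
    print("size", result["size"], "scanned", result["scanned"])
    for p in result["parts"]:
        print(p["filename"], p["type"], p["bytes"], p["defects"] or "clean")
```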