> You want to use clamscan for something it was not designed to do, it was
> designed to detect viruses and that's all.

Yes, I do want to use clamscan for something it was not (quite) designed to
do. However, given the fact that the designers built in the ability to parse
multi-message email files in order to separate individual messages for
scanning, mine is not an entirely unreasonable expectation. In fact, reading
through the source reveals that such capability is on the minds of the coders.

From libclamav/mbox.c:

     * Is it a UNIX style mbox with more than one
     * mail message, or just a single mail message?
     * TODO: It would be better if we called cli_scandir here rather than
     * in cli_scanmail. Then we could improve the way mailboxes with more
     * than one message is handled, e.g. stopping parsing when an infected
     * message is stopped, and giving a better indication of which message
     * within the mailbox is infected

I also found in the source a debug message expelled during message scanning
that I believe will allow one to search the debug information in order to
ascertain which message might be infected. However, last night's daily update
of signatures has removed one of the three and consequently the mbox file in
question no longer is considered "infected." I am going to roll back the
signatures in order to test my hypothesis of the ability to pinpoint an
individual message suspected of being infected.

I am disturbed by the fact that yesterday the mbox produced a positive but
when I broke out the messages using mb2md the subsequent scan did not provide
a positive. This observed behavior is most likely the result of improper
parsing of a multi-message email file; that is to say, the message scan is not
properly delimiting message boundaries (two or more messages were scanned as
one and part of the signature expression was found in one message and another
part was found in a following message).

It's okay to wish for tools to be more robust. Thanks for everybody's input.
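
An added illustration, not part of the original message and not ClamAV code: a toy two-part matcher run over a constructed mbox shows how a whole-file scan can report a hit while every individually split message scans clean. The marker strings, sample mailbox and function names are assumptions made for this example.

```python
import re

# Constructed two-part "signature": every part must be present for a hit.
# Toy matcher only; this is not ClamAV's engine or signature format.
SIG_PARTS = (b"PART-ONE-MARKER", b"PART-TWO-MARKER")

# Constructed mbox: message 1 holds the first part, message 3 the second.
SAMPLE_MBOX = (
    b"From alice@example.com Mon Jan  1 00:00:00 2007\n"
    b"Subject: one\n\nbody with PART-ONE-MARKER inside\n\n"
    b"From bob@example.com Mon Jan  1 00:01:00 2007\n"
    b"Subject: two\n\nclean body\n\n"
    b"From carol@example.com Mon Jan  1 00:02:00 2007\n"
    b"Subject: three\n\nbody with PART-TWO-MARKER inside\n"
)

def matches(buf):
    """True only when every part of the signature occurs in buf."""
    return all(part in buf for part in SIG_PARTS)

def split_mbox(raw):
    """Split on 'From ' separator lines at file start or after a blank line."""
    starts = [m.start(1) for m in re.finditer(rb"(?:\A|\n\n)(From )", raw)]
    ends = starts[1:] + [len(raw)]
    return [raw[s:e] for s, e in zip(starts, ends)]

def scan(raw):
    """Return (whole-file hit, per-message hits, parts found per message)."""
    messages = split_mbox(raw)
    parts_found = [
        [i for i, part in enumerate(SIG_PARTS) if part in msg]
        for msg in messages
    ]
    return matches(raw), [matches(m) for m in messages], parts_found

if __name__ == "__main__":
    whole, per_message, parts_found = scan(SAMPLE_MBOX)
    print("whole-file hit:", whole)
    for n, (hit, parts) in enumerate(zip(per_message, parts_found), 1):
        print(f"message {n}: hit={hit} parts_found={parts}")
```

The per-message list of partial matches is what points at the messages contributing to a cross-boundary hit, even though none of them matches alone.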
