I am not sure whether my previous response reached the mailing list or not, so I am replying again.

Thank you, Edwin, for the very quick response.

Sorry, I forgot to paste the following header in my last query.

Content-Type: multipart/mixed; boundary="=-E6uObbGoQ4lkg+aYaH2/"

Actually, I was sending the above header as part of virus scanning to clamd. Even with the 'Content-Type' header, clamd is not detecting the Eicar. Moreover, I am able to open the Eicar string attachment in the mail client, which means the virus mail got opened in the email client; it is a problem.

One observation is that with the addition of the 'From:' header, clamd detected the Eicar string. Also, Eicar got detected with 'Subject:' header contents. That is, just add some data to the subject portion and send the above data (with or without From:), and the Eicar string got detected.

It appears clamd is expecting some SMTP message header as part of the email data portion. If the headers are not proper, clamd is sending the virus mail as clean mail instead of returning an error. It creates a problem, a chance for evasion; we need to protect against it.

Please comment.

Thanks,
Rajesh

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net [mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of clamav-users-requ...@lists.clamav.net
Sent: Sunday, August 02, 2009 3:30 PM
To: clamav-users@lists.clamav.net
Subject: clamav-users Digest, Vol 59, Issue 2

----------------------------------------------------------------------

Message: 1
Date: Sat, 01 Aug 2009 13:00:59 +0300
From: Török Edwin <edwinto...@gmail.com>
Subject: Re: [Clamav-users] Clamd not detecting eicar string with Telnet interface
To: ClamAV users ML <clamav-users@lists.clamav.net>
Message-ID: <4a74125b.7090...@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On 2009-08-01 10:50, M Rajesh-B22236 wrote:
> CLAM AV version we used is 0.94.2
>
> I used Telnet client to send a mail with Eicar string in a file as
> attachment.
>
> Expecting clamd to detect it as virus mail, but instead it returned as
> clean mail.
>
> This is working fine with any email client, problem is coming by using
> Telnet interface only.
>
> Following is the data that is sent to clamd for scanning;
>

This is not an email, what email client opens it and displays the attachment properly?

> Subject:
>

You are missing some headers here:
From
Content-Type: multipart/mixed; boundary="=-E6uObbGoQ4lkg+aYaH2/"

If you add those, then clamav detects eicar, I don't see a problem here.

> --=-E6uObbGoQ4lkg+aYaH2/
>
> Content-Type: text/plain
>
> Content-Transfer-Encoding: 7bit
>
>
>
>
>
> --=-E6uObbGoQ4lkg+aYaH2/
>
> Content-Disposition: attachment; filename=eicar.com
>
> Content-Type: text/plain; name=eicar.com; charset=us-ascii
>
> Content-Transfer-Encoding: 7bit
>
> x5o...@ap[4\pzx54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>
> --=-E6uObbGoQ4lkg+aYaH2/--
>
> .
>
> Can anyone suggest a reason for the above problem?
>
> One guess is SMTP clients will also send SMTP message headers like
> From, To, Content-Type, Message-Id, Mime-Version, etc. as part of data and
> same is not the case for Telnet.
>

Does your mail server even accept the above mail? Which mail server is it?

> But I think clamd should return error in case of any failures of SMTP
> header parsing instead of sending it as clean mail.
>

That would lead to many false positives, not all emails follow the RFC standard.

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
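Added example, not part of the original thread and not clamd's code: it uses Python's standard `email` parser as a stand-in for any header-driven MIME parser to show that the body from the thread yields no attachment when the top-level Content-Type header is absent, and it adds a gateway-side check that flags boundary delimiters no header declares. The sample payload, the `sender@example.com` address and the function names are constructed for illustration.

```python
from email import message_from_string

BOUNDARY = "=-E6uObbGoQ4lkg+aYaH2/"  # boundary string quoted in the thread
# Constructed sample body: same layout as the thread's data, harmless placeholder payload.
BODY = (
    f"--{BOUNDARY}\n"
    "Content-Type: text/plain\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "\n"
    f"--{BOUNDARY}\n"
    "Content-Disposition: attachment; filename=sample.txt\n"
    "Content-Type: text/plain; name=sample.txt; charset=us-ascii\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "PLACEHOLDER-ATTACHMENT-CONTENT\n"
    f"--{BOUNDARY}--\n"
)
BARE = "Subject:\n\n" + BODY  # as sent over Telnet: no From, no Content-Type
FULL = (
    "From: sender@example.com\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\n'
    "Subject:\n\n" + BODY
)

def attachment_names(raw):
    """Filenames of the parts a header-driven MIME parser actually extracts."""
    return [p.get_filename() for p in message_from_string(raw).walk() if p.get_filename()]

def orphan_boundaries(raw):
    """Boundaries used as open and close delimiters in a leaf body but declared by no header."""
    msg = message_from_string(raw)
    declared = {p.get_boundary() for p in msg.walk() if p.is_multipart()}
    found = set()
    for part in msg.walk():
        payload = part.get_payload()
        if part.is_multipart() or not isinstance(payload, str):
            continue
        lines = [l.rstrip() for l in payload.splitlines() if l.startswith("--")]
        opened = {l[2:] for l in lines if not l.endswith("--")}
        closed = {l[2:-2] for l in lines if l.endswith("--") and len(l) > 4}
        found |= opened & closed  # require a matching open/close pair to limit noise
    return sorted(found - declared)

if __name__ == "__main__":
    for name, raw in (("bare", BARE), ("full", FULL)):
        print(name, attachment_names(raw), orphan_boundaries(raw))
```

A mail gateway can quarantine or reject messages for which `orphan_boundaries` is non-empty instead of relying on the scanner's verdict for content it never unpacked.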