Hello list,

Lately we have been experiencing some strange behaviour with clamd using socket communication mode with amavisd-new.

When a zip file with a trojan binary inside is sent by an evil sender, sometimes clamd marks it as CLEAN. After doing some investigation, we realised the following two things:

This zipped file is not detected as a trojan:

    unzip -v winner.zip
    Archive:  winner.zip
     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       19456  Defl:X   16271   16%  11-06-09 00:46  14a246d9  winner.exe
    --------          -------  ---                            -------
       19456            16271   16%                            1 file

This one is detected smoothly:

    unzip -v pru/winner.zip
    Archive:  pru/winner.zip
     Length   Method    Size  Ratio   Date   Time   CRC-32    Name
    --------  ------  ------- -----   ----   ----   ------    ----
       19456  Defl:N   16277   16%  11-06-09 00:46  14a246d9  winner.exe
    --------          -------  ---                            -------
       19456            16277   16%                            1 file

As you can see, the main difference between the two zip files is the deflate method (the X method is not detected by clamd and the N method is detected OK).

About our architecture: we have Debian 4.0 and the following clamd and application versions:

    balth...@mailfilter04:~$ dpkg -l | grep -E 'zlib|clam'
    ii  clamav            0.91.2-3           antivirus scanner for Unix
    ii  clamav-base       0.91.2-3           base package for clamav, an anti-virus utili
    ii  clamav-daemon     0.91.2-3           antivirus scanner daemon
    ii  clamav-freshclam  0.91.2-3           downloads clamav virus databases from the In
    rc  libclamav1        0.88.7-0volatile1  virus scanner library
    ii  libclamav2        0.91.2-3           virus scanner library
    ii  zlib1g            1.2.3-13           compression library - runtime
    ii  zlib1g-dev        1.2.3-13           compression library - development

We are forced to use these versions of these applications because they are tightly integrated with other inherited custom programs.

Thank you for reading,

Regards,
Unix Administration

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
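The "Defl:X" versus "Defl:N" label that unzip -v prints comes from bits 1-2 of the entry's general-purpose flag (0 = normal, 1 = maximum, 2 = fast, 3 = super fast); the compressed stream is plain raw deflate in every case, so an unpacker that honours the method field should extract both files identically. The script below is an added example, not code from the original post or from ClamAV: it writes the same constructed payload into two single-entry zips that differ only in that flag (levels 6 and 9 in zlib, mirroring a default versus a maximum-compression zip), parses the central directory to report what unzip -v would show, and confirms with the standard library reader that both extract to identical bytes with the same CRC. The entry name `sample.bin` and the payload are constructed; a practitioner checking whether a given clamd version has the blind spot described in the post would substitute the EICAR test file as the payload, write both variants to disk and pass them to clamdscan.

```python
import io
import struct
import zipfile
import zlib

# unzip -v derives the letter after "Defl:" from bits 1-2 of the entry's
# general-purpose flag: 0 = Normal (N), 1 = Maximum (X), 2 = Fast (F),
# 3 = Super fast (S).  The data itself is raw deflate regardless of the flag.
DEFLATE_LEVEL_LETTERS = "NXFS"
ZIP_STORED, ZIP_DEFLATED = 0, 8

LOCAL_HEADER = b"PK\x03\x04"
CENTRAL_HEADER = b"PK\x01\x02"
END_OF_CENTRAL = b"PK\x05\x06"

# Constructed sample entry (assumption, not from the post); substitute the
# EICAR test file when exercising a real clamd through clamdscan.
SAMPLE_NAME = "sample.bin"
SAMPLE_PAYLOAD = b"constructed sample payload for the Defl:N / Defl:X comparison\n" * 50


def build_zip(name, payload, zlib_level, flag_level):
    """Write a single-entry ZIP by hand so the general-purpose flag bits can be
    chosen explicitly (the stdlib zipfile writer does not expose them).
    flag_level: 0 = N, 1 = X, 2 = F, 3 = S; it is independent of zlib_level."""
    comp = zlib.compressobj(zlib_level, zlib.DEFLATED, -15)  # -15 = raw deflate
    data = comp.compress(payload) + comp.flush()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    flags = (flag_level & 3) << 1
    name_b = name.encode("cp437")
    dos_time, dos_date = 0, (2009 - 1980) << 9 | 11 << 5 | 6  # constructed 2009-11-06
    local = LOCAL_HEADER + struct.pack(
        "<HHHHHIIIHH", 20, flags, ZIP_DEFLATED, dos_time, dos_date,
        crc, len(data), len(payload), len(name_b), 0) + name_b
    central = CENTRAL_HEADER + struct.pack(
        "<HHHHHHIIIHHHHHII", 20, 20, flags, ZIP_DEFLATED, dos_time, dos_date,
        crc, len(data), len(payload), len(name_b), 0, 0, 0, 0, 0, 0) + name_b
    body = local + data
    eocd = END_OF_CENTRAL + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(body), 0)
    return body + central + eocd


def list_entries(blob):
    """Walk the central directory and return, per entry, the fields unzip -v
    shows: method letter, compressed/uncompressed size, CRC and name."""
    eocd_at = blob.rfind(END_OF_CENTRAL)
    if eocd_at < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, total, _cd_size, cd_offset, _ = struct.unpack_from("<HHHHIIH", blob, eocd_at + 4)
    entries, pos = [], cd_offset
    for _ in range(total):
        if blob[pos:pos + 4] != CENTRAL_HEADER:
            raise ValueError("corrupt central directory")
        f = struct.unpack_from("<HHHHHHIIIHHHHHII", blob, pos + 4)
        flags, method = f[2], f[3]
        crc, comp_size, uncomp_size, name_len, extra_len, comment_len = f[6:12]
        if method == ZIP_DEFLATED:
            method_str = "Defl:" + DEFLATE_LEVEL_LETTERS[(flags >> 1) & 3]
        elif method == ZIP_STORED:
            method_str = "Stored"
        else:
            method_str = f"Unk:{method:03d}"
        entries.append({
            "name": blob[pos + 46:pos + 46 + name_len].decode("cp437"),
            "method": method_str, "flags": flags, "crc": crc,
            "compressed": comp_size, "size": uncomp_size,
        })
        pos += 46 + name_len + extra_len + comment_len
    return entries


def describe(blob):
    """Render the entries in a layout close to unzip -v."""
    lines = ["  Length  Method    Size  Ratio  CRC-32    Name"]
    for e in list_entries(blob):
        ratio = 100 - 100 * e["compressed"] // e["size"] if e["size"] else 0
        lines.append(f"{e['size']:8d}  {e['method']:7s} {e['compressed']:6d}  {ratio:3d}%  "
                     f"{e['crc']:08x}  {e['name']}")
    return "\n".join(lines)


def build_variants(payload=SAMPLE_PAYLOAD, name=SAMPLE_NAME):
    """The same file twice: default level flagged N, maximum level flagged X."""
    return {"N": build_zip(name, payload, 6, 0), "X": build_zip(name, payload, 9, 1)}


def extracted_identical(blobs, name=SAMPLE_NAME):
    """Unpack every variant with the stdlib reader and confirm the bytes match."""
    contents = {zipfile.ZipFile(io.BytesIO(b)).read(name) for b in blobs.values()}
    return len(contents) == 1


if __name__ == "__main__":
    variants = build_variants()
    for letter, blob in variants.items():
        print(f"--- variant {letter} ---\n{describe(blob)}")
    print("identical after extraction:", extracted_identical(variants))
```

Because the flag bits are purely informational, a scanner that dispatches on the method field (8 = deflate) and ignores bits 1-2 treats both variants the same; if one variant is reported clean and the other is caught, the archive unpacker rather than the signature is the component to look at, and generating both variants from a known test file is the quickest regression check after an upgrade.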