On 4/22/2010 12:30 PM, aCaB wrote:
Paul Whelan wrote:
I think your amavis tried to decode the message, and pass only parts of
it to ClamAV.
In general then, clamav may only recognise some malware when it is
still attached to a mail message and not after it has been
separately stored. Is that correct?
It may or may not, depending on the message and the signature that
catches it.
Since clamav internally process the mail message and all its attachments
anyway, having this done twice (by amavis and by clamav) is probably
pointless...
---acab
For amavisd-new to block attachments by file(1) type, it must
unpack the mail.
Clam must scan the whole email message because (as you know)
some signatures only trigger on files that look like a mail
message.
To have both attachment blocking and full email scanning, the
mail ends up being scanned twice. Maybe I'll put in a request
for a "don't scan decoded parts" feature ...
-- Noel Jones
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
