Shawn Webb wrote:
> >
> > AFAIK clamd can parse Communigate Pro message spool format, where the
> > message itself is preceded by several extra lines like
> >
> > P I 06-09-2012 08:53:14 0000 ____ ____ <suda...@sibptus.tomsk.ru>
> > O LH
> > A sibptus.tomsk.ru [212.73.124.5]
> > S SMTP [212.73.125.240]
> > R W 06-09-2012 08:53:14 0000 ____ _FY_ <suda...@sibptus.tomsk.ru>
> >
> > However, I have found a condition when this parser fails on
> > clamav-0.97.5 and clamd reports OK though there is a known virus in
> > the message. I can provide samples and more details.

> Were you able to scan with versions of ClamAV prior to 0.97.5?

clamav-0.97 has the same problem. Sorry, I don't have older ClamAV
installations anywhere at the moment.

> Can you send me some samples?

Please take a sample at ftp://ftp.tomsk.ru/pub/m2.zip

ClamAV says it's OK. But if you manually add some "Content-Type:" header
to the message, it is reported as containing Trojan.Startpage-131 (which
it does).

If you remove the CommunigatePro extra lines without adding a
"Content-Type:" header, it's again reported as containing
Trojan.Startpage-131.

I have come across this bug (?) when sending messages with the Unix mail
program. It does not generate the "Content-Type:" header so any virus
sent by the mail(1) program passes through ClamAV+Communigate.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
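
An added example, not part of the original message and not ClamAV or CommuniGate Pro code: a pre-scan step that strips the envelope lines described above and flags spool files that combine an envelope with a missing "Content-Type:" header, the case reported as missed. The envelope-line pattern, the optional blank separator, the function names and the sample data are assumptions made for illustration.

```python
import re

# Assumption: an envelope line is one capital letter followed by a space, as in
# the quoted "P I ...", "O LH", "A ...", "S ...", "R W ..." lines. A mail header
# name cannot contain a space before its colon, so such a line is not a header.
ENVELOPE_LINE = re.compile(rb"^[A-Z] ")

# Constructed sample spool file (addresses and IPs are documentation values).
SAMPLE = (
    b"P I 06-09-2012 08:53:14 0000 ____ ____ <sender@example.org>\n"
    b"O LH\n"
    b"A example.org [192.0.2.5]\n"
    b"S SMTP [192.0.2.240]\n"
    b"R W 06-09-2012 08:53:14 0000 ____ _FY_ <rcpt@example.org>\n"
    b"\n"
    b"From: sender@example.org\n"
    b"Subject: sent with mail(1)\n"
    b"\n"
    b"body\n"
)

def split_spool(raw: bytes):
    """Return (envelope_lines, message_bytes) for one spool file."""
    lines = raw.splitlines(keepends=True)
    i = 0
    while i < len(lines) and ENVELOPE_LINE.match(lines[i]):
        i += 1
    envelope = [line.rstrip(b"\r\n") for line in lines[:i]]
    # Skip one blank separator line if present (assumption about the format).
    if envelope and i < len(lines) and not lines[i].strip():
        i += 1
    return envelope, b"".join(lines[i:])

def has_content_type(message: bytes) -> bool:
    """True if the top-level header block carries a Content-Type field."""
    for line in message.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line.lower().startswith(b"content-type:"):
            return True
    return False

def prepare_for_scan(raw: bytes):
    """Return (message without envelope, True if it matches the reported case)."""
    envelope, message = split_spool(raw)
    return message, bool(envelope) and not has_content_type(message)
```

Handing the returned message bytes to the scanner instead of the raw spool file corresponds to the "remove the CommunigatePro extra lines" case in the report, which was detected.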