Can you submit a bug through https://bugzilla.clamav.net/ please? Shawn will keep working with you, but this will allow us to track this issue.
Matt On Thu, Sep 6, 2012 at 10:28 PM, Victor Sudakov <v...@mpeks.tomsk.su> wrote: > Shawn Webb wrote: > > > > > > > AFAIK clamd can parse Communigate Pro message spool format, where the > > > message itself is preceded by several extra lines like > > > > > > P I 06-09-2012 08:53:14 0000 ____ ____ <suda...@sibptus.tomsk.ru> > > > O LH > > > A sibptus.tomsk.ru [212.73.124.5] > > > S SMTP [212.73.125.240] > > > R W 06-09-2012 08:53:14 0000 ____ _FY_ <suda...@sibptus.tomsk.ru> > > > > > > However, I have found a condition when this parser fails on > > > clamav-0.97.5 and clamd reports OK though there is a known virus in > > > the message. I can provide samples and more details. > > > Were you able to scan with versions of ClamAV prior to 0.97.5? > > clamav-0.97 has the same problem. Sorry, I don't have older ClamAV > installations anywhere at the moment. > > > Can you send me some samples? > > Please take a sample at ftp://ftp.tomsk.ru/pub/m2.zip > ClamAV says it's OK. But if you manually add some "Content-Type:" > header to the message, it is reported as containing > Trojan.Startpage-131 (which it does). If you remove the CommunigatePro > extra lines without adding a "Content-Type:" header, it's again > reported as containing Trojan.Startpage-131. > > I have come across this bug (?) when sending messages with the Unix > mail program. It does not generate the "Content-Type:" header so any > virus sent by the mail(1) program passes through ClamAV+Communigate. > > -- > Victor Sudakov, VAS4-RIPE, VAS47-RIPN > sip:suda...@sibptus.tomsk.ru > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://www.clamav.net/support/ml > _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
