Gene Heskett wrote:
> On Sunday 02 February 2014 09:12:36 G.W. Haywood did opine:
>> You might be.  IF I understand what you're doing, it seems to me that
>> you're piping a stream of data to the standard input of a process and
>> asking that process to scan the stream for interesting things.  You
>> aren't telling it where the stream comes from, so it doesn't know, so
>> it can't tell you anything other than what it finds in the anonymous
>> stream.  I suppose it could tell you a byte offset from the start of
>> the stream if it counted the bytes, but that wouldn't be a lot of use
>> if the stream came from the concatenation of half a million files.
>>
>> In effect, you're saying "What's in this anonymous stream of data?"

> Wrong concept, it's being used on each incoming email, even before SA looks 
> at it.  Point being that the email will normally have a subject line which, 
> when the mail has been sorted into the incoming kde folders, knowing the 
> subject line contents would go a long way toward identifying the mail.  

I'm not sure how much clamav really "knows" about whether it's scanning
an email or an executable blob.  It's smart enough to dig into
attachments to emails, but there is only a limited amount of
intelligence there.

My own favourite ClamAV integration glue, the MIMEDefang milter, does
its own work to split off attachments and untangle "email" into "files"
(more or less), and then points Clam at the whole set, on the
not-unlikely chance Clam can't decode the attached file(s) from the
email message.  IIRC some time ago, there were a number of viruses that
produced either broken or obscure MIME, and ClamAV couldn't find the
virus in the complete email, but when it was fed the detached and
decoded file, it triggered just fine.

> One other item I just found that I do not like. When clamav is restarted at 
> reboot time, it wipes the existing /var/log/clamav/clamav.log file, 
> destroying any interesting records from yesterday.  That's not at all nice.  
> It really, REALLY, needs to be maintained by logrotate.

File a bug with your Linux distribution; I agree this is poor behaviour
but I've never seen it happen on the RHEL/CentOS systems or Debian
systems I've used ClamAV on.

-kgd
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
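The MIMEDefang-style "untangle the email into files, then point Clam at the whole set" step described above, as an added example that is not MIMEDefang's or ClamAV's own code. It decodes each MIME leaf part into a scratch directory (the raw message goes in alongside, so ClamAV gets its own go at the MIME too), records the Subject and Message-ID so a hit can be logged against the message rather than an anonymous stdin stream, notes any MIME defects the parser had to tolerate, and maps clamscan's "<path>: <signature> FOUND" lines back to the part and message. The function names, the two sample messages and the signature name in the test are constructed for this example; the scanner itself is not invoked so the code runs without ClamAV installed.

```python
"""Split an e-mail into files before handing it to ClamAV, MIMEDefang-style.

Added example (not MIMEDefang's or ClamAV's code). Function names, the
sample messages and the signature name are constructed for illustration.
"""
import email
import hashlib
import mimetypes
import os
import tempfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional


def _file_entry(path: str, name: str, content_type: str) -> Dict:
    with open(path, "rb") as fh:
        data = fh.read()
    return {"path": path, "name": name, "content_type": content_type,
            "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}


def split_message(raw: bytes, workdir: Optional[str] = None) -> Dict:
    """Decode every leaf MIME part of `raw` into `workdir`; describe the result."""
    workdir = workdir or tempfile.mkdtemp(prefix="mailscan-")
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {
        "workdir": workdir,
        "subject": msg.get("Subject", ""),
        "message_id": msg.get("Message-ID", ""),
        "defects": [],   # MIME problems the parser tolerated (e.g. missing close boundary)
        "files": [],
    }
    # Keep the untouched message in the scan set as well: if ClamAV can decode
    # the MIME itself it gets its own chance, and the decoded parts cover the
    # broken/obscure-MIME case where it cannot.
    whole = os.path.join(workdir, "message.eml")
    with open(whole, "wb") as fh:
        fh.write(raw)
    report["files"].append(_file_entry(whole, "message.eml", "message/rfc822"))

    for i, part in enumerate(msg.walk()):
        report["defects"] += [type(d).__name__ for d in part.defects]
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        if payload is None:
            continue
        ctype = part.get_content_type()
        # Never trust the sender's filename as a path: keep only the last component.
        name = os.path.basename((part.get_filename() or "").replace("\\", "/"))
        if not name:
            name = f"part-{i}{mimetypes.guess_extension(ctype) or ''}"
        path = os.path.join(workdir, f"{i:03d}-{name}")
        with open(path, "wb") as fh:
            fh.write(payload)
        report["files"].append(_file_entry(path, name, ctype))
    return report


def clamscan_command(report: Dict) -> List[str]:
    """clamscan invocation over the scratch directory (these are real clamscan flags)."""
    return ["clamscan", "--no-summary", "--infected", "-r", report["workdir"]]


def attribute_hits(clamscan_output: str, report: Dict) -> List[Dict]:
    """Tie each '<path>: <signature> FOUND' line back to the part and the message."""
    by_path = {f["path"]: f for f in report["files"]}
    hits = []
    for line in clamscan_output.splitlines():
        line = line.rstrip()
        if not line.endswith(" FOUND"):
            continue
        path, _, rest = line.rpartition(": ")
        entry = by_path.get(path)
        hits.append({"signature": rest[:-len(" FOUND")], "path": path,
                     "part": entry["name"] if entry else None,
                     "subject": report["subject"],
                     "message_id": report["message_id"]})
    return hits


def sample_message() -> bytes:
    """Constructed, well-formed message: text body plus a base64 attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.test"
    m["To"] = "bob@example.test"
    m["Subject"] = "Quarterly report"
    m["Message-ID"] = "<constructed-001@example.test>"
    m.set_content("Report attached.")
    m.add_attachment(b"not really a virus, just bytes\n", maintype="application",
                     subtype="octet-stream", filename="report.bin")
    return m.as_bytes()


# Constructed message with broken MIME: the closing boundary is missing.
BROKEN_MIME = (
    b"Subject: broken mime\r\n"
    b"Message-ID: <constructed-002@example.test>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="xyz"\r\n'
    b"\r\n"
    b"--xyz\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--xyz\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="payload.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"aGVsbG8gd29ybGQK\r\n"
)

if __name__ == "__main__":
    for raw in (sample_message(), BROKEN_MIME):
        rep = split_message(raw)
        print(rep["subject"], rep["defects"], [f["name"] for f in rep["files"]])
        print(" ".join(clamscan_command(rep)))
```

In a real milter the next step is to run `clamscan_command(report)` (or hand the directory to clamd) and feed its output to `attribute_hits`, so the log line carries the subject and Message-ID along with the signature; the defects list is what you would check when a message trips the scanner only in decoded form and not as a whole.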
