On Mon, Feb 03, 2014 at 03:41 PM, Kris Deugau wrote:
>
> Gene Heskett wrote:
>> On Sunday 02 February 2014 09:12:36 G.W. Haywood did opine:
>>> You might be. IF I understand what you're doing, it seems to me that
>>> you're piping a stream of data to the standard input of a process and
>>> asking that process to scan the stream for interesting things. You
>>> aren't telling it where the stream comes from, so it doesn't know, so
>>> it can't tell you anything other than what it finds in the anonymous
>>> stream. I suppose it could tell you a byte offset from the start of
>>> the stream if it counted the bytes, but that wouldn't be a lot of use
>>> if the stream came from the concatenation of half a million files.
>>>
>>> In effect, you're saying "What's in this anonymous stream of data?"
>
>> Wrong concept, it's being used on each incoming email, even before SA looks
>> at it. Point being that the email will normally have a subject line which,
>> when the mail has been sorted into the incoming kde folders, knowing the
>> subject line contents would go a long way toward identifying the mail.
>
> I'm not sure how much clamav really "knows" about whether it's scanning
> an email or an executable blob.

I can assure you that it knows a lot about what it's scanning. The very first sentence in the documentation is

> Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed
> especially for e-mail scanning on mail gateways.

LibClamAV is described as

> ...thread-safe and transparently recognizes and scans within archives, mail
> files, MS Office document files, executables and other special formats.

There are mail specific signatures:

> 3.5.4 Extended signature format
>
> The extended signature format allows for specification of additional
> information such as a target file type, virus offset or engine version,
> making the detection more reliable. The format is:
>
> MalwareName:TargetType:Offset:HexSignature[:MinFL:[MaxFL]]
>
> where TargetType is one of the following numbers specifying the type of the
> target file:
>
> • 4=Mailfile

-Al-
-- 
Al Varnell
Mountain View, CA
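
Added example, not part of the original post and not ClamAV's own code: a small parser for the extended signature format quoted above, showing how the TargetType field keeps a mail-only signature from firing on other file types. The names ExtSig, parse_ext_sig and matches are hypothetical, the signature and message are constructed samples, and the target types other than 4 are taken from ClamAV's signature documentation rather than from this thread. It assumes the caller supplies the detected file type and handles only `*` or absolute offsets and plain hex, `??` and `*` in the body.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Subset of target types per ClamAV's signature docs; the post quotes only 4.
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML (normalized)",
                4: "mail file", 5: "graphics", 6: "ELF", 7: "ASCII text"}

@dataclass
class ExtSig:
    name: str
    target: int
    offset: str
    pattern: re.Pattern
    min_fl: Optional[int] = None
    max_fl: Optional[int] = None

def hex_to_regex(hexsig: str) -> re.Pattern:
    """Compile a hex body; only plain bytes, ?? and * are handled here."""
    out, i = [], 0
    while i < len(hexsig):
        if hexsig[i] == "*":
            out.append(b".*?"); i += 1           # any number of bytes
        elif hexsig[i:i + 2] == "??":
            out.append(b"."); i += 2             # exactly one byte
        else:                                    # ValueError on anything else
            out.append(re.escape(bytes.fromhex(hexsig[i:i + 2]))); i += 2
    return re.compile(b"".join(out), re.DOTALL)

def parse_ext_sig(line: str) -> ExtSig:
    parts = line.strip().split(":")
    if not 4 <= len(parts) <= 6:
        raise ValueError("expected Name:TargetType:Offset:HexSignature[:MinFL:[MaxFL]]")
    name, target, offset, hexsig = parts[:4]
    if int(target) not in TARGET_TYPES:
        raise ValueError(f"unknown target type {target}")
    return ExtSig(name, int(target), offset, hex_to_regex(hexsig),
                  *(int(p) for p in parts[4:]))

def matches(sig: ExtSig, data: bytes, file_type: int) -> bool:
    """file_type: target-type number the caller assigned to data (assumption)."""
    if sig.target not in (0, file_type):
        return False          # a mail-only signature never fires on other types
    if sig.offset == "*":
        return sig.pattern.search(data) is not None
    if sig.offset.isdigit():
        return sig.pattern.match(data, int(sig.offset)) is not None
    raise NotImplementedError(f"offset form {sig.offset!r} not handled")

# Constructed sample: "Subject: " + any byte + "nvoice", restricted to mail files.
SAMPLE_SIG = "Example.Constructed.MailSig:4:*:5375626a6563743a20??6e766f696365"
SAMPLE_MAIL = b"From: a@example.test\r\nSubject: Invoice 42\r\n\r\nbody\r\n"
```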