On 05/25/2016 11:06 AM, Philip Andersson wrote:
I got some new information. The test files came from cybercom and all other test files they sent to us were blocked. I think that clamd removes the virus and reports OK back and translates the stream from PDF 1.4 to PDF 1.5. Because if I open the two files in hex editors their headers are not the same and the row containing the virus is gone. Could clamd have done this?
That sounds unlikely, as ClamAV can't disinfect files - and surely wouldn't start converting between PDF formats.
The age of the virus doesn't matter - it should be detected regardless of method.
You should look into making a debug-plugin, to get some more information about what happens, when the file is injected into the ClamAV-Daemon.
Best regards
Michael