Oh! I missed my actual question! :-)
Is this expected behavior? i.e. a limitation with making your own simple
MD5-based sigs.
Jason Haar wrote:
> Hi there
>
> The new W32/Nyxem-D virus seems to escape clamav fairly well.
>
> It comes in as a .HQX or .MIM attachment - which is base64 encoded.
> H
Hi there
The new W32/Nyxem-D virus seems to escape clamav fairly well.
It comes in as a .HQX or .MIM attachment - which is base64 encoded.
However, the resultant HQX/MIM file is actually an UUENCODED file (that
WinXP at least auto-supports).
I uudecoded it and wrote my own signature for the resu
Hi,
This following thread was previously posted. I wonder if this is still an issue
with MIME handling or is it just a sole case that the worm couldn't be caught?
Thanks
Jerry,
> Hi all,
>
> RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
> (Netsky.B) but neither clamd
On Wednesday 16 February 2005 14:35, Scott Ryan shaped the electrons to say:
> Hi list, I have posted before about an issue with clamd hanging and
> yesterday we finally managed to find out what the underlying problem was.
> We came across an 800k mail that we initially thought was causing clamd to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ted Fines wrote:
> --On Thursday, February 17, 2005 3:38 PM + Nigel Horne
> <[EMAIL PROTECTED]> wrote:
>
>> On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
>>
>>> On Thu, 17 Feb 2005 11:50:11 + (GMT)
>>> Andy Fiddaman <[EMAIL PROTECTED]> wro
; [EMAIL PROTECTED] Nigel Horne <[EMAIL PROTECTED]>
; wrote:
;
; > On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
; >
; > > The problem with the old limit was that it was hard coded and so was
; > > the behaviour when it was exceeded (IIRC it used to just not scan
; > > the additional nested p
On Thu, 17 Feb 2005 16:12:08 + in
[EMAIL PROTECTED] Nigel Horne <[EMAIL PROTECTED]>
wrote:
> On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
>
> > The problem with the old limit was that it was hard coded and so was
> > the behaviour when it was exceeded (IIRC it used to just not scan
> >
On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
> The problem with the old limit was that it was hard coded and so was the
> behaviour when it was exceeded (IIRC it used to just not scan the
> additional nested parts). I can't understand why adding this option with
> configurable behaviour wou
--On Thursday, February 17, 2005 3:38 PM + Nigel Horne
<[EMAIL PROTECTED]> wrote:
On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
On Thu, 17 Feb 2005 11:50:11 + (GMT)
Andy Fiddaman <[EMAIL PROTECTED]> wrote:
> Kind of.. there's a limit for how many times the mail scanner is
> invoked, (
On Thu, 17 Feb 2005, Nigel Horne wrote:
; On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
; > On Thu, 17 Feb 2005 11:50:11 + (GMT)
; > Andy Fiddaman <[EMAIL PROTECTED]> wrote:
; >
; > > Kind of.. there's a limit for how many times the mail scanner is
; > > invoked, (such as for a message wit
On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
> On Thu, 17 Feb 2005 11:50:11 + (GMT)
> Andy Fiddaman <[EMAIL PROTECTED]> wrote:
>
> > Kind of.. there's a limit for how many times the mail scanner is
> > invoked, (such as for a message with zip containing message containing
> > zip containi
On Thu, 17 Feb 2005 11:50:11 + (GMT)
Andy Fiddaman <[EMAIL PROTECTED]> wrote:
> Kind of.. there's a limit for how many times the mail scanner is
> invoked, (such as for a message with zip containing message containing
> zip containing message...), but not for mime recursion.. i.e.
> parseEmail
On Wed, 16 Feb 2005, Tomasz Kojm wrote:
; On Wed, 16 Feb 2005 17:51:28 +0200
; Scott Ryan <[EMAIL PROTECTED]> wrote:
;
; > I will just have to allow these types of mails to go unscanned. Four
; > minutes to scan 1 will cause a DOS.
;
; So increase the number of MaxThreads...
;
; > Would it be po
On Thursday 17 February 2005 11:29, Andy Fiddaman shaped the electrons to say:
> On Wed, 16 Feb 2005, [ISO-8859-2] Bogusław Brandys wrote:
>
> ; -BEGIN PGP SIGNED MESSAGE-
> ; Hash: SHA1
> ;
> ; Nigel Horne wrote:
> ; > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> ; >
> ; >
> ; >>FOUR
On Wed, 16 Feb 2005, [ISO-8859-2] Bogusław Brandys wrote:
; -BEGIN PGP SIGNED MESSAGE-
; Hash: SHA1
;
; Nigel Horne wrote:
; > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
; >
; >
; >>FOUR MINUTES, 13 SECONDS for an 800k email.
...
; > 0.80 didn't scan it properly and would have let a
On Wed, 16 Feb 2005 19:05:22 +0200
Scott Ryan <[EMAIL PROTECTED]> wrote:
> What is that limit?
libclamav/scanners.c:
#define MAX_MAIL_RECURSION 15
--
oo. Tomasz Kojm <[EMAIL PROTECTED]>
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._
On Wednesday 16 February 2005 18:43, Tomasz Kojm shaped the electrons to say:
> On Wed, 16 Feb 2005 17:51:28 +0200
>
> Scott Ryan <[EMAIL PROTECTED]> wrote:
> > I will just have to allow these types of mails to go unscanned. Four
> > minutes to scan 1 will cause a DOS.
>
> So increase the number o
On Wed, 16 Feb 2005 17:51:28 +0200
Scott Ryan <[EMAIL PROTECTED]> wrote:
> I will just have to allow these types of mails to go unscanned. Four
> minutes to scan 1 will cause a DOS.
So increase the number of MaxThreads...
> Would it be possible to request that some kind of recursion limit be
>
On Wed, 16 Feb 2005 18:23:51 +0200 in
[EMAIL PROTECTED] Peter Hubbard
<[EMAIL PROTECTED]> wrote:
> > That would be bad idea since it would be v. easy for a virus writer
> > to get around.
>
> Okay. How about an option to dump an email - or flag it as a
> *possible* virus - if a specified recu
On Wed, 2005-02-16 at 16:00 +, Nigel Horne wrote:
> On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
>
> > Would it be possible to request that some kind of recursion limit be added
> > here like there currently is on zip files?
>
> That would be bad idea since it would be v. easy for a vir
On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
> Would it be possible to request that some kind of recursion limit be added
> here like there currently is on zip files?
That would be bad idea since it would be v. easy for a virus writer to get
around.
--
Nigel Horne. Arranger, Composer, Ty
On Wednesday 16 February 2005 17:34, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
> > On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> > > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > > > FOUR MINUTES, 13 SECOND
On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
> On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> > On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > > FOUR MINUTES, 13 SECONDS for an 800k email.
> >
> > Look at the file again. It is NOT an 800k mail. It is over
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> > FOUR MINUTES, 13 SECONDS for an 800k email.
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails
> embedded within each other. By definition the
On Wednesday 16 Feb 2005 14:58, Bogusław Brandys wrote:
> Oversized.Mail ? Do we need such new detection or is better solution ?
I need to finish the work on the new scanner that is already underway (see
mbox.c) which removes the parser.
> Boguslaw Brandys
--
Nigel Horne. Arranger, Composer, T
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Nigel Horne wrote:
> On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
>
>
>>FOUR MINUTES, 13 SECONDS for an 800k email.
>
>
> Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded
> within each other. By definition the larg
* Ted Fines <[EMAIL PROTECTED]> [20050216 17:20]: wrote:
> --On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan
> <[EMAIL PROTECTED]> wrote:
>
> >On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to
> >say:
> >>Would you please send me this attachment off-list.
> >>
> >>Pl
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
> FOUR MINUTES, 13 SECONDS for an 800k email.
Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded
within each other. By definition the largest message is about 800K and the
smallest is about 1K give or take, giving an av
--On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan
<[EMAIL PROTECTED]> wrote:
On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to
say:
Would you please send me this attachment off-list.
Please zip it and password protect it (password='password') so it comes
through.
Tha
Hi list, I have posted before about an issue with clamd hanging and yesterday
we finally managed to find out what the underlying problem was. We came
across an 800k mail that we initially thought was causing clamd to hang. The
truth in fact was that once we turned on debugging, we noticed that cl
On Monday 15 Mar 2004 5:43 pm, Stuart Mycock wrote:
> When I rip out the attachment manually it detects the virus fine.
>
> Shall I submit the sample anyway? I don't want to waste anyone's time if
> this is something that's already being dealt with?
Send me the e-mail and I'll look into it.
-Nig
Stuart Mycock wrote:
Hi all,
RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd or 'clamdscan --mbox' could find the infection,
I presume this is an issue with the MIME handling?
When I rip out the attachment manually it detects the virus fine.
Shal
Hi all,
RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd or 'clamdscan --mbox' could find the infection,
I presume this is an issue with the MIME handling?
When I rip out the attachment manually it detects the virus fine.
Shall I submit the sample
Whatever that means, uudecoding is not working. I have messages where the
virus is inside a regular text message, in uuencoded content, and clamscan
does not catch it.
This message itself is not a mime message, but a simple example of
clamscan needing the help of a decoder. I know there are othe
uudecoding is handled by libclamav/message.c
-Nigel
--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 23 May 2003, [EMAIL PROTECTED] said:
> On Fri, 23 May 2003, Sean Rima wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>>
>> Does clamav (0.54) read understand mime. I am just curious
>>
>> Sean
>> - --
>> Q: Because it reverses the lo
I don't really have a test suite, I'm assuming ripmime works well.
Anybody have a suite of these kinds of messages to run through?
Ricardo
On Fri, 23 May 2003 21:43:04 +0200 Damjan wrote:
> > The only way I can get it to work well for mime and uuencoded messages is
> > to run a program (lik
On Fri, 23 May 2003, Sean Rima wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Does clamav (0.54) read understand mime. I am just curious
>
> Sean
> - --
> Q: Because it reverses the logical flow of conversation.
> A: Why is top posting frowned upon?
Does whatever glues your insta
On 23 May 2003, [EMAIL PROTECTED] spake:
>
> My experience is that it does to some extent. I know, though, that it
> doesn't support uuencoded messages, for example (unless I'm doing
> something wrong).
>
> The only way I can get it to work well for mime and uuencoded messages
> is to run a progra
> The only way I can get it to work well for mime and uuencoded messages is
> to run a program (like ripmime) on the message and then run clamscan on
> the mime parts.
How well does ripmime handle strange/non-standard mime messages like
those generated by viruses?
--
Damjan Georgievski
jabbe
My experience is that it does to some extent. I know, though, that it
doesn't support uuencoded messages, for example (unless I'm doing
something wrong).
The only way I can get it to work well for mime and uuencoded messages is
to run a program (like ripmime) on the message and then run clamscan
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Does clamav (0.54) read understand mime. I am just curious
Sean
- --
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
Normal Email sean AT tcob1 DOT net GPG Key Id 7DA70294
ICQ: 679813 Jabb
42 matches