Hi, I have a folder (mbox folder under PINE) in which I've kept a few virus messages around to help me with scan testing. There are 8 messages in there. I currently run RAV antivirus on another box, and if I scan that folder (the mbox file) with ravav I get this:
/home/r.../viruses->(part0001:)->(IFRAME0000) Infected: HTML/IFrame_Exploit*
/home/r...il/viruses->(part0002:DOCS.DOC.pif) Infected: Win32/[EMAIL PROTECTED]
/home/r...uses->(part0004:Officiants.doc.pif) Infected: Win32/[EMAIL PROTECTED]
/home/r...viruses->(part0006:ME_NUDE.MP3.scr) Infected: Win32/[EMAIL PROTECTED]
/home/r...l/viruses->(part0007:SETUP.DOC.scr) Infected: Win32/[EMAIL PROTECTED]
/home/r...s->(part0008:www.myparty.yahoo.com) Infected: Win32/[EMAIL PROTECTED]
/home/r...s->(part0009:www.myparty.yahoo.com) Infected: Win32/[EMAIL PROTECTED]
/home/r...uses->(part0010:Officiants.doc.pif) Infected: Win32/[EMAIL PROTECTED]
/home/r...11:)->(part0001:Officiants.doc.lnk) Infected: Win32/[EMAIL PROTECTED]
Infected: 9. Different virus bodies: 4.

So in the 8 messages it found 9 viruses. Then I tested clamav in 2 different ways, one where I ran clamscan on the mbox file itself, the other where I forwarded each message individually to another account, and then later manually ran clamscan on each individual message (messages stored in maildir format, so ran the files individually through clamscan). Here are my results:

# cat /tmp/viruses.mbox |clamscan --mbox -
/tmp/e28834880f1d6b5b/textportionnM5YLG: OK
/tmp/e28834880f1d6b5b/Officiants.doc.pifXdVedm.pif: Sircam FOUND
/tmp/e28834880f1d6b5b/textportionNHL2E1: OK
/tmp/e28834880f1d6b5b/textportionmC146G: OK
/tmp/e28834880f1d6b5b/Officiants.doc.pifmBcbCm.pif: Sircam FOUND
/tmp/e28834880f1d6b5b/Officiants.doc.lnkmeTga2.lnk: Sircam FOUND

----------- SCAN SUMMARY -----------
Known viruses: 7286
Scanned directories: 1
Scanned files: 6
Infected files: 3
Data scanned: 0.38 Mb
I/O buffer size: 131072 bytes
Time: 1.160 sec (0 m 1 s)

So with --mbox, it only finds 3 of the 9 infected. With individual file scanning, NO viruses are found... :-( how can that be?

# clamscan /tmp/viruses
/tmp/viruses/1052155096.M598808P5794V000000000000000AI008325A7_0.server2.americasnet.com,S=41499: OK
/tmp/viruses/1052155101.M342071P5820V000000000000000AI008431CD_0.server2.americasnet.com,S=226902: OK
/tmp/viruses/1052155106.M834887P5846V000000000000000AI008431D0_0.server2.americasnet.com,S=41502: OK
/tmp/viruses/1052155113.M833382P5872V000000000000000AI008431D1_0.server2.americasnet.com,S=41431: OK
/tmp/viruses/1052155122.M751341P5898V000000000000000AI008431D2_0.server2.americasnet.com,S=41990: OK
/tmp/viruses/1052155128.M852730P5924V000000000000000AI008431D3_0.server2.americasnet.com,S=41981: OK
/tmp/viruses/1052155136.M327169P5950V000000000000000AI008431D4_0.server2.americasnet.com,S=226902: OK
/tmp/viruses/1052155143.M329226P5976V000000000000000AI008431D5_0.server2.americasnet.com,S=226904: OK

----------- SCAN SUMMARY -----------
Known viruses: 7286
Scanned directories: 1
Scanned files: 8
Infected files: 0
Data scanned: 0.84 Mb
I/O buffer size: 131072 bytes
Time: 0.729 sec (0 m 0 s)
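
An added example, not part of the original post: when two scanners report different per-part counts for the same mbox, a Python inventory of each message's MIME attachments gives a baseline to compare against, and shows whether an attachment's decoded bytes appear verbatim in the raw file. The sample mbox, PAYLOAD, and all function names are constructed for illustration; no real malware is involved.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

RISKY_EXT = {".pif", ".scr", ".lnk"}     # extensions seen in the scan output above
PAYLOAD = b"CONSTRUCTED-HARMLESS-BYTES"  # constructed stand-in for an attachment body

def build_sample_mbox(path):
    """Write a constructed two-message mbox; the second has no attachment."""
    box = mailbox.mbox(path)
    for subject, names in [("msg-1", ["Officiants.doc.pif"]), ("msg-2", [])]:
        msg = EmailMessage()
        msg["From"] = "sender@example.com"
        msg["Subject"] = subject
        msg.set_content("plain text body")
        for name in names:
            msg.add_attachment(PAYLOAD, maintype="application",
                               subtype="octet-stream", filename=name)
        box.add(msg)
    box.close()

def inventory(path):
    """Per message: subject and a list of (filename, risky_ext, decoded_bytes)."""
    box = mailbox.mbox(path, create=False)
    report = []
    for msg in box:
        parts = []
        for part in msg.walk():
            name = part.get_filename()
            if name:  # only parts that carry an attachment filename
                ext = os.path.splitext(name.lower())[1]
                parts.append((name, ext in RISKY_EXT, part.get_payload(decode=True)))
        report.append((msg["Subject"], parts))
    box.close()
    return report

def demo():
    """Build the sample, inventory it, and check how the payload sits on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "viruses.mbox")
        build_sample_mbox(path)
        with open(path, "rb") as fh:
            raw = fh.read()
        return inventory(path), PAYLOAD in raw

if __name__ == "__main__":
    report, payload_visible_raw = demo()
    for subject, parts in report:
        print(subject, [(n, risky) for n, risky, _ in parts])
    print("payload bytes visible in raw mbox:", payload_visible_raw)
```

In the constructed sample the attachment is stored base64-encoded, so its decoded bytes are recovered by the MIME walk but do not appear in the raw file contents.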
