On Wed, Jul 27, 2005 at 02:26:06PM -0400, Jim Maul wrote: > I believe the OP is referring to a new technique being used by virus > writers where the email has a zip attachment which APPEARS to be 0 bytes > (in the zip header) but when uncompressed, the file is in fact not 0 > bytes. There was a recent article about this somewhere but i am unable > to find the link ATM.
So, It could be nice if clamav can block those files, but on my -devel it dosn't work: $ echo 'Zip.Empty:0:*:0:0:00000000:0:1:1' > ./local/empty.zmd $ clamscan -d ./local -r --debug /tmp/empty.zip LibClamAV debug: Loading databases from ./local LibClamAV debug: Loading ./local/local.db LibClamAV debug: Initializing main node LibClamAV debug: Initializing trie LibClamAV debug: Initializing BM tables LibClamAV debug: in cli_bm_init() LibClamAV debug: BM: Number of indexes = 63744 LibClamAV debug: Loading ./local/local.hdb LibClamAV debug: Initializing md5 list structure LibClamAV debug: Loading ./local/attic.db LibClamAV debug: Loading ./local/local.ndb LibClamAV debug: Loading ./local/uce.ndb LibClamAV debug: Loading ./local/empty.zmd LibClamAV debug: Loading ./local/movies.ndb LibClamAV debug: Loading ./local/main.db LibClamAV debug: Loading ./local/main.hdb LibClamAV debug: Loading ./local/main.ndb LibClamAV debug: Loading ./local/main.zmd LibClamAV debug: Loading ./local/main.fp LibClamAV debug: Loading ./local/daily.db LibClamAV debug: Loading ./local/daily.hdb LibClamAV debug: Loading ./local/daily.ndb LibClamAV debug: Recognized ZIP file LibClamAV debug: in scanzip() LibClamAV debug: Zip: empty.txt, crc32: 0x0, encrypted: 0, compressed: 0, normal: 0, method: 0, ratio: 0 (max: 250) LibClamAV debug: Calculated MD5 checksum: 14e68330404811410409adf0b1fc2306 /tmp/empty.zip: OK ----------- SCAN SUMMARY ----------- Known viruses: 37224 Engine version: devel-20050727 Scanned directories: 0 Scanned files: 1 Infected files: 0 Data scanned: 0.00 MB Time: 1.536 sec (0 m 1 s) Can I say it's a bug? -- best regards q# _______________________________________________ http://lurker.clamav.net/list/clamav-users.html
