Karsten Bräckelmann wrote:
> On Tue, 2007-10-02 at 10:24 -0700, Dennis Peterson wrote:
>> Can anyone offer a reason why the OP found a virus in the mbox file but not
>> in the split out maildir messages? That kind of inconsistency is unsettling.
> 
> Rather easy I guess, given your analysis of the RE earlier. :)
> 
> Caveat: I have not checked the signature myself, going from your own
> description only. Also, I assume that "any number of characters"
> actually includes \n. The signature wouldn't match my FreeGame crap
> otherwise anyway.
> 
> 
> Somewhat simplified, the signature reads "Subject with the string game"
> and "an IP style http link".
> 
> Scanning maildirs as well as scanning individual messages before
> delivering, this enforces that both be in the same email. Scanning a
> whole mbox however, does *not*.
> 
> The Subject can be in one message, and the link in another one further
> down the file. Boom, we got a hit! :)  (Actually, according to your
> prose description, it neither needs to be a (Subject) header, nor an IP
> style link.)
> 
> 
> Which raises the question if the OP is correct when stating that ClamAV
> knows how to handle mbox files. It sure does not look like that. The
> summary claimed to have scanned one (mbox) file. It did not claim to
> have scanned a bunch of messages, treated individually and applying the
> signatures against each of them -- just a single text/plain file, that
> happens to resemble more than one message.
> 
> 

This is my conclusion too, and the question was really thrown out there for
comment from the SourceFire folks to provide clarification. Given that clamscan
knows where in the file it is as well as being aware of the construction of it
they appear to be very close to doing the right thing so it would be surprising
to learn they do not.

dp
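
Added example, not part of the original message and not ClamAV code: the effect described in the thread, where a pattern with an unbounded "any characters" gap hits on a flat mbox file but on none of the individual messages. The regex is a stand-in built from the prose description quoted above (an assumption, not the real signature), and the two-message mbox is constructed sample data.

```python
import re

# Stand-in for the signature as described in the thread (an assumption, not the
# real ClamAV signature): "Subject ... game", any characters including
# newlines, then an IP-style http link.
SIG = re.compile(rb"Subject:[^\n]*game.*?http://\d{1,3}(?:\.\d{1,3}){3}", re.S | re.I)

# Constructed sample mbox: two harmless messages. Neither contains both halves.
SAMPLE_MBOX = (
    b"From alice@example.org Tue Oct  2 10:00:00 2007\n"
    b"Subject: free game night on Friday\n"
    b"\n"
    b"Bring snacks.\n"
    b"\n"
    b"From bob@example.org Tue Oct  2 11:00:00 2007\n"
    b"Subject: router config\n"
    b"\n"
    b"The admin page is at http://192.0.2.10/ on the lab network.\n"
    b"\n"
)

def split_mbox(data):
    """Split mbox bytes into messages at 'From ' separator lines.
    Simplified: assumes body lines starting with 'From ' are escaped."""
    messages, current = [], []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From ") and current:
            messages.append(b"".join(current))
            current = []
        current.append(line)
    if current:
        messages.append(b"".join(current))
    return messages

def scan_whole_file(data):
    """Treat the mbox as one flat file, as the thread suspects happened."""
    return SIG.search(data) is not None

def scan_per_message(data):
    """Apply the signature to each message separately; return hit indexes."""
    return [i for i, m in enumerate(split_mbox(data)) if SIG.search(m)]

if __name__ == "__main__":
    print("whole-file hit:", scan_whole_file(SAMPLE_MBOX))
    print("per-message hits:", scan_per_message(SAMPLE_MBOX))
```

Running both scans over the same mailbox and comparing the results is a quick way to tell a cross-message false positive from a message that really contains both parts of the pattern.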