On Wed, 2007-10-03 at 10:45 -0700, Dennis Peterson wrote:
> Karsten Bräckelmann wrote:

Developers, read on. :)

> > Somewhat simplified, the signature reads "Subject with the string game"
> > and "an IP style http link".
> > 
> > Scanning maildirs as well as scanning individual messages before
> > delivery, this enforces that both be in the same email. Scanning a
> > whole mbox however, does *not*.
> > 
> > The Subject can be in one message, and the link in another one further
> > down the file. Boom, we got a hit! :)  (Actually, according to your
> > prose description, it neither needs to be a (Subject) header, nor an IP
> > style link.)
> > 
> > 
> > Which raises the question whether the OP is correct when stating that ClamAV
> > knows how to handle mbox files. It sure does not look like that. The
> > summary claimed to have scanned one (mbox) file. It did not claim to
> > have scanned a bunch of messages, treated individually and applying the
> > signatures against each of them -- just a single text/plain file, that
> > happens to resemble more than one message.
> > 
> 
> This is my conclusion too, and the question was really thrown out there for
> comment from the SourceFire folks to provide clarification. Given that
> clamscan knows where in the file it is, as well as being aware of the
> construction of it, they appear to be very close to doing the right thing,
> so it would be surprising to learn they do not.

Right. :)  Adjusted the Subject accordingly. Maybe this will get some
attention from the developers. Would be nice if someone could shed some
light on this. Or implement it.


Another downside of this approach, together with ClamAV treating mbox
format files as text/plain, is that only the first hit will be reported.
Something to keep in mind for the use case mentioned in that other
thread. All you will gain is the knowledge that the users might have been
exposed to some threat before the good guys caught up. You will *not*
know which threat, since there may be others lurking, too...

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
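Added example (editor's illustration, not from the thread and not ClamAV
code): the two conditions of the signature described above are
approximated with two regexes, "game" in a Subject header and an http link
whose host is a dotted-quad IP address; the real signature syntax and the
name "Example.GameIPLink" are assumptions. The sample mbox files are
constructed. Scanning an mbox as one text/plain blob fires on two
individually harmless messages (the Subject in one, the link in another),
while per-message scanning does not; and on a mailbox with two genuinely
matching messages the whole-file scan yields a single verdict, whereas
per-message scanning reports each hit.

```python
"""Cross-message false positives and the one-verdict problem when an mbox
is scanned as a single text/plain file.  Added example; the regexes only
approximate the signature discussed, they are not ClamAV's syntax."""
import re
from email import message_from_string

# Condition 1: a Subject header containing the string "game".
SUBJECT_GAME = re.compile(r"^Subject:[^\r\n]*game", re.MULTILINE | re.IGNORECASE)
# Condition 2: an http link whose host is a dotted-quad IP address.
IP_LINK = re.compile(r"http://\d{1,3}(?:\.\d{1,3}){3}\b")

SIGNATURE_NAME = "Example.GameIPLink"   # hypothetical name (assumption)

# Constructed sample data (reserved example addresses and networks).
# Messages 1 and 2 are each harmless on their own.
HARMLESS_MBOX = """\
From alice@example.invalid Wed Oct 03 10:00:00 2007
From: alice@example.invalid
Subject: Board game night on Friday

Bring snacks.

From bob@example.invalid Wed Oct 03 10:05:00 2007
From: bob@example.invalid
Subject: Internal wiki moved

The wiki now lives at http://192.0.2.10/wiki until DNS catches up.

"""

# Messages 3 and 4 each satisfy both conditions by themselves.
SPAMMY_MBOX = """\
From spam1@example.invalid Wed Oct 03 11:00:00 2007
From: spam1@example.invalid
Subject: Play our new game now

Click http://198.51.100.7/play

From spam2@example.invalid Wed Oct 03 11:30:00 2007
From: spam2@example.invalid
Subject: Free game downloads

Get them at http://203.0.113.5/dl

"""

FULL_MBOX = HARMLESS_MBOX + SPAMMY_MBOX


def matches(text):
    """The signature fires when both conditions hold anywhere in *text*."""
    return bool(SUBJECT_GAME.search(text) and IP_LINK.search(text))


def scan_whole_file(mbox_text):
    """Treat the mbox as one text/plain file: a single verdict for the
    whole file, with no notion of message boundaries."""
    return SIGNATURE_NAME if matches(mbox_text) else None


def split_mbox(mbox_text):
    """Split at mbox 'From ' separator lines.  Body lines starting with
    'From ' are assumed to be '>From '-escaped, as the format requires."""
    chunks = re.split(r"^From ", mbox_text, flags=re.MULTILINE)
    return [c for c in chunks if c.strip()]


def scan_per_message(mbox_text):
    """Apply the signature to each message on its own and report every
    hit as (message number, Subject) instead of a single verdict."""
    hits = []
    for number, chunk in enumerate(split_mbox(mbox_text), start=1):
        # Drop the rest of the envelope 'From ' line; what remains is an
        # RFC 2822 message the email parser understands.
        raw_message = chunk.split("\n", 1)[1]
        if matches(raw_message):
            subject = message_from_string(raw_message)["Subject"]
            hits.append((number, subject))
    return hits


if __name__ == "__main__":
    print("harmless, whole file :", scan_whole_file(HARMLESS_MBOX))
    print("harmless, per message:", scan_per_message(HARMLESS_MBOX))
    print("full, whole file     :", scan_whole_file(FULL_MBOX))
    print("full, per message    :", scan_per_message(FULL_MBOX))
```

Run it directly; the harmless mailbox produces a hit only in the
whole-file scan, and the full mailbox produces one verdict from the
whole-file scan but two numbered hits from the per-message scan.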
