Karsten Bräckelmann wrote:
> On Wed, 2007-10-03 at 10:45 -0700, Dennis Peterson wrote:
>> Karsten Bräckelmann wrote:
>
> Developers, read on. :)
>
>>> Somewhat simplified, the signature reads "Subject with the string game"
>>> and "an IP style http link".
>>>
>>> Scanning maildirs as well as scanning individual messages before
>>> delivering, this enforces that both be in the same email. Scanning a
>>> whole mbox, however, does *not*.
>>>
>>> The Subject can be in one message, and the link in another one further
>>> down the file. Boom, we got a hit! :) (Actually, according to your
>>> prose description, it neither needs to be a (Subject) header, nor an IP
>>> style link.)
>>>
>>>
>>> Which raises the question whether the OP is correct when stating that ClamAV
>>> knows how to handle mbox files. It sure does not look like that. The
>>> summary claimed to have scanned one (mbox) file. It did not claim to
>>> have scanned a bunch of messages, treated individually and applying the
>>> signatures against each of them -- just a single text/plain file that
>>> happens to resemble more than one message.
>>>
>> This is my conclusion too, and the question was really thrown out there for
>> comment from the SourceFire folks to provide clarification. Given that clamscan
>> knows where in the file it is, as well as being aware of the construction of it,
>> they appear to be very close to doing the right thing, so it would be
>> surprising to learn they do not.
>
> Right. :) Adjusted the Subject accordingly. Maybe this will get some
> attention from the developers. Would be nice if someone could shed some
> light on this. Or implement it.
>
>
> Another downside of this approach, together with ClamAV treating mbox
> format files as text/plain, is that only the first hit will be reported.
> Something to keep in mind for the use case mentioned in that other
> thread.
>
> All you will gain is the knowledge that the users might have been
> exposed to some threat before the good guys caught up. You will *not*
> know which threat, since there may be others lurking, too...
>
> guenther
>

Since clamav treats elm and Mozilla/Thunderbird folders as though they were mbox
format (they're very close), this same issue can come up when scanning user space
where such files would exist.

dp

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
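An added example, not code from the thread or from ClamAV, to make the cross-message hit concrete: the script below applies a two-part signature once to a whole mbox treated as one text/plain blob, and once to each message separately. The "signature" is a simplified reconstruction of the prose description above (a Subject line containing "game" plus an IP-style http link), not a real ClamAV signature; the mailbox is constructed for the demo; and the `From `-line splitter is a hypothetical stand-in for whatever ClamAV's own mbox handling does.

```python
"""Whole-file versus per-message application of a two-part signature.

Added example, not ClamAV code.  The signature, the mailbox and the mbox
splitter are all constructed here for illustration.
"""
import re
from email import message_from_bytes
from email.policy import default

# Constructed sample mailbox (not a real capture).  Message one has the
# "game" Subject but no IP link; message two has an IP link but a harmless
# Subject.  Neither message matches the two-part signature on its own.
SAMPLE_MBOX = b"""From alice@example.invalid Wed Oct 03 10:45:00 2007
From: alice@example.invalid
Subject: Tonight's game schedule
Message-ID: <one@example.invalid>

Kickoff moved to 8pm.

From bob@example.invalid Wed Oct 03 10:46:00 2007
From: bob@example.invalid
Subject: Weekly report
Message-ID: <two@example.invalid>

Report is at http://192.0.2.10/reports/week40.html
"""

# A third constructed message that genuinely carries both parts.
REAL_HIT = b"""
From eve@example.invalid Wed Oct 03 10:47:00 2007
From: eve@example.invalid
Subject: Free game download!!
Message-ID: <three@example.invalid>

Get it now: http://198.51.100.7/setup.exe
"""

# Simplified stand-in for the signature described in the thread.
SUBJECT_GAME = re.compile(rb"^Subject:.*\bgame\b", re.IGNORECASE | re.MULTILINE)
IP_LINK = re.compile(rb"http://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]\S*)?", re.IGNORECASE)
# mbox envelope separator: a line that begins with "From " (note the space;
# the "From:" header does not match).  Body lines starting with "From " are
# assumed to be escaped as ">From " by the writer, as mboxo convention has it.
ENVELOPE = re.compile(rb"^(?=From )", re.MULTILINE)


def signature_hits(blob: bytes) -> bool:
    """Both parts must occur somewhere within the same scan unit."""
    return bool(SUBJECT_GAME.search(blob)) and bool(IP_LINK.search(blob))


def scan_as_text(mbox_data: bytes) -> bool:
    """Whole-file scan: the text/plain treatment discussed in the thread.

    All headers and bodies form one search space, so the two parts of the
    signature may come from different messages and still produce a hit.
    """
    return signature_hits(mbox_data)


def split_mbox(mbox_data: bytes) -> list:
    """Split an mbox into raw RFC 5322 messages (envelope line removed)."""
    messages = []
    for chunk in ENVELOPE.split(mbox_data):
        if not chunk.strip():
            continue
        _envelope, _, rfc822 = chunk.partition(b"\n")
        messages.append(rfc822.rstrip(b"\n") + b"\n")
    return messages


def scan_per_message(mbox_data: bytes) -> list:
    """Apply the signature to each message on its own.

    Returns the Message-ID of every matching message, so a mailbox with
    several infected messages reports all of them, not just the first.
    """
    hits = []
    for raw in split_mbox(mbox_data):
        if signature_hits(raw):
            msg = message_from_bytes(raw, policy=default)
            hits.append(str(msg["Message-ID"]))
    return hits


if __name__ == "__main__":
    print("whole-file scan, two clean messages:", scan_as_text(SAMPLE_MBOX))
    print("per-message scan, two clean messages:", scan_per_message(SAMPLE_MBOX))
    print("per-message scan with real hit:", scan_per_message(SAMPLE_MBOX + REAL_HIT))
```

Running it shows the false positive the thread describes: the whole-file scan reports a hit on two individually clean messages, while the per-message scan reports nothing for them and, once the third message is appended, names exactly that message. The same splitter applies unchanged to elm and Thunderbird folders as long as they keep the "From " envelope convention.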