On 10/3/07 10:45 AM, "Dennis Peterson" <[EMAIL PROTECTED]> wrote:

> Karsten Bräckelmann wrote:
>> On Tue, 2007-10-02 at 10:24 -0700, Dennis Peterson wrote:
>>> Can anyone offer a reason why the OP found a virus in the mbox file but not
>>> in the split out maildir messages? That kind of inconsistency is unsettling.
>> 
>> Rather easy I guess, given your analysis of the RE earlier. :)
>> 
>> Caveat: I have not checked the signature myself, going from your own
>> description only. Also, I assume that "any number of characters"
>> actually includes \n. The signature wouldn't match my FreeGame crap
>> otherwise anyway.
>> 
>> 
>> Somewhat simplified, the signature reads "Subject with the string game"
>> and "an IP style http link".
>> 
>> Scanning maildirs as well as scanning individual messages before
>> delivering, this enforces that both be in the same email. Scanning a
>> whole mbox however, does *not*.
>> 
>> The Subject can be in one message, and the link in another one further
>> down the file. Boom, we got a hit! :)  (Actually, according to your
>> prose description, it neither needs to be a (Subject) header, nor an IP
>> style link.)
>> 
>> 
>> Which raises the question if the OP is correct when stating that ClamAV
>> knows how to handle mbox files. It sure does not look like that. The
>> summary claimed to have scanned one (mbox) file. It did not claim to
>> have scanned a bunch of messages, treated individually and applying the
>> signatures against each of them -- just a single text/plain file, that
>> happens to resemble more than one message.
>> 
>> 
> 
> This is my conclusion too, and the question was really thrown out there for
> comment from the SourceFire folks to provide clarification. Given that clamscan
> knows where in the file it is as well as being aware of the construction of it
> they appear to be very close to doing the right thing so it would be surprising
> to learn they do not.

Cheering from the sidelines:  if in fact ClamAV isn't treating the messages
in an mbox file separately, then one might conclude that either
  a.  ClamAV is presently the wrong tool for scanning the files in the
server mail store, or
  b.  mbox isn't the right form of server mail store if one is using ClamAV
to scan the mail store.

I don't want to conclude a--I *like* ClamAV.  That leaves b, I think.  Of
course, if one's POP and/or IMAP server only understands mbox, getting away
from the problem is "a little harder".

  --John
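As an added illustration (not code from any poster or from ClamAV itself), a small Python model of the cross-message match Karsten describes: a simplified stand-in regex for the signature (the real ClamAV signature is not reproduced here) is run over a constructed two-message mbox once as a single file and once per message. The mbox contents, the regex and the splitting logic are all assumptions made for the demonstration.

```python
import re
from typing import List

# Constructed sample mbox with two separate messages. One has a "game" Subject,
# the other has an IP-style http link. Neither message alone contains both.
SAMPLE_MBOX = """From alice@example.com Tue Oct  2 10:00:00 2007
From: alice@example.com
Subject: Fancy a board game on Friday?

Bring snacks.

From bob@example.com Tue Oct  2 11:00:00 2007
From: bob@example.com
Subject: Server status

The status page is at http://192.0.2.10/status
"""

# Simplified stand-in for the signature discussed on the list (an assumption,
# not the real signature): "Subject with the string game", then "any number of
# characters" (newlines included, hence DOTALL), then an IP-style http link.
SIGNATURE = re.compile(
    r"Subject:[^\n]*game.*http://\d{1,3}(?:\.\d{1,3}){3}",
    re.IGNORECASE | re.DOTALL,
)


def split_mbox(data: str) -> List[str]:
    """Split mbox text into messages on 'From ' separator lines (simplified)."""
    messages: List[str] = []
    current: List[str] = []
    for line in data.splitlines(keepends=True):
        if line.startswith("From ") and current:
            messages.append("".join(current))
            current = []
        current.append(line)
    if current:
        messages.append("".join(current))
    return messages


def scan_whole_file(data: str) -> bool:
    """Scan the mbox as one text file: the signature may span two messages."""
    return SIGNATURE.search(data) is not None


def scan_per_message(data: str) -> List[bool]:
    """Scan each message on its own, as a maildir or pre-delivery scan would."""
    return [SIGNATURE.search(msg) is not None for msg in split_mbox(data)]
```

Scanning the whole file reports a hit while no individual message matches, which is exactly the inconsistency the thread is about.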


_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html