> > Unless you separate the mbox file(s) into maildir files and then you get exactly what
> > you expect. It is, however, an annoying additional step one must take to ensure
> > systems are as secure as possible.
>
> Of course. However, I got the impression that neither of the recent
> reporters does this additional step. Also, this gets even more annoying
> (and maybe impossible) when dealing with PST files (which one of the OPs
> does).
Hi, if one of those reporters is me, I don't "advocate" doing what I do. I was justifying why I do it :-). My server is mostly idle, and being paranoid doesn't hurt.

My main original complaint was not that clamav was not separating and showing individual emails (I already knew that that's how it works), but that the FreeGame signature was way too prone to false positives. That signature, coupled with the monolithic mbox scan, created most (if not all) of my false alarms, but I filed a sample file for the false positive, not a "bug" for the monolithic scanning.

To me, it is more logical/easier/less annoying to explode the mboxes ONLY if something is found in them instead of exploding all the mboxes to scan them (in 99.842% of the cases, they will be clean anyway). I scan not only the spool, but the personal user mbox files, created by openwebmail.

In the two occasions clamav found problems in the mboxes (one being this FreeGame, the other a (false) phishing alarm), I just used a one-liner "perl -e" to narrow down to the minimum chunk of mbox which produced the alarm. Down to details, dichotomy didn't work well for FreeGame, because the "top" and "bottom" of the FreeGame signature were too far apart. Instead the one-liner progressively chopped the top and bottom of the file, and produced a "minimum" chunk (in the FreeGame's case, the first and last lines were what mattered). Not sure if that would work with PST (didn't have to dig any PST yet).

In the FreeGame case, I just removed the signature from daily.ndb. In the false phishing alarm, I edited the user mbox in vi (it was a "for more information about amazon.com" link pointing to the amazon.com page of a news site, not "www.amazon.com"). Changed the amazon.com to amazon,com (which is what I'd do if I was a phisher). Again, I am not "advocating" that vi is the tool to fix mbox false alarms on the 100000+ user ISP the guy next door runs.

I did that in the 50-some user network I administer in my free time (my company has no formal IT department nor dedicated IT personnel). I just replied to a guy who had the same false alarm as me, since I already had found the workaround (and had submitted the sample false positive file). Then the wrath of the heavens broke down on me.

Sorry,
Joao S Veiga

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
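The two techniques the poster describes, trimming a monolithic mbox from the top and bottom until only the chunk that still trips the scanner is left (bisection fails when a signature's two anchors are far apart), and exploding an mbox into per-message files only once a hit has been reported, as an added example in Python. This is not the poster's perl one-liner and not ClamAV code; the `clamscan` predicate assumes a clamscan binary on PATH and the convention that exit status 1 means a detection, and the sample mbox and the two-anchor "signature" used for the self-test are constructed stand-ins for the real signature:

```python
"""Added example: narrowing a detection in a monolithic mbox to the smallest
contiguous chunk that still fires, and exploding an mbox into one file per
message so a flagged message can be inspected on its own."""
import mailbox
import os
import subprocess
import tempfile
from typing import Callable, List

Lines = List[bytes]


def scanner_flags(path: str) -> bool:
    """Real predicate (assumption: clamscan on PATH, exit status 1 == detection).
    Not exercised by the self-test below, which uses a constructed signature."""
    result = subprocess.run(["clamscan", "--no-summary", path], capture_output=True)
    return result.returncode == 1


def file_predicate(scanner: Callable[[str], bool]) -> Callable[[Lines], bool]:
    """Adapt a path-based scanner to the line-list interface of minimize_chunk
    by writing each candidate chunk to a temporary file."""
    def pred(lines: Lines) -> bool:
        with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as fh:
            fh.write(b"\n".join(lines) + b"\n")
            path = fh.name
        try:
            return scanner(path)
        finally:
            os.unlink(path)
    return pred


def minimize_chunk(lines: Lines, triggers: Callable[[Lines], bool]) -> Lines:
    """Shrink `lines` from both ends while the predicate still fires.

    Plain dichotomy loses one anchor of a two-anchor signature in each half,
    so neither half fires. Trimming a shrinking window off the top and then
    the bottom keeps both anchors and converges on the minimal contiguous span
    (the middle is left intact, as in the poster's description)."""
    if not triggers(lines):
        raise ValueError("predicate does not fire on the full input")
    step = max(1, len(lines) // 2)
    while step >= 1:
        progressed = True
        while progressed:
            progressed = False
            if len(lines) > step and triggers(lines[step:]):   # drop from the top
                lines = lines[step:]
                progressed = True
            if len(lines) > step and triggers(lines[:-step]):  # drop from the bottom
                lines = lines[:-step]
                progressed = True
        step //= 2
    return lines


def split_mbox(path: str, outdir: str) -> List[str]:
    """Explode an mbox into one .eml file per message using the stdlib
    mailbox module, so each message can be scanned and examined separately."""
    os.makedirs(outdir, exist_ok=True)
    written = []
    for i, msg in enumerate(mailbox.mbox(path)):
        out = os.path.join(outdir, f"msg-{i:05d}.eml")
        with open(out, "wb") as fh:
            fh.write(msg.as_bytes())
        written.append(out)
    return written


# Constructed sample: two messages, the second carrying two far-apart anchors.
SAMPLE_MBOX: Lines = (
    [b"From bob@example.invalid Mon Jan  1 00:00:00 2007", b"Subject: clean", b"",
     b"nothing to see", b""]
    + [b"From alice@example.invalid Mon Jan  1 00:01:00 2007", b"Subject: hello",
       b"X-Test: ANCHOR-TOP", b""]
    + [b"filler line %d" % i for i in range(40)]
    + [b"ANCHOR-BOTTOM marker", b"trailing noise"]
)


def fake_signature(lines: Lines) -> bool:
    """Constructed stand-in for a two-anchor signature: fires only when both
    anchors are present, however far apart they are."""
    blob = b"\n".join(lines)
    return b"ANCHOR-TOP" in blob and b"ANCHOR-BOTTOM" in blob


def demo_minimize() -> Lines:
    return minimize_chunk(list(SAMPLE_MBOX), fake_signature)


def demo_split_sample() -> int:
    """Write the constructed sample mbox to a temp dir, explode it, count files."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sample.mbox")
        with open(src, "wb") as fh:
            fh.write(b"\n".join(SAMPLE_MBOX) + b"\n")
        return len(split_mbox(src, os.path.join(tmp, "exploded")))


if __name__ == "__main__":
    chunk = demo_minimize()
    print(f"minimal chunk: {len(chunk)} lines, first={chunk[0]!r}, last={chunk[-1]!r}")
    print(f"exploded sample into {demo_split_sample()} messages")
```

Against a real mbox you would call `minimize_chunk(open(path, "rb").read().split(b"\n"), file_predicate(scanner_flags))`; every candidate chunk is written out and scanned, so the cost is one clamscan run per trim attempt, which is only worth paying for the handful of mboxes that already produced a hit.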