On Friday 30 July 2004 03:03 am, Martin Blapp wrote:

> Clamav is not catching 5 tests, and viri are slipping through! At least
> test 8 and 23 are very important to catch I think:

There's timing... I was just looking at this stuff yesterday. I got the
same results initially (except for #25, which had been defanged), but
after investigation was able to easily block the rest by copying a few
bits over from the current example filter. From what I can tell, it
looks like these would all be detected by a default install of the
latest MIMEDefang paired with a current clamd with the ScanMail option
enabled.

> Test #5: Eicar virus sent using BinHex encoding (this is a rarely used
> Macintosh mail format)
>
> Test #8: Eicar virus sent using BinHex encoding within a MIME segment sent

Actually, it's MIMEDefang that doesn't detect these, because it doesn't
decode BinHex. So if you're just passing the message parts MD sees to
ClamAV, it doesn't have a chance to see them. ClamAV will detect them in
the raw message if you have the ScanMail option active in clamav.conf.

Take a cue from the current example filter and call
md_copy_orig_msg_to_work_dir_as_mbox_file() just before calling
message_contains_virus. This way, clamd gets to look at the raw message
in addition to the MD-decoded parts and will pick out the BinHex
attachment. Note that you have to do something in response to this
rather than wait for entity_contains_virus, because MD won't see that
entity.

> Test #22: Eicar virus within zip file hidden using the "MIME
> Continuation Vulnerability" (attachment can be opened by all
> versions of Microsoft Outlook and Outlook Express)
>
> Test #23: Eicar virus within zip file hidden using the "Empty MIME
> Boundary Vulnerability" (attachment can be opened by all versions
> of Microsoft Outlook and Outlook Express)

Interestingly, after I made that change I discovered that Clam was
picking up these two as well. Given the wide range of MIME parsers and
malformations that will slip by some and get picked up by others, it's
good to have two different implementations scanning your mail.

Again, you have to take action on message_contains_virus, and not wait
for the per-entity results, because MD will see these as invalid MIME
and not as attachments.

> Test #25 (non-virus): Attachment with a CLSID extension which may hide
> the real file extension. This does not include the Eicar virus, however
> your mailserver should still block this since the CLSID technique can
> be used to hide the true extension of a malicious file. (attachment can
> be opened by any Windows computer)

ClamAV has no reason to detect this: it doesn't include a virus. That
said, MIMEDefang's default filter_bad_filename should pick this up. It
does here.

--
Kelson Vibber
SpeedGate Communications, <www.speed.net>

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
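The filter_begin change described in the message above, written out as an added example; it is not code from the original post and not a copy of MIMEDefang's shipped example filter. It assumes the MIMEDefang filter API of that era: md_copy_orig_msg_to_work_dir_as_mbox_file(), message_contains_virus() returning a ($code, $category, $action) triple, the globals $VirusName and $RelayAddr, and the action_* and md_syslog helpers. It also assumes clamd's clamav.conf has ScanMail enabled, so clamd parses the mbox copy itself. This is a fragment for /etc/mail/mimedefang-filter and only runs inside mimedefang.pl, not as a stand-alone script.

```perl
# Added example: filter_begin() for /etc/mail/mimedefang-filter.
# Assumes the MIMEDefang filter API (md_copy_orig_msg_to_work_dir_as_mbox_file,
# message_contains_virus, $VirusName, $RelayAddr, action_tempfail,
# action_quarantine_entire_message, action_discard, md_syslog) and a clamd
# whose clamav.conf has "ScanMail" turned on.

sub filter_begin () {
    # Hand the scanner the complete, undecoded message as an mbox file in
    # the working directory. MIMEDefang's own MIME walk never produces a
    # BinHex part (it does not decode BinHex) and never produces an
    # attachment for a malformed or empty boundary, so without this copy
    # those bytes never reach clamd at all.
    md_copy_orig_msg_to_work_dir_as_mbox_file();

    # Scan the decoded parts and the raw mbox copy with every configured
    # scanner. $action is one of "ok", "quarantine", "discard" or
    # "tempfail", as decided by the scanner wrappers in mimedefang.pl.
    my ($code, $category, $action) = message_contains_virus();

    if ($action eq "tempfail") {
        # Scanner failure is not a clean verdict: defer instead of passing
        # an unscanned message through.
        action_tempfail("Virus scanner unavailable; please retry later");
        return;
    }

    return unless $action eq "quarantine" or $action eq "discard";

    # Act here, on the whole-message result. A per-entity check in filter()
    # via entity_contains_virus() would never fire for the BinHex or
    # broken-boundary cases, because MIMEDefang has no entity for them.
    my $name = (defined $VirusName and $VirusName ne "")
             ? $VirusName : "unknown virus";
    md_syslog("warning",
              "Discarding message from $RelayAddr: scanner reported $name");

    if ($action eq "quarantine") {
        action_quarantine_entire_message("A virus was found: $name");
    }

    # Never deliver a message the scanner flagged. Bouncing would only
    # notify a forged sender, so drop it silently after quarantining.
    action_discard();
}
```

Because the verdict comes from the raw mbox scan, filter() and filter_multipart() never see the offending part; any logging, quarantining or notification you want for these cases has to live in filter_begin as shown, and filter_bad_filename still runs separately for cases like the CLSID-extension attachment that carry no virus signature.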