Re: [Clamav-users] Re: There is something I dont get here ...

2004-05-06 Thread Joe Maimon


Flynn wrote:

> > There are many ways to do this - using the --mbox option should detect
> > the virus if the _full_ e-mail is scanned by ClamAV.
>
> Well - let me clarify this situation very carefully :
>
> (v0.70)-clamscan --mbox does *NOT* recognize the _full_ email as a virus.

I have experienced the same issue.
There is always supposed to be a Received: header, but stuff was
being quarantined by amavis that did not have one or was not otherwise
recognized as mbox.
See the mbox-force patch at http://www.jmaimon.com/clamav for an
experimental workaround.

---
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to 
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users


Re: [Clamav-users] Re: There is something I dont get here ...

2004-05-06 Thread Nigel Horne
On Thursday 06 May 2004 9:46 am, Flynn wrote:

> Honest: I am convinced we face a bug here.

Have you tried with the latest version in CVS? If so and
it still fails, zip the e-mail, password virus, and send me a copy.

> Rgds,
> Flynn

-Nigel

-- 
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK.  ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk





RE: [Clamav-users] Re: There is something I dont get here ...

2004-05-06 Thread Diego d'Ambra
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Flynn
> Sent: 6 May 2004 10:46
> To: [EMAIL PROTECTED]
> Subject: [Clamav-users] Re: There is something I dont get here ...
> 
> > There are many ways to do this - using the --mbox option should detect
> > the virus if the _full_ e-mail is scanned by ClamAV.
> 
> Well - let me clarify this situation very carefully :
> 
> (v0.70)-clamscan --mbox does *NOT* recognize the _full_ email as a virus.
>

Sorry, but this is not true.

If I add the missing header line:
---snip, header sample---
Received: from some.domain.com (localhost [127.0.0.1])
	by localhost (Postfix) with ESMTP id CD9322FB24
	for <[EMAIL PROTECTED]>; Sun, 14 Mar 2004 06:09:04 +0100 (CET)
---snip---

The result is:
---snip---
[EMAIL PROTECTED] virus]# clamscan --mbox ./virus.eml
./virus.eml: Worm.SomeFool.Gen-1 FOUND

--- SCAN SUMMARY ---
Known viruses: 21425
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 1.656 sec (0 m 1 s)
---snip---

> snapshot-clamscan --mbox does *NOT* recognize the _full_ email as a
> virus.
> clamscan --mbox does *NOT* recognize the included corrupted email as a
> virus.
> clamscan does recognize the included script (the virus itself) as a
> virus.
> 

Hmm, again I'm able to detect the virus.

Extract of the binary:
---snip---
[EMAIL PROTECTED] virus]# reformime -e -s 1.2 < virus.eml > virus.bin
[EMAIL PROTECTED] virus]# clamscan ./virus.bin
./virus.bin: Worm.SomeFool.Gen-1 FOUND

--- SCAN SUMMARY ---
Known viruses: 21425
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 1.358 sec (0 m 1 s)
---snip---

> 
> Honest: I am convinced we face a bug here.
> 

I'm not, but you're welcome to submit the _full_ e-mail (I suspect the
sample I'm looking at is only a partial bounced sample) :-)

Best regards,
Diego d'Ambra
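
The two checks run in the message above (is a Received: header present, and does the extracted MIME part scan on its own, as with `reformime -e`), written in Python as an added example that is not part of the original thread. The sample message, the payload and the helper names are constructed for illustration.

```python
import base64
import email
import os
import tempfile
from email import policy

PAYLOAD = b"HARMLESS-PLACEHOLDER"  # constructed stand-in for an attachment body

# Constructed sample message; note that it has no Received: header.
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
    b"--BOUND\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
    b"--BOUND\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="sample.bin"\r\n\r\n'
    + base64.b64encode(PAYLOAD) + b"\r\n--BOUND--\r\n"
)


def has_received_header(raw: bytes) -> bool:
    """True if the message carries at least one Received: header."""
    return email.message_from_bytes(raw, policy=policy.default)["Received"] is not None


def leaf_parts(raw: bytes):
    """Yield (content_type, decoded_bytes) for every non-multipart MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if not part.is_multipart():
            yield part.get_content_type(), part.get_payload(decode=True) or b""


def dump_parts(raw: bytes, outdir: str):
    """Write each decoded part to outdir. Names are generated, never taken
    from the message, so a hostile filename cannot escape the directory."""
    paths = []
    for n, (_ctype, data) in enumerate(leaf_parts(raw), start=1):
        path = os.path.join(outdir, f"part-{n}.bin")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    print("Received header present:", has_received_header(SAMPLE))
    with tempfile.TemporaryDirectory() as d:
        for p in dump_parts(SAMPLE, d):
            print(p, os.path.getsize(p), "bytes")  # files to hand to the scanner
```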





[Clamav-users] Re: There is something I dont get here ...

2004-05-06 Thread Flynn
> There are many ways to do this - using the --mbox option should detect
> the virus if the _full_ e-mail is scanned by ClamAV.

Well - let me clarify this situation very carefully :

(v0.70)-clamscan --mbox does *NOT* recognize the _full_ email as a virus.
snapshot-clamscan --mbox does *NOT* recognize the _full_ email as a virus.
clamscan --mbox does *NOT* recognize the included corrupted email as a
virus.
clamscan does recognize the included script (the virus itself) as a virus.

Fprot does recognize the _full_ email as a virus.
Fprot does recognize the included corrupted email as a virus.
Fprot does recognize the included script (the virus itself) as a virus.

Your on-line scanner does recognize the _full_ email as a virus.
Your on-line scanner does *NOT* recognize the included corrupted email as a
virus.
I suppose that your on-line scanner does recognize the included script (the
virus itself) as a virus.

Honest: I am convinced we face a bug here.

Rgds,
Flynn


