Hello, I'm running Mac OS X (10.5.3, up to date), up to date MacPorts and clamav 0.93.1 installed via MacPorts.
clamdscan --version says:

ClamAV 0.93.1/7583/Sat Jun 28 08:00:59 2008

Earlier today, I happened to scan my /System/Library/CoreServices with clamdscan, and it came back and said that the file boot.efi was a broken executable. To check, I logged into my office machine and scanned boot.efi there with clamdscan. It did not come up as Broken.Executable. It is the same configuration, and according to MacPorts, the same version of clamav is installed (0.93.1). However, on my office desktop clamdscan --version comes back as 0.93, not 0.93.1. clamscan --version comes back as 0.93.1 though, and the clamav binaries are the same size on both machines. Also, boot.efi is the same size on both machines too. Detect-broken is enabled in clamd.conf on both machines.

I also checked to see if clamscan --detect-broken said boot.efi was a Broken.Executable and it did on both machines (laptop and desktop).

Last, I scanned boot.efi on a Debian Linux machine with clamav and it came up as a broken executable there too. However, it also provided this message, which the MacPorts version did not:

LibClamAV Warning: Incorrect magic number in optional header

It sounds as though that message is referring to something called a PE (portable executable) file described here: http://win32assembly.online.fr/pe-tut1.html

My understanding from other posts on the web is that this is what the --detect-broken option for clamscan is supposed to detect. It doesn't seem odd (to me) that a boot file would be structured differently than a standard executable, but I really don't know. However, it seems strange that clamdscan doesn't give me the same answer on both my Macs.

Questions:

- Do you know if boot.efi should be identified as a broken executable and I should ignore it? I think that is the case. Is there any more investigation I should do or other information I can provide?
- Any thoughts about why clamdscan and clamscan give different answers on one computer?
Thank you in advance for your time and thoughts. And thank you for making clamav available.

Brian
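
The warning quoted in the message names the Magic field of the PE optional header. The following is an added example, not part of the original message and not ClamAV's code: it reads that field from a file so the result can be compared across machines. The names `pe_optional_magic` and `sample_image` and the sample bytes are constructed for illustration; the magic values are those of the PE/COFF format.

```python
import struct
import sys

# Optional-header Magic values defined by the PE/COFF format.
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+", 0x107: "ROM image"}


def pe_optional_magic(data: bytes) -> str:
    """Describe the optional-header Magic field, or say why it cannot be read."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE image: no MZ header"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data):
        return "truncated: PE header offset outside file"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "MZ header present but PE signature missing"
    # The COFF header is 20 bytes; SizeOfOptionalHeader is at offset 16 in it.
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 4 + 16)
    if opt_size < 2 or e_lfanew + 26 > len(data):
        return "no optional header"
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    name = OPTIONAL_MAGICS.get(magic)
    if name is None:
        return f"unknown optional header magic 0x{magic:04x}"
    return f"{name} (0x{magic:03x})"


def sample_image(magic: int) -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header, Magic."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 2, 0)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    # Usage: python pe_magic.py FILE [FILE ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", pe_optional_magic(fh.read()))
```
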