amavisd-new result is clean but clamav manual scan result is infected
Mark Martinec
Mark.Martinec+amavis at ijs.si
Sat Nov 19 02:31:23 CET 2011
Kenneth,
> The e-mail has an attachment
> "Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip"
>
> I upload the attachment to clamav.net, and it was already detected as
> Email.Trojan-268. So I thought my CLAMAV pattern is not updated, but it
> was. And actually, scanning the file manually yields infected virus result:
>
> #clamdscan DHL\ Express\ Notification\ for\ shipment\ \
> 84302695681014952HG5V.eml
> /tmp/DHL Express Notification for shipment 84302695681014952HG5V.eml:
> Email.Trojan-268 FOUND
>
> I have tried this several times and still, amavisd-new's result is CLEAN
> while manual scan says infected. In fact the trendmicro engine I am
> using side-by-side with amavisd just recently been updated and it's
> detecting the virus as TSPY_ZBOT.HNF, and finally amavisd-new is
> catching this as infected but only by the trendmicro scanner.
>
> Here is the debug output: http://pastebin.com/f8DSt4qD
>
> How is it possible that amavisd-new is resulting "clean" while manual
> scan of CLAMAV is resulting "infected"?
Thanks for the debug. I don't see anything obviosly wrong there.
The second part (after the first empty text/plain part) is
unusual:
> p002 1/2 Content-Type: message/rfc822, size: 262932 B, name:
> DHL Express Notification for shipment 84302695681014952HG5V.eml
> result line from file(1): p002: smtp mail text\n
Namely, both the MIME type, as well as the file(1) utility
claim that the part is an attached e-mail message (message/rfc822),
despite you saying that it was suposed to be a zip.
Dan wrote:
> Do you have @keep_decoded_original_maps set up to scan the whole message?
> @keep_decoded_original_maps = (new_RE(
> qr'^MAIL$', # retain full original message for virus checking
Yes he does, as seen from the log:
(32557-02) lookup_re("MAIL") matches key "(?-xism:^MAIL$)", result="1"
(32557-02) lookup [keep_decoded_original] => true, "MAIL" matches,
result="1", matching_key="(?-xism:^MAIL$)"
(32557-02) Issued a new file name: p005
(32557-02) presenting full original message to scanners as
/var/lib/amavis/tmp/amavis-20111118T143926-32557/parts/p005
So regardless of potential problems in mis-decoding, at least
the full message should have been passed to clamd and detected.
Perhaps the log shows your later test where you attached the
sample message wrapped as an message/rfc822 attachent, instead of
re-sending the original message.
Mark
More information about the amavis-users
mailing list