amavisd-new result is clean but clamav manual scan result is infected

Mark Martinec Mark.Martinec+amavis at
Sat Nov 19 02:31:23 CET 2011


> The e-mail has an attachment
> ""
> I upload the attachment to, and it was already detected as
> Email.Trojan-268. So I thought my CLAMAV pattern is not updated,  but it
> was. And actually, scanning the file manually yields infected virus result:
> #clamdscan DHL\ Express\ Notification\ for\ shipment\ \
> 84302695681014952HG5V.eml
> /tmp/DHL Express Notification for shipment  84302695681014952HG5V.eml:
> Email.Trojan-268 FOUND
> I have tried this several times and still, amavisd-new's result is CLEAN
> while manual scan says infected. In fact the trendmicro engine I am
> using side-by-side with amavisd just recently been updated and it's
> detecting the virus as  TSPY_ZBOT.HNF, and finally amavisd-new is
> catching this as infected but only by the trendmicro scanner.
> Here is the debug output:
> How is it possible that amavisd-new is resulting "clean" while manual
> scan of CLAMAV is resulting "infected"?

Thanks for the debug. I don't see anything obviosly wrong there.

The second part (after the first empty text/plain part) is

> p002 1/2 Content-Type: message/rfc822, size: 262932 B, name:
>   DHL Express Notification for shipment  84302695681014952HG5V.eml

> result line from file(1): p002: smtp mail text\n

Namely, both the MIME type, as well as the file(1) utility
claim that the part is an attached e-mail message (message/rfc822),
despite you saying that it was suposed to be a zip.

Dan wrote:
> Do you have @keep_decoded_original_maps set up to scan the whole message?
> @keep_decoded_original_maps = (new_RE(
>   qr'^MAIL$',   # retain full original message for virus checking

Yes he does, as seen from the log:

(32557-02) lookup_re("MAIL") matches key "(?-xism:^MAIL$)", result="1"
(32557-02) lookup [keep_decoded_original] => true,  "MAIL" matches,
  result="1", matching_key="(?-xism:^MAIL$)"
(32557-02) Issued a new file name: p005
(32557-02) presenting full original message to scanners as

So regardless of potential problems in mis-decoding, at least
the full message should have been passed to clamd and detected.

Perhaps the log shows your later test where you attached the
sample message wrapped as an message/rfc822 attachent, instead of
re-sending the original message.


More information about the amavis-users mailing list