amavisd-new result is clean but clamav manual scan result is infected

Kenneth Oncinian kenneth.oncinian at ph.panasonic.com
Mon Nov 21 01:44:09 CET 2011



> So regardless of potential problems in mis-decoding, at least the
> full message should have been passed to clamd and detected.
> 
> Perhaps the log shows your later test where you attached the sample
> message wrapped as a message/rfc822 attachment, instead of
> re-sending the original message.
> 
> Mark

Hi Mark,

Good morning.
Yes, you are correct, it was the later test that I conducted,
sorry about that. Also, this is maybe the reason why amavisd-new is
passing it as clean. CLAMAV does not detect the attachment as
infected; it detects it only if it is scanned as a full *.eml file.
Here are the results of CLAMAV scanning the *.eml against the scanning
of the attachment only.

# clamdscan DHL\ Express\ Notification\ for\ shipment\ \ 84302695681014952HG5V.eml
/tmp/DHL Express Notification for shipment  84302695681014952HG5V.eml: Email.Trojan-268 FOUND

# clamdscan Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip
/tmp/Delivery_Notification_DHL_EXPRESS-9493SND21ZJJA8I24.zip: OK

# clamdscan Delivery_Notification_DHL_EXPRESS.exe
/tmp/Delivery_Notification_DHL_EXPRESS.exe: OK

However, since I was passing the full message to amavisd-new
(qr'^MAIL$',), clamav still did not scan it as an *.eml file?


thanks so much,
Kenneth

