Hi folks,
My exim-4.24 w/ exiscan-acl patch 13 and clamav-0.60 installation is letting
the Worm.Mimail.C virus through.
The virus is inside a zipfile, MIME-attached to messages. The zipfile
is available for testing:
http://mail.gambling.com/photos.zip
When I scan the file manually, I get:
# clamscan /tmp/photos.zip
/tmp/photos.zip: File size limit exceeded.
/tmp/photos.zip: Worm.Mimail.C FOUND
...
However, the following ACL just isn't catching it:
# Reject virus infested messages.
deny message = This message contains malware ($malware_name)
demime = *
malware = *
This ACL _does_ catch other viruses (about 90 to 200 a day when there
isn't a major crisis going on).
I suspect that exiscan-acl needs to learn to ignore the "File size limit
exceeded" message. I've no idea why the message is issued in the first
place, since I have this in my clamav.conf file:
ArchiveMaxFileSize 10M
However, unzip(1) gives me:
$ unzip photos.zip
Archive: photos.zip
warning [photos.zip]: 2 extra bytes at beginning or within zipfile
(attempting to process anyway)
file #1: bad zipfile offset (local header sig): 2
(attempting to re-compensate)
extracting: photos.jpg.exe
So perhaps clamav is just getting confused.
Regardless, could we have exiscan-acl ignore messages like this and scan
the entire response for FOUND messages?
Ciao,
Sheldon.
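The failure mode described in the post (a non-fatal warning line printed before the "FOUND" line, so a scanner wrapper that only inspects the first line of output reports the file as clean) is easy to reproduce in a small parser. The following is an added example, not code from exiscan-acl or ClamAV: the sample output is constructed to mirror the clamscan lines quoted above, and the fragile first-line parse is only a model of what the post suspects exiscan does, not its actual implementation. It contrasts that with a parser that walks every output line and also consults clamscan's exit status (0 clean, 1 infected, 2 error, per the clamscan man page).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of clamscan output, modelled on the lines quoted in the
# post: a warning about the archive precedes the actual detection line.
SAMPLE_OUTPUT = """/tmp/photos.zip: File size limit exceeded.
/tmp/photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1234
Scanned files: 1
Infected files: 1
"""

# A detection line has the form "<path>: <signature name> FOUND".
FOUND_RE = re.compile(r'^(?P<path>.+?): (?P<name>.+) FOUND$')


def first_line_only(output: str) -> Optional[str]:
    """Fragile parse (hypothetical model of the suspected exiscan behaviour):
    decide from the first output line alone. A warning on line 1 hides the
    detection on line 2 and the file is reported as clean."""
    lines = output.splitlines()
    if not lines:
        return None
    m = FOUND_RE.match(lines[0].rstrip())
    return m.group('name') if m else None


def scan_all_lines(output: str) -> List[Tuple[str, str]]:
    """Robust parse: walk every line, skip warnings and summary lines, and
    collect every (path, signature) pair that ends in FOUND."""
    hits: List[Tuple[str, str]] = []
    for line in output.splitlines():
        line = line.rstrip()
        if not line or line.startswith('---'):
            continue
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group('path'), m.group('name')))
    return hits


def verdict(output: str, returncode: int) -> Tuple[str, Optional[str]]:
    """Combine the full-output parse with clamscan's exit status.

    Any FOUND line anywhere in the output wins, regardless of warnings.
    Otherwise exit status 0 means clean; anything else (scanner error, or
    an unexplained non-zero status) is reported as an error so the caller
    can fail closed (e.g. defer the message) rather than deliver it.
    """
    hits = scan_all_lines(output)
    if hits:
        return ('infected', hits[0][1])
    if returncode == 0:
        return ('clean', None)
    return ('error', None)


if __name__ == '__main__':
    print('first line only :', first_line_only(SAMPLE_OUTPUT))   # None (missed)
    print('all lines       :', scan_all_lines(SAMPLE_OUTPUT))
    print('verdict         :', verdict(SAMPLE_OUTPUT, 1))
```

The point of `verdict` is the caveat a mail administrator wants: a scanner wrapper should treat "no FOUND line" and "scanner exited cleanly" as two separate conditions, and only deliver when both hold; a warning that changes the output layout should never turn into a silent accept.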