[Exim] ClamAV + exiscan missing virus

Author: Sheldon Hearn
Date:  
To: exim-users
CC: Tom Kistner
Subject: [Exim] ClamAV + exiscan missing virus
Hi folks,

My exim-4.24 w/ exiscan-acl patch 13 and clamav-0.60 installation is letting
the Worm.Mimail.C virus through.

The virus is inside a zipfile, MIME-attached to messages. The zipfile
is available for testing:

    http://mail.gambling.com/photos.zip


When I scan the file manually, I get:

    # clamscan /tmp/photos.zip
    /tmp/photos.zip: File size limit exceeded.
    /tmp/photos.zip: Worm.Mimail.C FOUND
    ...


However, the following ACL just isn't catching it:

  # Reject virus infested messages.
  deny  message = This message contains malware ($malware_name)
        demime = *
        malware = *


This ACL _does_ catch other viruses (about 90 to 200 a day when there
isn't a major crisis going on).

I suspect that exiscan-acl needs to learn to ignore the "File size limit
exceeded" message. I've no idea why the message is issued in the first
place, since I have this in my clamav.conf file:

    ArchiveMaxFileSize 10M


However, unzip(1) gives me:

  $ unzip photos.zip
  Archive:  photos.zip
  warning [photos.zip]:  2 extra bytes at beginning or within zipfile
    (attempting to process anyway)
  file #1:  bad zipfile offset (local header sig):  2
    (attempting to re-compensate)
   extracting: photos.jpg.exe


So perhaps clamav is just getting confused.

Regardless, could we have exiscan-acl ignore messages like this and scan
the entire response for FOUND messages?

Ciao,
Sheldon.
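The request at the end of the post is for exiscan to scan the whole clamscan response for FOUND lines instead of stopping at an unexpected first line. The following is an added example (not code from the post, from exiscan-acl, or from ClamAV) showing that logic as a small parser: it walks every line of the output, ignores warnings such as "File size limit exceeded." and collects every "<path>: <signature> FOUND" line, so a warning that precedes the FOUND line no longer hides the detection. The sample output is constructed from the two lines quoted in the post plus a generic scan summary; the function names and the assumption that a signature name contains no spaces are this example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of clamscan(1) output, modelled on the two lines quoted
# in the post: the size warning precedes the FOUND line for the same file.
# The summary block is illustrative and not taken from the post.
SAMPLE_OUTPUT = """\
/tmp/photos.zip: File size limit exceeded.
/tmp/photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 1
"""

# Assumption: ClamAV signature names contain no whitespace, so a FOUND line
# is "<path>: <signature> FOUND" and the path may itself contain ": ".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def first_line_only(output: str) -> Optional[Tuple[str, str]]:
    """The fragile approach: inspect only the first line of the response.

    Returns (path, signature) if that first line is a FOUND line, else None.
    With SAMPLE_OUTPUT the first line is the size warning, so this reports
    nothing even though the archive is infected.
    """
    lines = output.splitlines()
    if not lines:
        return None
    m = FOUND_RE.match(lines[0].rstrip())
    return (m.group("path"), m.group("sig")) if m else None


def parse_clamscan(output: str) -> List[Tuple[str, str]]:
    """The robust approach: scan the entire response for FOUND lines.

    Every line is matched against FOUND_RE; warnings, blank lines and the
    summary block simply fail to match and are skipped. Returns one
    (path, signature) tuple per detection, in output order, so an archive
    with several infected members yields several entries.
    """
    hits: List[Tuple[str, str]] = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def malware_name(output: str) -> Optional[str]:
    """Name to expose as $malware_name: the first detected signature, or None."""
    hits = parse_clamscan(output)
    return hits[0][1] if hits else None


if __name__ == "__main__":
    print("first line only:", first_line_only(SAMPLE_OUTPUT))
    print("whole response: ", parse_clamscan(SAMPLE_OUTPUT))
    print("malware name:   ", malware_name(SAMPLE_OUTPUT))
```

Matching line by line rather than looking for a literal "FOUND" substring anywhere in the response avoids false positives from a filename that happens to contain the word, and returning all hits lets the caller report the specific signature in the rejection message, as the ACL in the post does with $malware_name.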