Re: [Exim] ClamAV + exiscan missing virus

Author: Andreas Gietl
Date:  
To: Sheldon Hearn, exim-users
CC: Tom Kistner
Subject: Re: [Exim] ClamAV + exiscan missing virus
On Monday 03 November 2003 09:58, Sheldon Hearn wrote:

My configuration catches it. Try to activate demime, this might help.

> Hi folks,
>
> My exim-4.24 w/ exiscan-acl patch 13 and clamav-0.60 installation is
> letting the Worm.Mimail.C virus through.
>
> The virus is inside a zipfile, MIME-attached to messages. The zipfile
> is available for testing:
>
>     http://mail.gambling.com/photos.zip
>
> When I scan the file manually, I get:
>
>     # clamscan /tmp/photos.zip
>     /tmp/photos.zip: File size limit exceeded.
>     /tmp/photos.zip: Worm.Mimail.C FOUND
>     ...
>
> However, the following ACL just isn't catching it:
>
>   # Reject virus infested messages.
>   deny  message = This message contains malware ($malware_name)
>         demime = *
>         malware = *
>
> This ACL _does_ catch other viruses (about 90 to 200 a day when there
> isn't a major crisis going on).
>
> I suspect that exiscan-acl needs to learn to ignore the "File size limit
> exceeded" message. I've no idea why the message is issued in the first
> place, since I have this in my clamav.conf file:
>
>     ArchiveMaxFileSize 10M
>
> However, unzip(1) gives me:
>
>   $ unzip photos.zip
>   Archive:  photos.zip
>   warning [photos.zip]:  2 extra bytes at beginning or within zipfile
>     (attempting to process anyway)
>   file #1:  bad zipfile offset (local header sig):  2
>     (attempting to re-compensate)
>    extracting: photos.jpg.exe
>
> So perhaps clamav is just getting confused.
>
> Regardless, could we have exiscan-acl ignore messages like this and scan
> the entire response for FOUND messages?
>
> Ciao,
> Sheldon.
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##


--
e-admin internet gmbh
Andreas Gietl                                            tel +49 941 3810884
Ludwig-Thoma-Strasse 35                      fax +49 (0)1805/39160 - 29104
93051 Regensburg                                  mobile +49 171 6070008


PGP/GPG key at http://www.e-admin.de/gpg.html
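An added example, not code from the thread, Exim or exiscan: the first-line parse that the thread suspects is losing the detection, beside the whole-response parse Sheldon asks for, run over constructed clamscan output modelled on the quoted one. The `path: NAME FOUND` line format comes from the quoted output; the `Infected files:` summary counter used as a cross-check is an assumption about clamscan's summary block, not something the page shows.

```python
import re

# Constructed sample, modelled on the clamscan output quoted in the thread:
# a warning line for photos.zip precedes the FOUND line for the same file,
# and a summary block (assumed format) closes the report.
SAMPLE_OUTPUT = """\
/tmp/photos.zip: File size limit exceeded.
/tmp/photos.zip: Worm.Mimail.C FOUND
/tmp/readme.txt: OK

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
"""

# A detection line is "<path>: <malware name> FOUND"; warnings and "OK" lines
# share the "<path>: ..." prefix but never end in " FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")


def first_line_verdict(output):
    """Fragile parse: only the first line is inspected, so a warning that
    clamscan prints before the FOUND line hides the detection."""
    first = output.splitlines()[0] if output else ""
    m = FOUND_RE.match(first)
    return m.group("name") if m else None


def found_malware(output):
    """Robust parse: walk every line, ignore anything that is not a FOUND
    line, and return {path: malware name} for all detections."""
    hits = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("path")] = m.group("name")
    return hits


def summary_infected(output):
    """Infected-file count from the summary block (assumed format), or None."""
    m = re.search(r"^Infected files: (\d+)$", output, re.M)
    return int(m.group(1)) if m else None


def verdict(output):
    """Combine both: 'infected', 'clean', or 'error' when the summary count
    disagrees with the FOUND lines parsed (an ACL should then defer, not accept)."""
    hits = found_malware(output)
    counted = summary_infected(output)
    if counted is not None and counted != len(hits):
        return ("error", hits)
    return ("infected" if hits else "clean", hits)
```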