On Monday 03 November 2003 09:58, Sheldon Hearn wrote:
My configuration catches it. Try to activate demime; this might help.
> Hi folks,
>
> My exim-4.24 w/ exiscan-acl patch 13 and clamav-0.60 installation is
> letting the Worm.Mimail.C virus through.
>
> The virus is inside a zipfile, MIME-attached to messages. The zipfile
> is available for testing:
>
> http://mail.gambling.com/photos.zip
>
> When I scan the file manually, I get:
>
> # clamscan /tmp/photos.zip
> /tmp/photos.zip: File size limit exceeded.
> /tmp/photos.zip: Worm.Mimail.C FOUND
> ...
>
> However, the following ACL just isn't catching it:
>
> # Reject virus infested messages.
> deny message = This message contains malware ($malware_name)
> demime = *
> malware = *
>
> This ACL _does_ catch other viruses (about 90 to 200 a day when there
> isn't a major crisis going on).
>
> I suspect that exiscan-acl needs to learn to ignore the "File size limit
> exceeded" message. I've no idea why the message is issued in the first
> place, since I have this in my clamav.conf file:
>
> ArchiveMaxFileSize 10M
>
> However, unzip(1) gives me:
>
> $ unzip photos.zip
> Archive: photos.zip
> warning [photos.zip]: 2 extra bytes at beginning or within zipfile
> (attempting to process anyway)
> file #1: bad zipfile offset (local header sig): 2
> (attempting to re-compensate)
> extracting: photos.jpg.exe
>
> So perhaps clamav is just getting confused.
>
> Regardless, could we have exiscan-acl ignore messages like this and scan
> the entire response for FOUND messages?
>
> Ciao,
> Sheldon.
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim
> details at http://www.exim.org/ ##
--
e-admin internet gmbh
Andreas Gietl tel +49 941 3810884
Ludwig-Thoma-Strasse 35 fax +49 (0)1805/39160 - 29104
93051 Regensburg mobile +49 171 6070008
PGP/GPG key at
http://www.e-admin.de/gpg.html
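
Added example, not part of the thread and not exiscan-acl's code: a sketch of the check Sheldon asks for, reading every line of the clamscan response for FOUND instead of trusting the first line. The function names are hypothetical, the "first line only" check is an assumed failure mode for contrast, SAMPLE is the two clamscan lines quoted above, and stopping at a "SCAN SUMMARY" header is an assumption about the output layout.

```python
SUFFIX = " FOUND"

# The two clamscan lines quoted in the message above.
SAMPLE = (
    "/tmp/photos.zip: File size limit exceeded.\n"
    "/tmp/photos.zip: Worm.Mimail.C FOUND\n"
)


def naive_first_line(output):
    """Hypothetical check that trusts only the first response line.

    Returns the malware name, or None when the first line is not a detection.
    """
    lines = output.splitlines()
    first = lines[0].strip() if lines else ""
    if first.endswith(SUFFIX) and ": " in first[: -len(SUFFIX)]:
        return first[: -len(SUFFIX)].rsplit(": ", 1)[1]
    return None


def scan_all_lines(output):
    """Return {path: {"malware": [...], "notes": [...]}} from the whole response.

    Warnings such as "File size limit exceeded." are kept as notes and never
    end the scan, so a later FOUND line for the same file is still seen.
    """
    results = {}
    for raw in output.splitlines():
        line = raw.strip()
        if "SCAN SUMMARY" in line:  # assumed summary header: statistics follow
            break
        body = line[: -len(SUFFIX)] if line.endswith(SUFFIX) else None
        if body and ": " in body:
            path, sig = body.rsplit(": ", 1)
            entry = results.setdefault(path, {"malware": [], "notes": []})
            entry["malware"].append(sig)
        elif ": " in line:
            path, note = line.split(": ", 1)
            entry = results.setdefault(path, {"malware": [], "notes": []})
            entry["notes"].append(note)
    return results


def malware_names(output):
    """Sorted, de-duplicated malware names found anywhere in the response."""
    found = scan_all_lines(output).values()
    return sorted({sig for entry in found for sig in entry["malware"]})
```
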