Re: [exim] Problem with ClamAV scan

Author: Wakko Warner
Date:  
To: Luca Bertoncello
CC: exim-users
Subject: Re: [exim] Problem with ClamAV scan
Luca Bertoncello wrote:
> Tom Kistner <tom@???> schrieb:
> > Is "ScanMail" enabled in your clamd config (It is enabled by default, so
> > you'd have to explicitly turn it off).
>
> Yes, of course!
>
> > If it is enabled, forward the original sample to the ClamAV team.
>
> But ClamAV knows this virus! If I get the E-Mail, save the .zip on my disk,
> and then send another E-Mail with the same .zip, then ClamAV says that my
> E-Mail is a virus!
>
> What can I do?


I was hit by something like this at work with a content scanner I wrote (it
uses mcafee uvscan for virus scanning). I found out that the virus puts
various length lines in the base64 encoded part (not always in pairs of 4).
Outlook handled it, but mine didn't. This may be the same thing. After a
few minutes of rewriting my base64 handler, it finds the virus every time.

I don't have any examples, but I'd see some lines being 2-3 characters long
while others were 67 (guess). It was definitely badly formed and it worked
at bypassing the scanner. Fortunately the local AV on the PC caught it.

You can try to hand craft a message with a base64 virus attachment and
randomly break the line into 2 or more lines (preferably where the line
is not a multiple of 4 characters) and see if it finds a virus in it.

--
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
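The line-length problem described in the message above, as an added example that is not part of the original post or of the poster's scanner: a decoder that handles base64 line by line is shown next to one that normalises the whole body first, so an attachment whose lines are 2, 3 or 67 characters long still decodes (and can still be scanned). The attachment bytes and the line widths are constructed.

```python
import base64
import binascii
import re

# Constructed sample attachment (arbitrary bytes, not a real sample).
SAMPLE = b"This is a constructed test attachment: \x00\x01\x02\xff" * 3


def canonical_encode(data: bytes, width: int = 76) -> str:
    """Encode like a well-formed MIME body: fixed lines of 76 characters."""
    enc = base64.b64encode(data).decode("ascii")
    return "\n".join(enc[i:i + width] for i in range(0, len(enc), width))


def irregular_encode(data: bytes, widths) -> str:
    """Same base64 text, but with line breaks at arbitrary positions
    (cycling through the given widths, e.g. 2, 3, 67) as in the post."""
    enc = base64.b64encode(data).decode("ascii")
    lines, i, k = [], 0, 0
    while i < len(enc):
        w = widths[k % len(widths)]
        lines.append(enc[i:i + w])
        i, k = i + w, k + 1
    return "\n".join(lines)


def naive_decode(body: str) -> bytes:
    """Decode each line independently.  A line whose length is not a
    multiple of 4 is rejected, so oddly wrapped content is silently lost
    and never reaches the scanner."""
    out = bytearray()
    for line in body.splitlines():
        try:
            out += base64.b64decode(line, validate=True)
        except binascii.Error:
            pass  # dropped line: this is the gap the post describes
    return bytes(out)


def robust_decode(body: str) -> bytes:
    """Strip every whitespace character first, then decode the whole body
    as one stream, so the original line structure no longer matters."""
    stream = re.sub(r"\s+", "", body)
    stream += "=" * (-len(stream) % 4)  # tolerate stripped padding
    return base64.b64decode(stream)
```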