Michael Scheidell wrote the following on 6/15/2007 12:54 PM -0800:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] 
>> [mailto:[EMAIL PROTECTED] On Behalf 
>> Of Bill Landry
>> Sent: Friday, June 15, 2007 3:51 PM
>> To: [email protected]
>> Subject: Re: [AMaViS-user] Someone missed a virus..
>>
>> Michael Scheidell wrote the following on 6/15/2007 12:27 PM -0800:
>> Thanks for reporting this one Michael, malware distributors 
>> are getting more creative all the time.  Just as an FYI, 
>> since I am using the recent "$bypass_decode_parts = 1" 
>> feature that disables all decoding by amavisd-new and instead 
>> passes the raw messages to the virus scanner(s) and relies on 
>> the decoding supported by the virus scanner itself.  In this 
>> case I run both clamd and f-prot, and both were able to 
>> detect the trojan inside the .doc file, without any decoding 
>> on the part of
>> amavisd-new:
>>
>> F-Prot:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz->Proforma_Invoice.doc->Proforma_Invoice.exe
>> is a security risk named W32/Dropper.ESR
>>
>> ClamD:
>> /var/quarantine/virus/virus-TO4HclB5j1Sz: Trojan.Dropper-1047 FOUND
>>
>> Thanks again, Mark, for adding the ability to bypass all 
>> decoding in amavisd-new, it seems to be working fine for me thus far.
>
> Yes, but you only got that because I reported it to clamav at CA:
>
> (I use clamav, and at the time, it wasn't in the file:
>
> If you had checked that earlier (before daily/3430) you would have
> missed it.
>
I don't disagree.  My comment was more toward the fact that many virus 
scanners now support mime decoding and file unpacking themselves and 
thus the decoding feature of amavisd-new can be disabled (meaning no 
need to install and use unpackers within amavisd.conf, like ripole), 
which also possibly removes the requirement to try and work around files 
embedded in other files or mis-labeled file formats within amavisd.conf.

Anyway, it was simply an observation on my part.

Bill
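The point of the exchange is that with `$bypass_decode_parts = 1` amavisd-new no longer unpacks anything itself, so catching an executable dropped inside a .doc depends entirely on each scanner's own unpacking, and a mis-labeled or nested file is only noticed if the scanner looks past the declared type. As an added illustration (not code from this thread, from amavisd-new, or from either scanner), the Python below is a small content check a gateway could run beside the scanners: it ignores the filename extension, looks for an MZ/PE header anywhere in the bytes, and flags a file whose leading magic does not match its extension. The sample ".doc", the expected-magic table and all function names are constructed for this example.

```python
import struct
from typing import Dict, List

# Well-known file signatures.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls container
MZ_MAGIC = b"MZ"                                     # DOS stub of a PE executable
PE_SIGNATURE = b"PE\x00\x00"

# Constructed, deliberately minimal table: which magic a declared extension should carry.
EXPECTED_MAGIC = {
    "doc": OLE2_MAGIC,
    "xls": OLE2_MAGIC,
    "exe": MZ_MAGIC,
}


def build_fake_pe(payload: bytes = b"constructed-stub") -> bytes:
    """Constructed PE-shaped blob: MZ header, e_lfanew at 0x3C, 'PE\\0\\0' at that offset."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[0:2] = MZ_MAGIC
    header[0x3C:0x40] = struct.pack("<I", e_lfanew)
    return bytes(header) + PE_SIGNATURE + payload


def build_sample_doc_with_embedded_exe() -> bytes:
    """Constructed stand-in for a .doc container that carries an executable inside it."""
    return OLE2_MAGIC + b"\x00" * 504 + build_fake_pe() + b"\x00" * 64


def find_embedded_pe(data: bytes) -> List[int]:
    """Return the offset of every MZ header whose e_lfanew points at a valid PE signature."""
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # A real e_lfanew is never inside the 0x40-byte DOS header.
            if e_lfanew >= 0x40 and data[pe_off:pe_off + 4] == PE_SIGNATURE:
                hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def classify(filename: str, data: bytes) -> Dict[str, object]:
    """Compare declared extension with content and report embedded executables."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXPECTED_MAGIC.get(ext)
    mislabeled = expected is not None and not data.startswith(expected)
    pe_offsets = find_embedded_pe(data)
    # A PE at offset 0 of a .exe is just an executable; a PE at any offset
    # inside a non-executable container is the case worth flagging.
    embedded = [o for o in pe_offsets if not (ext == "exe" and o == 0)]
    return {
        "ext": ext,
        "mislabeled": mislabeled,
        "embedded_pe": embedded,
        "suspicious": mislabeled or bool(embedded),
    }


if __name__ == "__main__":
    sample = build_sample_doc_with_embedded_exe()
    print(classify("Proforma_Invoice.doc", sample))
    print(classify("Proforma_Invoice.doc", build_fake_pe()))   # executable renamed to .doc
    print(classify("clean.doc", OLE2_MAGIC + b"\x00" * 100))
```

The check is intentionally narrow: it recognises only an uncompressed PE inside a container, which is what the F-Prot output above reports, and would not see a compressed or encoded payload. That is exactly the gap the thread is about, so a result of "not suspicious" here is no substitute for a scanner that actually unpacks the attachment.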

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/