Richard,

> I have created a custom signature of a zip file using the clamav sigtool
> utility. I then add this into a file called custom.hdb in /var/lib/clamav.
>
> Running clamscan test.zip tells me that the file is infected with test.zip.
> Running clamdscan tells me that the file is infected with test.zip.
> Mailing this zip file as an attachment passes through without incident -
> though amavis is definitely pointed at the same clamd instance and will
> detect other malware instances - so it's definitely not a ClamAV issue.
> It's all very weird.
>
> My current thinking is that it's something weird with amavis unpacking the
> zip file into its constituent parts? I know that amavisd-new will unpack
> archives into a temp folder and scan the files individually, though does it
> scan the archive as a whole (meaning that my md5 hash will match the zip
> file itself)?
> I have looked over the documentation for the means to have amavisd-new
> leave the temporary files for me to check what is actually being scanned.
> Is there some config option I'm missing somewhere? Do I have to tell
> amavis to explicitly scan the zip file itself as well as the unpacked
> parts?

If archive unpacking is successful (no errors or unexpected warnings from
the dearchiver), the archive is deleted and only its members are retained
for AV scanning. That is so, UNLESS @keep_decoded_original_maps tells
otherwise:

  @keep_decoded_original_maps = (new_RE(
    qr'^MAIL$',                  # retain full original message for virus checking
    qr'^MAIL-UNDECIPHERABLE$',   # recheck full mail if undecipherable
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
    qr'^Zip archive data',       # don't trust Archive::Zip
  ));

amavisd-new-20021116 release notes:

- provide a configurable lookup table $keep_decoded_original_re of file
  types, for cases where unpacker is not very trustworthy. The lookup key
  is what 'file' utility returned. If the part contents match the lookup
  table, we keep both the original and the unpacked file for virus scanner
  to check;

So if AV scanner only contains a signature for a compressed archive but not
for its members, it may not detect malware.

  Mark
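An added example, not from this thread or from amavisd-new itself: it ports the @keep_decoded_original_maps patterns quoted above to Python and shows why a .hdb signature computed over the whole zip only matches when the container is handed to the scanner alongside its members. The sample zip, the `file`-style type string and the .hdb line are constructed inline.

```python
import hashlib
import io
import re
import zipfile

# Python port of the default @keep_decoded_original_maps patterns quoted
# above; the lookup key is what the `file` utility reports for the part.
KEEP_ORIGINAL = [
    re.compile(r"^MAIL$"),
    re.compile(r"^MAIL-UNDECIPHERABLE$"),
    re.compile(r"^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)", re.I),
    re.compile(r"^Zip archive data"),
]

def keep_original(file_type, rules=KEEP_ORIGINAL):
    """True if amavis would keep the container alongside its members."""
    return any(r.search(file_type) for r in rules)

def parts_to_scan(archive, file_type, rules=KEEP_ORIGINAL):
    """Emulate the unpack step: return {name: bytes} handed to the AV scanner."""
    parts = {}
    if keep_original(file_type, rules):
        parts["test.zip"] = archive          # original retained
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():           # members are always scanned
            parts[info.filename] = zf.read(info)
    return parts

def hdb_matches(parts, hdb_line):
    """Apply one ClamAV .hdb line (MD5:size:name) to each scanned part."""
    md5, size, _name = hdb_line.strip().split(":")
    return [p for p, data in parts.items()
            if hashlib.md5(data).hexdigest() == md5
            and (size == "*" or int(size) == len(data))]

# Constructed sample: a zip with one text member, plus an .hdb signature
# computed over the whole archive, like `sigtool --md5` would produce.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as _zf:
    _zf.writestr("readme.txt", "hello\n")
SAMPLE_ZIP = _buf.getvalue()
SAMPLE_HDB = f"{hashlib.md5(SAMPLE_ZIP).hexdigest()}:{len(SAMPLE_ZIP)}:test.zip"
FILE_TYPE = "Zip archive data, at least v2.0 to extract"  # constructed `file` output

def demo(rules=KEEP_ORIGINAL):
    """Which scanned parts hit the signature under the given keep rules."""
    return hdb_matches(parts_to_scan(SAMPLE_ZIP, FILE_TYPE, rules), SAMPLE_HDB)

if __name__ == "__main__":
    print(demo(), demo(KEEP_ORIGINAL[:3]))  # ['test.zip'] []
```

With the `^Zip archive data` rule in place the container is scanned and the hash hits; drop that rule and only readme.txt reaches the scanner, so the archive-level signature never fires.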