> /**
>  * @file /magma/providers/external/clamav.c
>  *
>  * @brief Interface for the ClamAV library.
>  *
>  * $Author: Ladar Levison $
>  * $Date: 2010/08/13 10:32:38 $
>  * $Revision: ecaee526d4ba88a141c5b889dd023b13c05c2654 $

> // Scan the message. The OLE code has a bug in it that causes segfaults.

What bug?

> // We ignore email that ClamAV thinks is a phishing based on scanner's internal heuristic checks.
> else if (starts_ci_bl_bl("Phishing", 8, virname, ns_get_length(virname)) ||
>     starts_ci_bl_bl("Joke", 4, virname, ns_get_length(virname))) {
>     pthread_rwlock_unlock(&virus_lock);
>     stats_increment_by_name("provider.virus.scan.total");
>     stats_increment_by_name("provider.virus.scan.clean");
>     close(fd);
>     return 0;
> }

This is incorrect. If you want to match the heuristic Phishing detection, use Heuristics.Phishing.

There are signatures which contain *Phishing* and *Joke*. ClamAV stops on first match. So if you get a zip that contains something ClamAV detects as Phishing/Joke as the first element in the zip, followed by real malware, then it will only report the first match (Phishing/Joke). Your code will mark it as clean, when in fact it could be infected.

(Note that this is not the case for Heuristics.Phishing, where ClamAV keeps on scanning and only reports the heuristics if it didn't find anything else.)

The proper way to deal with this is to not load the Phishing signatures at all; there is an option you can pass to cl_load() for that. For *Joke* there is no flag that you can pass, though.

Best regards,
--Edwin
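The difference between the quoted prefix check and a check limited to Heuristics.Phishing, as an added example that is not part of the original message or of the magma code base. The function names, the verdict enum and the sample detection names are constructed for illustration, and treating signature-based Joke matches as infected is an assumption of this sketch.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Verdicts for a finished scan (hypothetical names, not magma's). */
enum verdict { VERDICT_CLEAN = 0, VERDICT_INFECTED = 1 };

/* Case-insensitive prefix test on a detection name. */
static int has_prefix_ci(const char *s, const char *prefix) {
    return strncasecmp(s, prefix, strlen(prefix)) == 0;
}

/* Policy quoted in the thread: any name starting with "Phishing" or "Joke"
 * counts as clean, although these are ordinary signature matches and the
 * scanner stopped at the first one it found. */
enum verdict verdict_prefix_policy(const char *virname) {
    if (virname == NULL) return VERDICT_CLEAN;
    if (has_prefix_ci(virname, "Phishing") || has_prefix_ci(virname, "Joke"))
        return VERDICT_CLEAN;
    return VERDICT_INFECTED;
}

/* Policy following the reply: only the heuristic result, which is reported
 * when nothing else matched, may be ignored. Every signature match,
 * Phishing.* and Joke.* included, stays a detection (assumption for Joke). */
enum verdict verdict_heuristic_only(const char *virname) {
    if (virname == NULL) return VERDICT_CLEAN;
    if (has_prefix_ci(virname, "Heuristics.Phishing"))
        return VERDICT_CLEAN;
    return VERDICT_INFECTED;
}

/* Constructed sample detection names, for illustration only. */
static const char *const sample_names[] = {
    "Heuristics.Phishing.Email.SpoofedDomain",
    "Phishing.Example-1",
    "Joke.Example-2",
    "Trojan.Example-3",
};

/* Number of sample names on which the two policies disagree. */
size_t count_disagreements(void) {
    size_t n = 0;
    for (size_t i = 0; i < sizeof sample_names / sizeof sample_names[0]; i++)
        if (verdict_prefix_policy(sample_names[i]) != verdict_heuristic_only(sample_names[i]))
            n++;
    return n;
}
```

The prefix policy never matches the Heuristics.Phishing name it was meant to ignore, while it clears the two signature-based names that may be hiding a later match.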