I'm cross-posting this message from the MailScanner mailing list because
I think folks here might be interested in it.  If anyone needs a copy of
that zip please let me know.

Kevin

On Wed, 2003-11-05 at 02:04, Chris Yuzik wrote:
> Hi everyone,
> 
> No sooner do we (well...Julian) come out with a workaround for the extra status
> line that ClamAV was spitting out than another virus uses similar zip-header
> trickery to sneak through our scanners.
> 
> Worm.Mimail.G arrives in a zip file called "readnow.zip" that strangely gets a
> simple "OK" from clamscan, and the virus goes right through. After some
> experimenting, I've figured out that the virus will happily unzip with the
> console unzip tool, but complains with the following message:
> 
> # unzip readnow.zip
> Archive:  readnow.zip
> warning [readnow.zip]:  3 extra bytes at beginning or within zipfile
>   (attempting to process anyway)
> file #1:  bad zipfile offset (local header sig):  3
>   (attempting to re-compensate)
>  extracting: readnow.doc.scr
> 
> After reading the man page for clamscan, I came across an option that disables
> clamscan's internal archive tools. When I typed "clamscan --disable-archive
> readnow.zip" I got the expected response of "readnow.zip: Worm.Mimail.G
> FOUND".
> 
> Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
> removing the "--unzip" option and replacing it with "--disable-archive"? Am I
> on the right track?
> 
> Thanks,
> Chris
> --

BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
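A gateway-side check for the evasion Chris describes, added here as an example and not code from the thread, ClamAV or MailScanner: it locates the first local-file-header signature in an attachment and reports any bytes that precede it (the "extra bytes at beginning" condition unzip warned about), then lists archive members with executable extensions. The sample archive and the three padding bytes are constructed inline.

```python
import io
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"          # signature of a zip local file header
EXEC_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat")  # assumption: site policy list


def leading_junk_bytes(data: bytes):
    """Bytes preceding the first local file header, or None if no header exists."""
    off = data.find(LOCAL_HEADER_SIG)
    return None if off < 0 else off


def assess(data: bytes) -> dict:
    """Summarise why an archive should not be trusted on a scanner's bare 'OK'."""
    junk = leading_junk_bytes(data)
    result = {"is_zip": junk is not None, "leading_junk": junk,
              "members": [], "executable_members": [], "suspicious": False}
    if junk is None:
        return result
    # Python's zipfile finds the end-of-central-directory record from the end of the
    # file and corrects for prepended data, so it opens the padded archive silently.
    # That is exactly why we report the padding ourselves instead of trusting the parse.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["members"] = zf.namelist()
    except zipfile.BadZipFile:
        result["members"] = None
    if result["members"]:
        result["executable_members"] = [
            n for n in result["members"] if n.lower().endswith(EXEC_SUFFIXES)
        ]
    result["suspicious"] = junk > 0 or bool(result["executable_members"])
    return result


def make_archive(name: str, payload: bytes) -> bytes:
    """Build a small stored zip in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a clean archive and the same bytes with 3 junk bytes prepended,
# mimicking the "3 extra bytes at beginning or within zipfile" warning from unzip.
CLEAN = make_archive("readnow.doc.scr", b"harmless placeholder content")
PADDED = b"\x00\x00\x00" + CLEAN

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("padded", PADDED)):
        print(label, assess(blob))
```

A mail gateway can quarantine on `suspicious` regardless of what the antivirus engine reports, which is the layered control the thread is groping toward.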
_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
