> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:clamav-users-
> [EMAIL PROTECTED] On Behalf Of Erik Corry
> Sent: 2 March 2004 09:10
> To: [EMAIL PROTECTED]
> Subject: Re: [Clamav-users] password protected zip file
>
> On Tue, Mar 02, 2004 at 03:07:31PM +0800, kengheng wrote:
> > Hi, Can clamav detect those viruses that are protected by a password in a
> > zipped file?
>
> No
>

I would say "maybe". It's impossible to detect the encrypted zip file,
but a signature was added yesterday that will match e-mails with the
Bagle-F or Bagle-H zip attachment (Worm.Bagle.F-zippwd).

So you should allow ClamAV also to scan the e-mail.

BTW: I'm currently working on adding a second signature that will detect
a variant of these e-mails.

Wouldn't a better and more long-term idea be to get clamav to return an error code or message when it has an unscannable file? When a zip (or other archive type) is corrupt, or password protected, etc. This would allow the software that is using clamav for virus scanning to make its own decision as to whether it wishes to quarantine or pass the virus based on this.

This would mean you don't need to hack together a signature for each individual zip file archive; it would be detected as encrypted and stopped as a matter of email gateway policy.

At the moment, if you put any virus inside an encrypted zip file, clamav reports that there isn't a virus in there, which is a false negative. Better to report that it couldn't be scanned than there wasn't a virus in there.

Thanks,
JT
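
The gateway-side check proposed above, sketched as an added example; it is not part of the original thread and is not ClamAV code. It reports a ZIP attachment as "unscannable" rather than clean when a member is flagged as encrypted or the archive is corrupt. The names `Verdict`, `inspect_zip`, `gateway_action`, `POLICY` and `make_sample` are hypothetical, and the sample archives are constructed inline.

```python
import io
import zipfile
from enum import Enum


class Verdict(Enum):
    SCANNABLE = "scannable"      # members can be handed to the virus scanner
    UNSCANNABLE = "unscannable"  # scanner cannot see inside: report it, don't say "clean"


def inspect_zip(data):
    """Return (Verdict, reason) for a ZIP attachment without decrypting anything."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the ZIP general-purpose flags marks an encrypted member.
                if info.flag_bits & 0x1:
                    return Verdict.UNSCANNABLE, "encrypted member: " + info.filename
    except zipfile.BadZipFile as exc:
        return Verdict.UNSCANNABLE, "corrupt archive: %s" % exc
    return Verdict.SCANNABLE, "no encrypted members"


# Hypothetical gateway policy: the site, not the scanner, decides what to do.
POLICY = {Verdict.SCANNABLE: "scan", Verdict.UNSCANNABLE: "quarantine"}


def gateway_action(data, policy=POLICY):
    verdict, _reason = inspect_zip(data)
    return policy[verdict]


def make_sample(encrypted):
    """Constructed sample: a one-file ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.txt", b"constructed sample payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set flag bit 0 in the local header (offset 6) and central directory (offset 8).
        data[data.find(b"PK\x03\x04") + 6] |= 0x01
        data[data.find(b"PK\x01\x02") + 8] |= 0x01
    return bytes(data)


if __name__ == "__main__":
    for name, blob in [("plain", make_sample(False)), ("flagged", make_sample(True)),
                       ("truncated", make_sample(False)[:40])]:
        print(name, inspect_zip(blob), "->", gateway_action(blob))
```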
