On Tue, 16 Mar 2004 11:55:33 +1100 Jonathan Trott <[EMAIL PROTECTED]> wrote:
> Tomasz Kojm <[EMAIL PROTECTED]> wrote on 12/03/2004 00:07:01: > > > On Thu, 11 Mar 2004 12:49:36 +1100 > > Jonathan Trott <[EMAIL PROTECTED]> wrote: > > > > > At the moment, if you put any virus inside an encrypted zip file, > > > clamav reports that there isn't a virus in there, which is a false > > > > > > negative. Better to report that it couldn't be scanned than there > > > wasn't a virus in there. > > > > No, that's definitely not a false negative. Password protected > > viruses are not dangerous (and not interesting to us) as long as > > they don't distribute the password. But anyway you should check the > > --detect-encrypted option (CVS). > > How can you determine that the password is being distributed with the > message? How about the situation where a malicious hacker is trying to We can't. We only detect encrypted archives. > introduce a trojan into the network via email that contains a password > > protected zip file with the trojan inside? There wouldn't be a > "password in the email" signature for that situation and clamav would > have passed it as clean! Clamav should (as I assume the CVS option now > does) report that the file could not be scanned, and let who/whatever > has called clamav process the file as it sees fit. Do anything but Actually that's the way clamav works. Also it always scans a raw file (that's why our generic signature for Bagle zips work). -- oo ..... Tomasz Kojm <[EMAIL PROTECTED]> (\/)\......... http://www.ClamAV.net/gpg/tkojm.gpg \..........._ 0DCA5A08407D5288279DB43454822DC8985A444B //\ /\ Tue Mar 16 09:56:22 CET 2004
pgp00000.pgp
Description: PGP signature
