Hi all
I have searched the archives without success for some information on this
problem. I have recently upgraded to ClamAV 0.80, and am running it via
MailScanner on a RedHat 7.1 server.
I noticed a suspicious message containing the attachment "message.pif",
which was not flagged by ClamAV as being a virus. I scanned the message
manually using clamscan -m. The result was:

LibClamAV Warning: Broken PE header detected.
message.pif: OK
----------- SCAN SUMMARY -----------
Known viruses: 26187
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
I/O buffer size: 131072 bytes
Time: 33.388 sec (0 m 33 s)

I get a similar result if the extracted file itself is scanned directly.
The attachment is clearly malware (the message looks like a Klez virus).
MailScanner checks the OK and then regards the file as being virus-free
(fortunately it then goes on to block it because of the file name, but
that is beside the point). Is the above report an error with ClamAV, or
is the file actually harmless because of the broken PE header? Would it
not be desirable for ClamAV to flag such files as being viruses (even if
they are broken)?
Regards
Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
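
Added example (not part of the original post, and not MailScanner or ClamAV code): a sketch of a wrapper that reads clamscan output like the report quoted in the post and holds a file for review when the verdict is OK but a LibClamAV warning preceded it, instead of passing it as virus-free. The disposition names and the rule that a warning attaches to the next verdict line are assumptions.

```python
import re

WARNING_RE = re.compile(r"^LibClamAV Warning: (.+)$")
VERDICT_RE = re.compile(r"^(.+): (OK|.+ FOUND)$")

# Scan output quoted in the post above (summary shortened).
PAGE_OUTPUT = """\
LibClamAV Warning: Broken PE header detected.
message.pif: OK
----------- SCAN SUMMARY -----------
Infected files: 0
"""

def triage(clamscan_output):
    """Map each scanned path to (disposition, reasons).

    Assumption: a warning belongs to the next verdict line that follows it,
    which is how the output appears in the post.
    """
    results, pending = {}, []
    for line in clamscan_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):   # summary block: no more verdicts
            break
        warning = WARNING_RE.match(line)
        if warning:
            pending.append(warning.group(1))
            continue
        verdict = VERDICT_RE.match(line)
        if not verdict:
            continue
        path, result = verdict.groups()
        if result != "OK":
            results[path] = ("infected", [result[: -len(" FOUND")]])
        elif pending:
            # No signature matched, but the scanner complained about the file.
            results[path] = ("review", pending)
        else:
            results[path] = ("clean", [])
        pending = []
    return results

if __name__ == "__main__":
    for path, (disposition, reasons) in triage(PAGE_OUTPUT).items():
        print(path, disposition, reasons)
```

When stdout and stderr are captured separately, the warning can no longer be tied to a file by position, so scan one file per invocation or merge the two streams before parsing.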