Hi all
I have searched the archives without success for some information on this problem. I have recently upgraded to ClamAV 0.80, and am running it via MailScanner on a RedHat 7.1 server.
I noticed a suspicious message containing the attachment "message.pif", which was not flagged by ClamAV as being a virus. I scanned the message manually using clamscan -m. The result was:
LibClamAV Warning: Broken PE header detected.
message.pif: OK

----------- SCAN SUMMARY -----------
Known viruses: 26187
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
I/O buffer size: 131072 bytes
Time: 33.388 sec (0 m 33 s)
I get a similar result if the extracted file itself is scanned directly.
The attachment is clearly malware (the message looks like a Klez virus). MailScanner checks the OK and then regards the file as being virus-free (fortunately it then goes on to block it because of the file name, but that is beside the point). Is the above report an error with ClamAV, or is the file actually harmless because of the broken PE header? Would it not be desirable for ClamAV to flag such files as being viruses (even if they are broken)?
They are flagged as Broken.Executable, although the option for this is not on by default. In my opinion you should test it using other tools ;-)

By the way: it is interesting whether clamav should flag broken PE files containing a malware body as broken or as malware. What do "other tools" do in this case?
Regards,
Boguslaw Brandys
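Added example, not code from the thread or from ClamAV or MailScanner: a small parser for clamscan output that does what the original post wishes MailScanner did, treating a libclamav "Broken PE header" warning that precedes a file's "OK" as suspicious rather than clean. The sample output is constructed from the report in the thread plus invented FOUND lines (the signature names are placeholders).

```python
import re

# Constructed sample clamscan output, modelled on the thread's report.
# "Broken.Executable FOUND" is what the reply says ClamAV reports once
# broken-executable detection is enabled (clamscan --detect-broken,
# clamd.conf DetectBrokenExecutables yes); "Example.Malware" is a placeholder.
SAMPLE_OUTPUT = """\
LibClamAV Warning: Broken PE header detected.
message.pif: OK
readme.exe: Example.Malware FOUND
notes.txt: OK
setup.exe: Broken.Executable FOUND
----------- SCAN SUMMARY -----------
Known viruses: 26187
Infected files: 2
"""

WARNING_RE = re.compile(r"^LibClamAV Warning: (?P<msg>.+?)\.?$")
RESULT_RE = re.compile(r"^(?P<path>.+?): (?:OK|(?P<sig>\S+) FOUND)$")


def classify(output):
    """Map each scanned file to (verdict, detail).

    verdict is 'infected' for a FOUND line, 'suspicious' for an OK line that
    was preceded by a libclamav warning, and 'clean' otherwise."""
    verdicts = {}
    pending = []  # warnings seen since the last per-file result line
    for line in output.splitlines():
        m = WARNING_RE.match(line)
        if m:
            pending.append(m.group("msg"))
            continue
        m = RESULT_RE.match(line)
        if not m:
            continue  # summary lines, separators, blanks
        path = m.group("path")
        if m.group("sig"):
            verdicts[path] = ("infected", m.group("sig"))
        elif pending:
            verdicts[path] = ("suspicious", "; ".join(pending))
        else:
            verdicts[path] = ("clean", None)
        pending = []
    return verdicts


def needs_quarantine(verdicts):
    """Paths a mail gateway should hold back: anything not plainly clean."""
    return sorted(p for p, (v, _) in verdicts.items() if v != "clean")
```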
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
