Hi

On Thu, 4 Nov 2004, Bogusław Brandys wrote:

> > I noticed a suspicious message containing the attachment "message.pif",
> > which was not flagged by ClamAV as being a virus.  I scanned the message 
> > manually using clamscan -m.  The result was:
> > 
> >     LibClamAV Warning: Broken PE header detected.
> >     message.pif: OK

> They are flagged as Broken.Executable, although the option for this is not
> default. In my opinion you should test it using other tools ;-)

I wouldn't want it allowed through anyway, so am happy to get it detected
as Broken.Executable.  Thanks for the tip.  I have enabled
ScanOptions="--detect-broken" in the clamav-wrapper used by MailScanner,
and then I can also trap the output to decide whether or not to deliver
such cleaned messages to users.

> By the way: it is an interesting question whether clamav should flag broken PE files
> containing a malware body as broken or as malware. What do "other tools" do in
> this case?

Not sure. If particular worms do generate broken executables, however,
surely they would still have a pattern to them that could be recognised,
in which case it would be desirable for ClamAV to report them as, say, Klez
(or whatever worm created them) rather than generically as broken
executables (a category which could also include genuine but
corrupted software).

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service
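The "trap the output to decide whether or not to deliver" step above, as an added example that is not part of the original thread and not MailScanner's or ClamAV's own wrapper code. It parses clamscan result lines of the form "path: OK" and "path: Signature FOUND" (the format shown in the quoted scan) and separates a generic Broken.Executable hit from a named malware hit so the two can be handled differently. The report text and the "Worm.Klez" signature name in the sample are constructed for the example; the `--detect-broken` option is the one named in the message, and `--no-summary` is a standard clamscan option.

```shell
#!/bin/sh
# Added example: decide delivery from clamscan output.
# Verdicts: deliver | broken | malware | unknown

# classify_line <one clamscan output line>
# Prints broken/malware/deliver for a result line, "other" for warnings
# (e.g. "LibClamAV Warning: Broken PE header detected.") and summary lines.
classify_line() {
    case "$1" in
        *": Broken.Executable FOUND") echo broken ;;   # generic broken-PE hit
        *" FOUND")                    echo malware ;;  # any named signature
        *": OK")                      echo deliver ;;
        *)                            echo other ;;
    esac
}

# classify_scan reads a whole clamscan report on stdin and prints the
# strictest verdict seen: malware > broken > deliver.
classify_scan() {
    verdict=deliver
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            malware) verdict=malware ;;
            broken)  [ "$verdict" = malware ] || verdict=broken ;;
        esac
    done
    echo "$verdict"
}

# scan_file <path>: run clamscan with --detect-broken (as in the wrapper
# setting above) and reduce its output to a verdict. Prints "unknown" when
# clamscan is not installed, so a caller never mistakes "no scan" for clean.
scan_file() {
    if command -v clamscan >/dev/null 2>&1; then
        clamscan --detect-broken --no-summary "$1" 2>&1 | classify_scan
    else
        echo unknown
    fi
}

# Constructed sample report in clamscan's output format (not a real scan).
SAMPLE_REPORT='LibClamAV Warning: Broken PE header detected.
message.pif: Broken.Executable FOUND
----------- SCAN SUMMARY -----------
Infected files: 1'

# sample_verdict: classify the constructed report above (expected: broken).
sample_verdict() {
    printf '%s\n' "$SAMPLE_REPORT" | classify_scan
}
```

A wrapper would call scan_file on each extracted attachment and map "broken" to the site's policy for corrupted-but-not-identified executables (quarantine, or deliver with a warning), while "malware" is always quarantined; "unknown" should be treated as a scan failure rather than as clean.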


_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users