On 2009-12-09 19:19, Alvaro Jimenez Cabrera EXT wrote:
> Hello list,
>
> Lately, we are experiencing some strange behaviour with clamd using socket
> communication mode with amavis-new.
>
> When a zip file with a trojan binary inside is sent by an evil sender,
> sometimes clamd marks it as CLEAN.
>
> After doing some investigation, we realised the following two things:
>
> This zipped file is not detected as a trojan:
> unzip -v winner.zip
> Archive:  winner.zip
>  Length   Method    Size  Ratio   Date   Time   CRC-32    Name
> --------  ------  ------- -----   ----   ----   ------    ----
>    19456  Defl:X    16271  16%  11-06-09 00:46  14a246d9  winner.exe
> --------          -------  ---                            -------
>    19456            16271  16%                            1 file
>
> This one is detected smoothly:
> unzip -v pru/winner.zip
> Archive:  pru/winner.zip
>  Length   Method    Size  Ratio   Date   Time   CRC-32    Name
> --------  ------  ------- -----   ----   ----   ------    ----
>    19456  Defl:N    16277  16%  11-06-09 00:46  14a246d9  winner.exe
> --------          -------  ---                            -------
>    19456            16277  16%                            1 file

Does 0.95.3 detect it properly? The zip code has undergone some changes after 0.92...

> As you can see, the main difference between the two zip files is the deflate
> method (the X method is not detected by clamd and the N method is detected ok).
>
> About our architecture:
> we have debian 4.0 and the following clamd and apps versions:
>
> balth...@mailfilter04:~$ dpkg -l | grep -E 'zlib|clam'
> ii  clamav            0.91.2-3            antivirus scanner for Unix
> ii  clamav-base       0.91.2-3            base package for clamav, an anti-virus utili
> ii  clamav-daemon     0.91.2-3            antivirus scanner daemon
> ii  clamav-freshclam  0.91.2-3            downloads clamav virus databases from the In
> rc  libclamav1        0.88.7-0volatile1   virus scanner library
> ii  libclamav2        0.91.2-3            virus scanner library
> ii  zlib1g            1.2.3-13            compression library - runtime
> ii  zlib1g-dev        1.2.3-13            compression library - development
>
> We are forced to use this version of this application because they are
> tightly integrated with other inherited custom programs.

Aren't packages for those programs available that work with some newer ClamAV? If all they do is communicate with clamd, that should work with 0.95.3 too.

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
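The `Defl:X` versus `Defl:N` difference in the quoted `unzip -v` output comes only from general-purpose flag bits 1-2 of the member header, a hint about the level the compressor used; the deflate stream itself is decoded the same way whatever those bits say. The Python below is an added example, not from the thread or from ClamAV: it builds a constructed one-member zip, patches those bits to each of the four values, and shows a minimal header parser that selects the decompressor by the method field alone and verifies the CRC-32, so the content handed to a scanner is identical for all four variants (the payload and the file name `winner.exe` are constructed, not a real binary).

```python
import io
import struct
import zipfile
import zlib

# unzip -v prints the deflate "option" from general-purpose flag bits 1-2:
# 00 normal (N), 01 maximum (X), 10 fast (F), 11 superfast (S).
DEFLATE_OPTION = {0: "N", 1: "X", 2: "F", 3: "S"}

# Constructed payload standing in for winner.exe; not a real program.
SAMPLE = b"MZ" + b"constructed sample data, not a real program\n" * 40


def build_zip(name, data, option):
    """Constructed sample: one deflated member whose flag bits 1-2 are patched
    to `option` in both the local header (offset 6) and the central directory
    entry (offset 8), the way a different compressor or level would set them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    for off in (6, raw.find(b"PK\x01\x02") + 8):
        flags = struct.unpack_from("<H", raw, off)[0]
        struct.pack_into("<H", raw, off, (flags & ~0x0006) | (option << 1))
    return bytes(raw)


def first_member(zip_bytes):
    """Parse the first local file header and inflate its payload.
    Only the method field selects the decompressor; the option bits are
    advisory hints about the compressor and must not change the output."""
    if zip_bytes[:4] != b"PK\x03\x04":
        raise ValueError("not a zip local file header")
    flags, method, _time, _date, crc, csize, usize, nlen, xlen = struct.unpack_from(
        "<HHHHIIIHH", zip_bytes, 6)
    start = 30 + nlen + xlen
    payload = zip_bytes[start:start + csize]
    if method == 8:
        data = zlib.decompress(payload, -15)  # raw deflate, no zlib header
    elif method == 0:
        data = payload
    else:
        raise ValueError("unsupported compression method %d" % method)
    if len(data) != usize or zlib.crc32(data) != crc:
        raise ValueError("size or CRC-32 mismatch")
    option = DEFLATE_OPTION[(flags >> 1) & 3] if method == 8 else "-"
    return option, data


if __name__ == "__main__":
    for opt in range(4):
        letter, data = first_member(build_zip("winner.exe", SAMPLE, opt))
        print("Defl:%s -> %d bytes, identical: %s" % (letter, len(data), data == SAMPLE))
```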
