On 02/10/2012 03:45 PM, Matthias Egger wrote:
> Hello List
>
> Yesterday we received a lot of "DHL Delivery Notification Messages" with a
> zip file as attachment.
>
> The zip file contains an exe file which is obviously some kind of malware.
>
> Since clamav let this email pass through I went to the malware submission page
> and uploaded this file. The message I received then was that this file is
> still known as malware.
>
> So why did clamav let the attachment pass through?
>
> I found the solution:
>
> # clamscan -v DHL_Post_oder_Notification-INF6782654.zip
> DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND

The detection is based on the filename inside the zip file.

> # clamscan -v DHL_Post_oder_Notification-DATA.exe
> DHL_Post_oder_Notification-DATA.exe: OK

There is no filename here because you are scanning the file itself, and not a container, hence ClamAV cannot detect the malware with this signature.

> So clamav recognizes the zipfile as malware, but not the contained exe. This
> is bad, since amavis does extract the submitted zip file and then checks the
> extracted exe file.
>
> So the question is... how can I fix this?

Pass the full email to ClamAV, not just the attachments.

Best regards,
--Edwin

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
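The behaviour Edwin describes (a container signature that keys on a member filename, which an extracted payload no longer carries) can be reproduced with a toy scanner. The following is an added example, not code from the thread or from ClamAV; the signature name `Suspect.ExampleZip-filename` and its regular expression are constructed stand-ins, not the real Bredozip signature, and the "exe" is a harmless byte stub. It shows the three cases from the thread: the bare exe scans clean, the zip matches, and a scan of the complete message (rather than pre-extracted attachments) still sees the archive and therefore still matches.

```python
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed stand-in for a container signature that matches on the name of a
# member inside a zip archive. This is NOT the real ClamAV signature; the
# pattern is only an illustration of filename-based detection.
CONTAINER_SIGNATURES = {
    "Suspect.ExampleZip-filename": re.compile(
        r"Notification-[A-Za-z0-9]+\.exe$", re.IGNORECASE
    ),
}


def scan_zip(data: bytes) -> list[str]:
    """Apply filename-based container signatures to a zip held in memory."""
    hits: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return hits
    for sig_name, pattern in CONTAINER_SIGNATURES.items():
        if any(pattern.search(name) for name in names):
            hits.append(sig_name)
    return hits


def scan_file(data: bytes) -> list[str]:
    """Scan one file the way amavis hands an extracted attachment to the scanner.

    A bare executable carries no member name, so a container signature has
    nothing to match and the file comes back clean. Only a zip is inspected.
    """
    if data[:2] == b"PK":
        return scan_zip(data)
    return []  # this toy scanner has no content signatures for plain files


def scan_email(raw: bytes) -> list[str]:
    """Scan a complete message: every attachment is seen in its original form."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits: list[str] = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            hits.extend(scan_file(payload))
    return hits


def build_sample_email() -> tuple[bytes, bytes, bytes]:
    """Constructed test data: a stub 'exe', a zip wrapping it, and a message
    carrying that zip as an attachment (names mirror the thread)."""
    exe = b"MZ" + b"\x00" * 62  # harmless stub, not a real executable
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("DHL_Post_oder_Notification-DATA.exe", exe)
    zip_bytes = buf.getvalue()

    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "DHL Delivery Notification"
    msg.set_content("See attached notification.")
    msg.add_attachment(
        zip_bytes,
        maintype="application",
        subtype="zip",
        filename="DHL_Post_oder_Notification-INF6782654.zip",
    )
    return exe, zip_bytes, msg.as_bytes()


if __name__ == "__main__":
    exe, zip_bytes, raw = build_sample_email()
    print("extracted exe :", scan_file(exe) or "OK")
    print("zip attachment:", scan_zip(zip_bytes) or "OK")
    print("full message  :", scan_email(raw) or "OK")
```

The same principle applies to any scanner signature that depends on container metadata (archive member names, nesting depth, archive encryption flags): a front-end that unpacks attachments before scanning discards exactly the context such signatures need, so the scanner should also be given the original message or archive.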
