On 02/10/2012 05:08 PM, Matthias Egger wrote:
> Hello Edwin
> 
> Thank you for your reply.
> 
> On 10.02.2012 15:06, Török Edwin wrote:
>>> # clamscan -v DHL_Post_oder_Notification-INF6782654.zip
>>> DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND
>>
>> The detection is based on the filename inside the zip file.
> I am curious... isn't this really unsafe?
> 
> I have just checked a second of these DHL emails. The Subject and the ZIP 
> Name were different, but the content was the same file. So what happens if a 
> spammer not only changes the subject and zip-name
> but also changes the filename of the exe every time?
> 
> Would it not make sense to use something like an md5 sum of the exe file? I 
> think the effort to change the names of the exe is much lower than changing 
> the malware for every email.
> 
> But hey... I am just thinking out loud... I don't want to step on anybody's feet. 
> As I said... I am just curious.

-zippwd means that sometimes the file is encrypted. In that case obviously we 
cannot know the md5 of the extracted file because we cannot extract it,
so the filename is the only thing left.

> 
>>> So the question is... how can i fix this?
>>
>> Pass the full email to ClamAV, not just the attachments.
> 
> Hmm... okay, I'll have a look at it.
> 
> Thank you Edwin!
> 
> Best regards
> Matthias
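The point Edwin makes above, that a password-protected zip leaves only the member filename to judge by while a readable one can be hashed, can be demonstrated by reading just the zip's central directory. The following is an added example, not code from this thread or from ClamAV: the `SUSPECT_NAME` pattern is a constructed stand-in for whatever a filename-keyed rule matches, and because Python's `zipfile` cannot write password-protected archives the encrypted case is simulated by setting the "encrypted" general-purpose flag bit on an otherwise normal entry.

```python
import hashlib
import io
import re
import struct
import zipfile

# Constructed stand-in for a filename-keyed rule; not a real ClamAV signature.
SUSPECT_NAME = re.compile(r"\.(exe|scr|pif|com)$", re.IGNORECASE)


def build_sample_zip(member_name, payload, encrypted=False):
    """Construct a small in-memory zip for this example.

    For the encrypted case the 'encrypted' general-purpose flag (bit 0) is set
    in both the local file header and the central directory entry. The stored
    bytes are not really encrypted, but a reader that honours the flag will
    not extract the member, which is the situation described in the thread.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")    # local file header signature
        central = data.find(b"PK\x01\x02")  # central directory entry signature
        # flag field sits at offset 6 in the local header, offset 8 in the
        # central directory entry
        for offset in (local + 6, central + 8):
            flags = struct.unpack_from("<H", data, offset)[0]
            struct.pack_into("<H", data, offset, flags | 0x1)
    return bytes(data)


def classify(data):
    """Judge each archive member without relying on extraction.

    Only the central directory is read to get names and flags. A readable
    member is hashed so the same payload is recognised regardless of its name;
    an encrypted member cannot be read, so the filename is the only evidence.
    """
    verdicts = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)
            verdict = {
                "name": info.filename,
                "status": "encrypted" if encrypted else "readable",
                "sha256": None,
                "name_match": bool(SUSPECT_NAME.search(info.filename)),
            }
            if not encrypted:
                verdict["sha256"] = hashlib.sha256(zf.read(info)).hexdigest()
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    payload = b"MZ-constructed-sample-payload"  # constructed, not a real binary
    for name, enc in (
        ("DHL_Post_oder_Notification.exe", False),
        ("Paket_Benachrichtigung.exe", False),
        ("DHL_Post_oder_Notification.exe", True),
    ):
        for v in classify(build_sample_zip(name, payload, encrypted=enc)):
            print(v)
```

Running the block shows the first two archives, which differ only in member name, producing the same SHA-256, while the third yields no hash at all and only the filename match survives; that is the gap a filename-keyed signature is filling.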

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml