Hi, I created a local pdb database so I can catch phishing attempts when URLs in an email display our domain name but actually link to a malicious URL. In testing, I found something that I don't understand.

When I run clamdscan on a test message it correctly detects a spoofed domain in the message. When my MTA connects to the clamd socket and asks it to scan the same exact message, it does not detect it. I ran into a very similar problem before with a gdb database and never did figure it out.

The big difference that I notice in looking at libclamav debug output is that when I ran clamdscan it detects it to be an email message and it calls cli_scanmail():

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type Mail file
LibClamAV debug: cache_check: 2abdd56b32d91583175dfd071e7019d1 is negative
LibClamAV debug: Starting cli_scanmail(), recursion = 1

However, when my MTA connects to clamd it does not:

LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: 94e3a1ba1c23e73cb98e9a8e8a801479 is positive
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2791 (no post, no cache)
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data.UNOFFICIAL
LibClamAV debug: cache_check: f82c03beb094dd4a77cd3074ce327601 is positive

Oh, this is version: ClamAV 0.99.1/21471/Wed Mar 23 19:48:37 2016

Any thoughts?

Thanks!
Dave

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
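One way to narrow down a clamdscan-versus-MTA discrepancy like the one above is to submit the same message to clamd over its socket yourself, the way a milter does (INSTREAM chunks), instead of letting clamdscan hand over a file path. The script below is an added example, not the poster's code or part of ClamAV; the socket path and the sample message are constructed assumptions, and the reply parser follows clamd's "stream: OK" / "stream: <name> FOUND" / "stream: <msg> ERROR" format.

```python
import socket
import struct
from typing import Optional, Tuple

# Constructed sample message (assumption): a minimal RFC 822 mail whose link
# text shows one domain while the href points elsewhere.
SAMPLE_MESSAGE = (
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: test\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<a href="http://other.example/">https://example.com/login</a>\r\n'
)


def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Build the bytes an MTA-style client sends for the zINSTREAM command.

    clamd expects the command, then chunks of <4-byte big-endian length><bytes>,
    terminated by a zero-length chunk.
    """
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # zero-length chunk ends the stream
    return bytes(out)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse a NUL-terminated clamd reply into (status, signature_or_message)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")  # strip the "stream" identifier
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    if verdict.endswith(" ERROR"):
        return "ERROR", verdict[: -len(" ERROR")]
    return "UNKNOWN", verdict


def scan_stream(data: bytes, socket_path: str = "/var/run/clamav/clamd.ctl") -> Tuple[str, Optional[str]]:
    """Stream a message to clamd over its UNIX socket (path is an assumption) and return the verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands get NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    print(scan_stream(SAMPLE_MESSAGE))
```

Running this against the same file that clamdscan flags, with clamd's debug logging on, gives a third trace to compare with the two above; a "cache_check ... is positive" line on that run means clamd returned a cached result for that content rather than rescanning it.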
