On Thu, 16 Feb 2017 21:21:06 +0100 Reindl Harald <[email protected]> wrote:
> On 16.02.2017 at 21:17, Mark Foley wrote:
> > I am running a scheduled clamscan on the IMAP mail folders. The command is:
> >
> > /usr/local/bin/clamscan -a --detect-pua=yes --no-summary --stdout --infected \
> >     --recursive --allmatch --scan-mail=yes --scan-ole2=yes /home/HPRS/
> >
> > This scan turns up the following:
> >
> > /home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S: Win.Trojan.DarkKomet-5711346-0 FOUND
> >
> > /home/HPRS/dsmith/Maildir/.Sent Items/cur/1424639819.M717944P16540.mail,S=1444158,W=1463348:2,S!...!(72)MAIL:SEC_deficiency_letter_to_Timbervest.pdf: Win.Trojan.DarkKomet-5711346-0 FOUND
> >
> > This email has 4 .pdf attachments. When I run clamscan manually on any of them
> > I get no infections:
> >
> > $ clamscan --detect-pua=yes --scan-ole2=yes 2011.06.08\ Notification\ of\ Distribution.pdf
> > 2011.06.08 Notification of Distribution.pdf: OK
>
> why --scan-ole2=yes when you scan a pdf?
> --scan-pdf makes more sense

For hopefully consistent results, I was using the same clamscan switches the scheduled clamscan job used. With those switches (plus --scan-mail=yes) the scheduled clamscan found the infections. I didn't use --scan-mail=yes in my manual test because I had unpacked the attachments from the email.

In any case, running clamscan --scan-pdf also turned up no infections:

So the question stands: Why does it find infections when run on the mail file, but not on the attachments (or mail body text) when run manually?

--Mark
