> On 28/02/2017 at 19:15, Noel Jones wrote:
>> On 2/28/2017 11:35 AM, Carlos Velasco wrote:
>>
>> Anyway, the main question remains unanswered... is there any way to force 
>> the scan as mail (overriding the magic for the first recursion)?
>>
> 
> 
> Clam uses the daily.ftm file to decide what type of scanning to use.
> Generally, clam looks for a Received: line or a few other common
> mail headers in the first few bytes of the file.  Apparently those
> common headers are too far into your file.
> 
> You can create a local.ftm with your unusual headers in it to cause
> these files to be detected as an email.  I don't see my notes for
> the .ftm file syntax at the moment, but I'm sure you can find
> something on google.
> 
> Alternately, you can get the sanesecurity.ftm file from
> sanesecurity.com, which includes a wide variety of mail formats and
> will likely recognize your file.  You don't need to use any of the
> sanesecurity add-on signatures for this, but I recommend them.

Thank you very much for your reply, Noel.

You are right, in the daily.ftm there are magics for Mail Files and, as far as I 
understand them, there are some that only match from 0 to offset 1024.

1:0,1024:0a(46|66)726f6d3a20{-1024}0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(46|66)726f6d3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)6573736167652d(49|69)643a20{-1024}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

I have created a local.ftm with this line and at last the file was recognized as 
mail:
1:0,8192:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

It's very frustrating because I know this file is a mail and I cannot tell 
ClamAV to not use magic and treat this file as a mail (forced).

Sadly this email file is not unusual at all; this issue is caused by a simple 
email from hotmail received at an MX. :(
DKIM and a lot more headers are surprisingly usual nowadays.

Regards,
Carlos Velasco
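A small matcher for the .ftm lines quoted above, added here as an illustration: it is not part of the thread and not ClamAV's own code (ClamAV runs its own matcher over a much larger rule set; this only reproduces the offset and gap semantics of the five entries shown). It assumes the ClamAV signature conventions that an offset field `n,m` means the match may start anywhere from byte n to byte n+m, and that `{-n}` means n or fewer bytes between the two sides. The sample message is constructed to put the From:/MIME-Version:/Message-ID: headers behind a pile of Received: and DKIM-Signature: headers, which is what makes the 1024-byte entries miss and the 8192-byte entry hit.

```python
import re

# Constructed copies of the ClamAV .ftm lines quoted in the thread: the four
# daily.ftm "Mail file" entries and the widened local.ftm entry.
DAILY_FTM = """\
1:0,1024:0a(46|66)726f6d3a20{-1024}0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(46|66)726f6d3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)6573736167652d(49|69)643a20{-1024}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
"""
LOCAL_FTM = (
    "1:0,8192:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20"
    "{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL\n"
)

# Subset of the hex-signature syntax these entries use: plain hex bytes,
# (aa|bb) single-byte alternatives, and {-n} meaning "n or fewer bytes".
_TOKEN = re.compile(r"\(([0-9a-fA-F]{2}(?:\|[0-9a-fA-F]{2})+)\)|\{-(\d+)\}|([0-9a-fA-F]{2})")


def hexsig_to_regex(sig):
    """Translate a hex signature (subset above) into a compiled bytes regex."""
    pos, parts = 0, []
    for m in _TOKEN.finditer(sig):
        if m.start() != pos:
            raise ValueError("unsupported hex-signature syntax near: " + sig[pos:pos + 12])
        pos = m.end()
        alt, gap, byte = m.groups()
        if alt:
            choices = [re.escape(bytes.fromhex(a)) for a in alt.split("|")]
            parts.append(b"(?:" + b"|".join(choices) + b")")
        elif gap:
            parts.append(b".{0,%d}" % int(gap))  # at most n bytes of anything
        else:
            parts.append(re.escape(bytes.fromhex(byte)))
    if pos != len(sig):
        raise ValueError("trailing junk in hex signature: " + sig[pos:])
    return re.compile(b"".join(parts), re.DOTALL)


class FtmEntry:
    """One type-1 (hex signature) line of a .ftm file."""

    def __init__(self, line):
        fields = line.rstrip("\n").split(":")
        if len(fields) < 6:
            raise ValueError("malformed .ftm line: " + line)
        magic_type, offset, hexsig, self.name, self.required, self.detected = fields[:6]
        if magic_type != "1":
            raise ValueError("only type-1 (hex signature) entries are handled here")
        self.regex = hexsig_to_regex(hexsig)
        # Offset field: "*" (anywhere), "n" (exactly n) or "n,m" (start within n..n+m).
        if offset == "*":
            self.lo, self.hi = 0, None
        elif "," in offset:
            n, shift = (int(x) for x in offset.split(","))
            self.lo, self.hi = n, n + shift
        else:
            self.lo = self.hi = int(offset)

    def matches(self, data):
        m = self.regex.search(data, self.lo)
        # search() returns the leftmost match; if that starts past hi, none fits.
        return m is not None and (self.hi is None or m.start() <= self.hi)


def load_ftm(text):
    return [FtmEntry(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def detect_type(entries, data, default="CL_TYPE_ANY"):
    """Return the detected type of the first matching entry, else the default."""
    for entry in entries:
        if entry.matches(data):
            return entry.detected
    return default


def build_sample_message(header_padding):
    """Constructed message: at least header_padding bytes of Received: headers,
    then a DKIM-Signature:, and only then the headers daily.ftm keys on."""
    bulk, i = b"", 0
    while len(bulk) < header_padding:
        bulk += (b"Received: from relay%d.example.invalid (relay%d.example.invalid [192.0.2.%d])\r\n"
                 b"\tby mx.example.invalid with ESMTP; Tue, 28 Feb 2017 11:35:00 +0000\r\n"
                 % (i, i, i % 250))
        i += 1
    bulk += (b"DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; s=sel; h=from:to:subject; bh="
             + b"A" * 44 + b"; b=" + b"B" * 344 + b"\r\n")
    tail = (b"From: Someone <someone@example.invalid>\r\n"
            b"To: you@example.invalid\r\n"
            b"Message-ID: <constructed@example.invalid>\r\n"
            b"MIME-Version: 1.0\r\n"
            b"Content-Type: text/plain; charset=utf-8\r\n"
            b"Subject: test\r\n\r\nbody\r\n")
    return bulk + tail


if __name__ == "__main__":
    daily, local = load_ftm(DAILY_FTM), load_ftm(LOCAL_FTM)
    for padding in (100, 3000, 9000):
        msg = build_sample_message(padding)
        print(padding, detect_type(daily, msg), detect_type(daily + local, msg))
```

Running the block prints one line per padding size: with about 100 bytes of extra headers the daily.ftm entries already classify the message as CL_TYPE_MAIL; with 3000 bytes only the local.ftm entry with the 8192-byte window does; and with 9000 bytes neither does, which is the limit a local.ftm override has to be sized against.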
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml