> On 28/02/2017 at 19:15, Noel Jones wrote:
>> On 2/28/2017 11:35 AM, Carlos Velasco wrote:
>>
>> Anyway, the main question remains unanswered... is there any way to force
>> the scan as mail (overriding the magic for the first recursion)?
>>
>
>
> Clam uses the daily.ftm file to decide what type of scanning to use.
> Generally, clam looks for a Received: line or a few other common
> mail headers in the first few bytes of the file. Apparently those
> common headers are too far into your file.
>
> You can create a local.ftm with your unusual headers in it to cause
> these files to be detected as an email. I don't see my notes for
> the .ftm file syntax at the moment, but I'm sure you can find
> something on google.
>
> Alternately, you can get the sanesecurity.ftm file from
> sanesecurity.com, which includes a wide variety of mail formats and
> will likely recognize your file. You don't need to use any of the
> sanesecurity add-on signatures for this, but I recommend them.
Thank you very much for your reply, Noel. You are right, in the daily.ftm there are magics for Mail Files and, as far as I understand them, there are some that only match from 0 to offset 1024:

1:0,1024:0a(46|66)726f6d3a20{-1024}0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(46|66)726f6d3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)6573736167652d(49|69)643a20{-1024}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

I have created a local.ftm with this line and at last the file was recognized as mail:

1:0,8192:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL

It's very frustrating because I know this file is a mail and I cannot tell ClamAV to not use magic and treat this file as a mail (forced).
Sadly this email file is not unusual at all; this issue is caused by a simple email from hotmail received at an MX. :( DKIM and a lot more headers are surprisingly usual nowadays.

Regards,
Carlos Velasco

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
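To show why the stock daily.ftm rule misses a message whose From:/MIME-Version: headers sit past byte 1024 while the 8192-shift local.ftm rule catches it, here is an added example (written for this thread, not ClamAV's own code) that translates the hex-pattern part of an .ftm rule into a Python regular expression and applies the "offset,maxshift" rule. It covers only the signature syntax subset those two rules use, approximates ClamAV's matcher with leftmost-match regex semantics, and the sample message is constructed.

```python
import re

# Rules copied from the thread: the daily.ftm rule (shift 1024) and the local.ftm rule (shift 8192).
DAILY_RULE = ("1:0,1024:0a(46|66)726f6d3a20{-1024}0a(4d|6d)(49|69)(4d|6d)(45|65)2d"
              "(56|76)657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL")
LOCAL_RULE = ("1:0,8192:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}"
              "0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL")

# Tokens of the hex-signature subset handled here: (xx|yy) alternation, {..} gaps, ??, *, literal bytes.
TOKEN = re.compile(r"\((?:[0-9a-f]{2}\|)+[0-9a-f]{2}\)|\{[^}]+\}|\?\?|\*|[0-9a-f]{2}")

def hex_body_to_regex(body: str) -> bytes:
    """Translate a ClamAV hex signature body into an equivalent Python bytes regex."""
    out = []
    for tok in TOKEN.findall(body):
        if tok.startswith("("):              # (46|66): one byte out of several (here: case variants)
            alts = [re.escape(bytes([int(h, 16)])) for h in tok[1:-1].split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        elif tok.startswith("{"):            # {-n} up to n bytes, {n-} at least n, {n-m} range, {n} exact
            lo, sep, hi = tok[1:-1].partition("-")
            lo = lo or "0"
            hi = hi if sep else lo
            out.append(b".{%s,%s}" % (lo.encode(), hi.encode()))
        elif tok == "??":                    # any single byte
            out.append(b".")
        elif tok == "*":                     # any run of bytes
            out.append(b".*")
        else:                                # literal byte
            out.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(out)

def ftm_matches(rule: str, data: bytes) -> bool:
    """Apply the rule's offset field 'n,shift': the pattern must start between byte n and n+shift."""
    magictype, offset, body = rule.split(":", 3)[:3]
    if magictype != "1":
        raise ValueError("only hex-pattern (magictype 1) rules are handled here")
    start, _, shift = offset.partition(",")
    start, shift = int(start), int(shift or 0)
    m = re.compile(hex_body_to_regex(body), re.DOTALL).search(data, start)
    return m is not None and m.start() <= start + shift

def sample_message(relay_hops: int) -> bytes:
    """Constructed message: every hop adds a Received: and a DKIM-Signature: line ahead of From:."""
    hop = (b"Received: from relay%d.example.invalid by mx.example.invalid; Tue, 28 Feb 2017 19:15:00 +0100\r\n"
           b"DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; s=sel%d; bh=PLACEHOLDER; b=PLACEHOLDER\r\n")
    headers = b"".join(hop % (i, i) for i in range(relay_hops))
    return headers + b"From: sender@example.invalid\r\nMIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
```

With three hops the From: line still starts inside the first 1024 bytes and the daily.ftm rule fires; with ten hops (about 1.9 KB of Received/DKIM headers) only the 8192-shift local.ftm rule does.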