Luca Bertoncello wrote:
> Tom Kistner <[EMAIL PROTECTED]> wrote:
>
> > Is "ScanMail" enabled in your clamd config (It is enabled by default, so
> > you'd have to explicitly turn it off).
>
> Yes, of course!
>
> > If it is enabled, forward the original sample to the ClamAV team.
>
> But ClamAV knows this virus! If I get the E-Mail, save the .zip on my disk,
> and then send another E-Mail with the same .zip, then ClamAV says that my
> E-Mail is a virus!
>
> What can I do?

I was hit by something like this at work with a content scanner I wrote (it uses McAfee uvscan for virus scanning). I found out that the virus puts various length lines in the base64 encoded part (not always in pairs of 4). Outlook handled it, but mine didn't. This may be the same thing. After a few minutes of rewriting my base64 handler, it finds the virus every time.

I don't have any examples, but I'd see some lines being 2-3 characters long while others were 67 (guess). It was definitely badly formed and it worked at bypassing the scanner. Fortunately the local AV on the PC caught it.

You can try to hand craft a message with a base64 virus attachment and randomly break the line into 2 or more lines (preferably where the line is not a multiple of 4 characters) and see if it finds a virus in it.

-- 
Lab tests show that use of micro$oft causes cancer in lab animals
Got Gas???
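
The decoder difference described in the message above, as an added example that is not the poster's code: a handler that decodes each line separately loses data when line lengths are not multiples of 4, while one that strips line breaks and decodes the body as a single stream recovers the attachment for scanning. All function names, the marker and the sample bytes are constructed for illustration.

```python
import base64
import binascii
from itertools import cycle

B64_CHARS = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")

# Constructed sample: harmless bytes with a marker standing in for a signature.
MARKER = b"MARKER-FOR-SCANNER"
SAMPLE = MARKER + b" constructed filler" * 10


def rewrap(encoded: str, widths=(3, 67, 2, 61)) -> str:
    """Re-break a base64 string into irregular line lengths (test input only)."""
    lines, pos = [], 0
    for width in cycle(widths):
        if pos >= len(encoded):
            break
        lines.append(encoded[pos:pos + width])
        pos += width
    return "\r\n".join(lines)


def decode_per_line(body: str) -> bytes:
    """Fragile handler: decodes every line on its own and skips lines that fail."""
    out = bytearray()
    for line in body.splitlines():
        try:
            out += base64.b64decode(line, validate=True)
        except binascii.Error:
            pass  # a line that is not a multiple of 4 chars is silently lost
    return bytes(out)


def decode_whole_body(body: str) -> bytes:
    """Tolerant handler: keep only base64 alphabet characters, decode as one stream.

    RFC 2045 requires decoders to ignore line breaks and other characters
    outside the alphabet, so line length must not affect the result.
    """
    data = bytes(b for b in body.encode("ascii", "ignore") if b in B64_CHARS)
    data += b"=" * (-len(data) % 4)  # restore padding dropped by the filter
    return base64.b64decode(data)


def scanner_sees_marker(decoded: bytes) -> bool:
    """Stand-in for handing the decoded attachment to the AV engine."""
    return MARKER in decoded
```

A content scanner should also treat a base64 part that fails to decode as a reason to quarantine or defer the message rather than pass it unscanned.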
