[Clamav-users] Clamav and quoted-printable
Hi everyone, First of all, I'm a recent clamav user (I know, I know, I should NOT be ! :-) ), so please be indulgent with me. I however, of course searched the archives in order to see whether my problem had a solution, but found nothing relevant. I may have missed something, though. Here is my problem: I submitted yesterday a new version of the paypal trojan, which has been accepted as Trojan.Spy.Paypal.A. My submission was made via the web service. The mail was an text/html one, with a quoted-printable encoding. So when I run clamscan or clamdscan on a file containing the raw email, the detection is correct. The problem is that I run clamav as a virus scanner via amavis, and amavis does all the decoding before calling the scanners. So when clamav is called, it does NOT detect the trojan anymore, as it is no longer quoted-printable encoded... Is there a solution to this problem ? Thanks in advance for any pointer/solution/etc. ! Best regards, Bruno -- -- Service Hydrographique et Oceanographique de la Marine --- EPSHOM/CIS/MIC -- 13, rue du Chatellier --- BP 30316 --- 29603 Brest Cedex, FRANCE --Phone: +33 2 98 22 17 49 --- Email: [EMAIL PROTECTED] --- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Clamav and quoted-printable
On Thu, 05 Feb 2004 at 12:09:00 +0100, Bruno Treguier wrote: [...] Here is my problem: I submitted yesterday a new version of the paypal trojan, which has been accepted as Trojan.Spy.Paypal.A. My submission was made via the web service. The mail was an text/html one, with a quoted-printable encoding. So when I run clamscan or clamdscan on a file containing the raw email, the detection is correct. The problem is that I run clamav as a virus scanner via amavis, and amavis does all the decoding before calling the scanners. So when clamav is called, it does NOT detect the trojan anymore, as it is no longer quoted-printable encoded... Is there a solution to this problem ? The solution is probably a correcting the signature by us ;-) . Thank you for pointing this out! -- Tomasz Papszun SysAdm @ TP S.A. Lodz, Poland | And it's only [EMAIL PROTECTED] http://www.lodz.tpsa.pl/ | ones and zeros. [EMAIL PROTECTED] http://www.ClamAV.net/ A GPL virus scanner --- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] Clamav and quoted-printable
On Thu, Feb 05, 2004 at 12:35:06PM +0100, Tomasz Papszun wrote: On Thu, 05 Feb 2004 at 12:09:00 +0100, Bruno Treguier wrote: [...] Here is my problem: I submitted yesterday a new version of the paypal trojan, which has been accepted as Trojan.Spy.Paypal.A. My submission was made via the web service. The mail was an text/html one, with a quoted-printable encoding. So when I run clamscan or clamdscan on a file containing the raw email, the detection is correct. The problem is that I run clamav as a virus scanner via amavis, and amavis does all the decoding before calling the scanners. So when clamav is called, it does NOT detect the trojan anymore, as it is no longer quoted-printable encoded... Is there a solution to this problem ? The solution is probably a correcting the signature by us ;-) . Thanks for your quick answer. To be really honest, I suspected this, but didn't want to suggest it at first, as I'm not a very experienced user ! Thank you for pointing this out! You're welcome ! Thanks to _you_, the dream team, for bringing us this nice tool ! Best regards, Bruno -- -- Service Hydrographique et Oceanographique de la Marine --- EPSHOM/CIS/MIC -- 13, rue du Chatellier --- BP 30316 --- 29603 Brest Cedex, FRANCE --Phone: +33 2 98 22 17 49 --- Email: [EMAIL PROTECTED] --- The SF.Net email is sponsored by EclipseCon 2004 Premiere Conference on Open Tools Development and Integration See the breadth of Eclipse activity. February 3-5 in Anaheim, CA. http://www.eclipsecon.org/osdn ___ Clamav-users mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/clamav-users
