Hi there
The new W32/Nyxem-D virus seems to escape clamav fairly well.
It comes in as a .HQX or .MIM attachment - which is base64 encoded.
However, the resultant HQX/MIM file is actually a UUENCODED file (that
WinXP at least auto-supports).
I uudecoded it and wrote my own signature for the
Oh! I missed my actual question! :-)
Is this expected behavior, i.e. a limitation with making your own simple
MD5-based sigs?
Jason Haar wrote:
Hi there
The new W32/Nyxem-D virus seems to escape clamav fairly well.
It comes in as a .HQX or .MIM attachment - which is base64 encoded.
Hi,
This following thread was previously posted. I wonder if this is still an issue
with MIME handling or is it just a sole case that the worm couldn't be caught?
Thanks
Jerry,
Hi all,
RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd nor
On Wednesday 16 February 2005 14:35, Scott Ryan shaped the electrons to say:
Hi list, I have posted before about an issue with clamd hanging and
yesterday we finally managed to find out what the underlying problem was.
We came across an 800k mail that we initially thought was causing clamd to
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Ted Fines wrote:
--On Thursday, February 17, 2005 3:38 PM + Nigel Horne
[EMAIL PROTECTED] wrote:
On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
On Thu, 17 Feb 2005 11:50:11 + (GMT)
Andy Fiddaman [EMAIL PROTECTED] wrote:
Kind of..
On Wed, 16 Feb 2005, Boguslaw Brandys wrote:
; -BEGIN PGP SIGNED MESSAGE-
; Hash: SHA1
;
; Nigel Horne wrote:
; On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
;
;
; FOUR MINUTES, 13 SECONDS for an 800k email.
...
; 0.80 didn't scan it properly and would have let a virus
On Thursday 17 February 2005 11:29, Andy Fiddaman shaped the electrons to say:
On Wed, 16 Feb 2005, Boguslaw Brandys wrote:
; -BEGIN PGP SIGNED MESSAGE-
; Hash: SHA1
;
; Nigel Horne wrote:
; On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
;
;
; FOUR MINUTES, 13
On Wed, 16 Feb 2005, Tomasz Kojm wrote:
; On Wed, 16 Feb 2005 17:51:28 +0200
; Scott Ryan [EMAIL PROTECTED] wrote:
;
; I will just have to allow these types of mails to go unscanned. Four
; minutes to scan 1 will cause a DOS.
;
; So increase the number of MaxThreads...
;
; Would it be
On Thu, 17 Feb 2005 11:50:11 + (GMT)
Andy Fiddaman [EMAIL PROTECTED] wrote:
Kind of.. there's a limit for how many times the mail scanner is
invoked, (such as for a message with zip containing message containing
zip containing message...), but not for mime recursion.. i.e.
parseEmailBody
On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
On Thu, 17 Feb 2005 11:50:11 + (GMT)
Andy Fiddaman [EMAIL PROTECTED] wrote:
Kind of.. there's a limit for how many times the mail scanner is
invoked, (such as for a message with zip containing message containing
zip containing
On Thu, 17 Feb 2005, Nigel Horne wrote:
; On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
; On Thu, 17 Feb 2005 11:50:11 + (GMT)
; Andy Fiddaman [EMAIL PROTECTED] wrote:
;
; Kind of.. there's a limit for how many times the mail scanner is
; invoked, (such as for a message with zip
--On Thursday, February 17, 2005 3:38 PM + Nigel Horne
[EMAIL PROTECTED] wrote:
On Thursday 17 Feb 2005 15:07, Tomasz Kojm wrote:
On Thu, 17 Feb 2005 11:50:11 + (GMT)
Andy Fiddaman [EMAIL PROTECTED] wrote:
Kind of.. there's a limit for how many times the mail scanner is
invoked, (such
On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
The problem with the old limit was that it was hard coded and so was the
behaviour when it was exceeded (IIRC it used to just not scan the
additional nested parts). I can't understand why adding this option with
configurable behaviour would
On Thu, 17 Feb 2005 16:12:08 + in
[EMAIL PROTECTED] Nigel Horne [EMAIL PROTECTED]
wrote:
On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
The problem with the old limit was that it was hard coded and so was
the behaviour when it was exceeded (IIRC it used to just not scan
the
; [EMAIL PROTECTED] Nigel Horne [EMAIL PROTECTED]
; wrote:
;
; On Thursday 17 Feb 2005 16:07, Andy Fiddaman wrote:
;
; The problem with the old limit was that it was hard coded and so was
; the behaviour when it was exceeded (IIRC it used to just not scan
; the additional nested parts). I
Hi list, I have posted before about an issue with clamd hanging and yesterday
we finally managed to find out what the underlying problem was. We came
across an 800k mail that we initially thought was causing clamd to hang. The
truth in fact was that once we turned on debugging, we noticed that
--On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan
[EMAIL PROTECTED] wrote:
On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to
say:
Would you please send me this attachment off-list.
Please zip it and password protect it (password='password') so it comes
through.
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
FOUR MINUTES, 13 SECONDS for an 800k email.
Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded
within each other. By definition the largest message is about 800K and the
smallest
is about 1K give or take, giving an
* Ted Fines [EMAIL PROTECTED] [20050216 17:20]: wrote:
--On Wednesday, February 16, 2005 2:52 PM +0200 Scott Ryan
[EMAIL PROTECTED] wrote:
On Wednesday 16 February 2005 14:50, Ted Fines shaped the electrons to
say:
Would you please send me this attachment off-list.
Please zip it and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Nigel Horne wrote:
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
FOUR MINUTES, 13 SECONDS for an 800k email.
Look at the file again. It is NOT an 800k mail. It is over 200 emails embedded
within each other. By definition the largest
On Wednesday 16 Feb 2005 14:58, Boguslaw Brandys wrote:
Oversized.Mail? Do we need such a new detection, or is there a better solution?
I need to finish the work on the new scanner that is already underway (see
mbox.c) which removes the parser.
Boguslaw Brandys
--
Nigel Horne. Arranger, Composer,
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
FOUR MINUTES, 13 SECONDS for an 800k email.
Look at the file again. It is NOT an 800k mail. It is over 200 emails
embedded within each other. By definition the
On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to say:
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
FOUR MINUTES, 13 SECONDS for an 800k email.
Look at the file again. It is NOT an 800k mail. It is over 200
On Wednesday 16 February 2005 17:34, Nigel Horne shaped the electrons to say:
On Wednesday 16 Feb 2005 15:15, Scott Ryan wrote:
On Wednesday 16 February 2005 16:26, Nigel Horne shaped the electrons to
say:
On Wednesday 16 Feb 2005 14:18, Ted Fines wrote:
FOUR MINUTES, 13 SECONDS for an
On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
Would it be possible to request that some kind of recursion limit be added
here like there currently is on zip files?
That would be a bad idea since it would be v. easy for a virus writer to get
around.
--
Nigel Horne. Arranger, Composer,
On Wed, 2005-02-16 at 16:00 +, Nigel Horne wrote:
On Wednesday 16 Feb 2005 15:51, Scott Ryan wrote:
Would it be possible to request that some kind of recursion limit be added
here like there currently is on zip files?
That would be a bad idea since it would be v. easy for a virus
On Wed, 16 Feb 2005 18:23:51 +0200 in
[EMAIL PROTECTED] Peter Hubbard
[EMAIL PROTECTED] wrote:
That would be a bad idea since it would be v. easy for a virus writer
to get around.
Okay. How about an option to dump an email - or flag it as a
*possible* virus - if a specified recursion
On Wed, 16 Feb 2005 17:51:28 +0200
Scott Ryan [EMAIL PROTECTED] wrote:
I will just have to allow these types of mails to go unscanned. Four
minutes to scan 1 will cause a DOS.
So increase the number of MaxThreads...
Would it be possible to request that some kind of recursion limit be
added
On Wednesday 16 February 2005 18:43, Tomasz Kojm shaped the electrons to say:
On Wed, 16 Feb 2005 17:51:28 +0200
Scott Ryan [EMAIL PROTECTED] wrote:
I will just have to allow these types of mails to go unscanned. Four
minutes to scan 1 will cause a DOS.
So increase the number of
On Wed, 16 Feb 2005 19:05:22 +0200
Scott Ryan [EMAIL PROTECTED] wrote:
What is that limit?
libclamav/scanners.c:
#define MAX_MAIL_RECURSION 15
--
oo. Tomasz Kojm [EMAIL PROTECTED]
(\/)\. http://www.ClamAV.net/gpg/tkojm.gpg
\..._
On Monday 15 Mar 2004 5:43 pm, Stuart Mycock wrote:
When I rip out the attachment manually it detects the virus fine.
Shall I submit the sample anyway? I don't want to waste anyone's time if
this is something that's already being dealt with?
Send me the e-mail and I'll look into it.
-Nigel
Hi all,
RAV caught a bounced message sample containing Worm.SomeFool.Gen-2
(Netsky.B) but neither clamd nor 'clamdscan --mbox' could find the infection,
I presume this is an issue with the MIME handling?
When I rip out the attachment manually it detects the virus fine.
Shall I submit the sample
uudecoding is handled by libclamav/message.c
-Nigel
--
Nigel Horne. Arranger, Composer, Typesetter.
NJH Music, Barnsley, UK. ICQ#20252325
[EMAIL PROTECTED] http://www.bandsman.co.uk
-
To unsubscribe, e-mail: [EMAIL
My experience is that it does to some extent. I know, though, that it
doesn't support uuencoded messages, for example (unless I'm doing
something wrong).
The only way I can get it to work well for mime and uuencoded messages is
to run a program (like ripmime) on the message and then run
The only way I can get it to work well for mime and uuencoded messages is
to run a program (like ripmime) on the message and then run clamscan on
the mime parts.
How well does ripmime handle strange/non-standard mime messages like
those generated by viruses?
--
Damjan Georgievski
On 23 May 2003, [EMAIL PROTECTED] spake:
My experience is that it does to some extent. I know, though, that it
doesn't support uuencoded messages, for example (unless I'm doing
something wrong).
The only way I can get it to work well for mime and uuencoded messages
is to run a program
On Fri, 23 May 2003, Sean Rima wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Does clamav (0.54) read understand mime. I am just curious
Sean
- --
Q: Because it reverses the logical flow of conversation.
A: Why is top posting frowned upon?
Does whatever glues your installation
I don't really have a test suite, I'm assuming ripmime works well.
Anybody have a suite of these kinds of messages to run through?
Ricardo
On Fri, 23 May 2003 21:43:04 +0200 Damjan wrote:
The only way I can get it to work well for mime and uuencoded
messages is
to run a program (like