dealing with zips with corrupted headers

Chris Yuzik chris at
Wed Nov 5 02:04:23 GMT 2003

Hi everyone,

No sooner do we (well...Julian) come out with a workaround for the extra status
line that ClamAV was spitting out than another virus uses similar zip-header
trickery to sneak through our scanners.

Worm.Mimail.G arrives in a zip file called "" that strangely gets a
simple "OK" from clamscan, and the virus goes right through. After some
experimenting, I've figured out that the virus will happily unzip with the
console unzip tool, but complains with the following message:

# unzip
warning []:  3 extra bytes at beginning or within zipfile
  (attempting to process anyway)
file #1:  bad zipfile offset (local header sig):  3
  (attempting to re-compensate)
 extracting: readnow.doc.scr

After reading the man page for clamscan, I came across an option that disables
clamscan's internal archive tools. When I typed "clamscan --disable-archive" I
got the expected response of " Worm.Mimail.G

Is there a disadvantage to editing "/usr/lib/MailScanner/clamav-wrapper" and
removing the "--unzip" option and replacing it with "--disable-archive"? Am I
on the right track?

Chris Yuzik
chris at

"Reality is that which, when you stop believing in it, doesn't go
                -- Philip K. Dick
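Added example, not code from the post above nor from ClamAV or MailScanner: a small Python check that measures the same thing unzip warned about, the gap between where the zip's central directory says the data is and where it actually is. It assumes a plain (non-zip64) archive; the sample zip, the file name "readnow.doc.scr" from the post and the 3 junk bytes are constructed here to mimic the reported case.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end of central directory record
CDFH_SIG = b"PK\x01\x02"  # central directory file header
LFH_SIG = b"PK\x03\x04"   # local file header

def zip_header_slack(data: bytes) -> dict:
    """Compare the central directory's offsets with where things really are.
    'prepended_bytes' is what unzip calls 'extra bytes at beginning or within
    zipfile'; 'bad_offsets' lists entries whose recorded local-header offset
    does not point at a PK\\x03\\x04 signature.  Non-zip64 archives only."""
    eocd_pos = data.rfind(EOCD_SIG)
    if eocd_pos < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count (u16), directory size (u32), directory offset (u32)
    entries, cd_size, cd_offset = struct.unpack_from("<HII", data, eocd_pos + 10)
    actual_cd_pos = eocd_pos - cd_size     # where the directory really sits
    prepended = actual_cd_pos - cd_offset  # minus where it claims to sit
    bad_offsets, pos = [], actual_cd_pos
    for _ in range(entries):
        if data[pos:pos + 4] != CDFH_SIG:
            raise ValueError(f"central directory corrupt at offset {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (lfh_offset,) = struct.unpack_from("<I", data, pos + 42)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if data[lfh_offset:lfh_offset + 4] != LFH_SIG:
            bad_offsets.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return {"prepended_bytes": prepended, "bad_offsets": bad_offsets}

def is_suspicious(data: bytes) -> bool:
    """Fail closed: any header slack is a reason to quarantine, not to pass."""
    slack = zip_header_slack(data)
    return slack["prepended_bytes"] != 0 or bool(slack["bad_offsets"])

def build_samples() -> tuple:
    """Constructed data: a clean zip, and the same zip with 3 junk bytes
    prepended, mimicking the '3 extra bytes' unzip reported on the list."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readnow.doc.scr", b"harmless placeholder content")
    clean = buf.getvalue()
    return clean, b"\x00\x00\x00" + clean

if __name__ == "__main__":
    for sample in build_samples():
        print(zip_header_slack(sample), "suspicious" if is_suspicious(sample) else "ok")
```

The point of the check is the opposite of a lenient unzip: an archive whose offsets do not line up is treated as something to hold for inspection rather than reported clean because the unpacker could not read it.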

