Fix for MyDoom-O problems

Jim Holland mailscanner at MANGO.ZW
Tue Jul 27 21:49:50 IST 2004


Hi Mariano

On Tue, 27 Jul 2004, Mariano Absatz wrote:

> > We are using MailScanner+ClamAV, and what puzzled me was that while
> > MailScanner 4.31.6 was letting these viruses through, a manual scan of the
> > infected raw messages using ClamAV was always able to identify them as
> > Worm.Mydoom.M (at least wef the update we received at 1600 GMT yesterday).
> > MailScanner was blocking copies of Worm.Mydoom.M that were not using
> > double zip files however.  Since installing the new Message.pm file no
> > more copies have got through.
> Well... this is (probably) because ClamAV includes signatures and a
> special mode (I don't know exactly, I never use it from outside
> MailScanner) that allows you to find a virus within a mail message or
> a mailbox (in standard unix mailbox format).

Yes - you can run "clamscan -m" to scan a raw mail file, and "clamscan" to
scan a normal file.  It detected the virus in all of: raw mail file,
original zip file (with second zip file inside it), the second zip file,
and of course in the final executable.

> The problem is that MailScanner never shows ClamAV the 'complete'
> message, but only its constituent parts... I've been wondering for a
> while if it wouldn't be a good thing to put the complete message in a
> file and also give it to ClamAV for parsing... so we get the best of
> both worlds...

In this case it would definitely have been of benefit.  However the
overhead would be very high indeed, so I think that if Julian could
identify the cause of the above problem that would be more efficient.

Regards

Jim Holland
System Administrator
MANGO - Zimbabwe's non-profit e-mail service

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html
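The four objects named in the message above (raw mail file, outer zip, inner zip, final file) can be enumerated from a raw message so that each layer can be handed to a scanner separately. This is an added example, not part of the original post and not MailScanner or ClamAV code; the function names, the depth and size caps, and the constructed sample message (with a harmless text file standing in for the executable) are assumptions.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

MAX_DEPTH = 5                        # assumption: cap nesting to bound work on hostile input
MAX_MEMBER_BYTES = 10 * 1024 * 1024  # assumption: skip members declared larger than this

def unpack_layers(name, data, depth=0):
    """Yield (depth, name, bytes) for data and, if it is a zip, for every nested member."""
    yield depth, name, data
    if depth >= MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            yield from unpack_layers(info.filename, zf.read(info), depth + 1)

def message_layers(raw):
    """List every object a scanner could be shown for one raw message."""
    layers = [(0, "<raw message>", raw)]
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename()
        if fname:  # attachment: decode the transfer encoding, then unpack recursively
            payload = part.get_payload(decode=True) or b""
            layers.extend(unpack_layers(fname, payload, depth=1))
    return layers

def build_sample():
    """Constructed sample: a zip inside a zip holding a harmless text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("document.txt", b"harmless placeholder payload")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content("see attachment")
    msg.add_attachment(outer.getvalue(), maintype="application",
                       subtype="zip", filename="outer.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for depth, name, data in message_layers(build_sample()):
        print(f"{'  ' * depth}{name} ({len(data)} bytes)")
```

A wrapper that stops unpacking at the first zip would hand a scanner only the first two layers of this sample, which is the gap the thread describes.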


