Dumaru again

Desai, Jason jase at SENSIS.COM
Fri Mar 26 14:53:47 GMT 2004


> my question would still be: What could I possibly be doing wrong, when clamav
> and the clamav-wrapper are able to detect Dumaru.Y (when working on myphoto.zip
> directly) but not when it's passed through Mailscanner - whatever Mailscanner
> parses the myphoto.zip attachment to - the clamav-wrapper will not detect it as
> a virus (at least in my setup / I use --disable-archive because libclamav has a
> few false positives otherwise). The Virus itself however is of course spotted by
> my other scanner (AntiVir), so yes, the virus is detected. But not by clamav
> invoked by Mailscanner. This is not a "not detected" issue but an issue with
> clamav and Mailscanner.
> clamav detects Dumaru, so does Mailscanner - but Mailscanner is configured to
> run with clamav and antivir and only antivir hits. If I attach just the
> myphoto.zip to a mail clamav AND antivir hit. If the Virus comes in from the
> wild ONLY antivir hits ... strange problem, I know. It's probably a matter of
> how the Virus is attached in the real viral message ...
> anyone any ideas on this? What could I possibly be doing wrong?

Is it possible that the virus coming "in from the wild" is actually
something like a delivery failure notice?  Many times mailers will include
the body of the failed message in the failure notice, but not in a way that
mail clients would be able to decode properly if there were an attachment.
Maybe the virus is not a valid MIME attachment?

Jason
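
The case suggested in the reply above, as an added example that is not part of the original post and not MailScanner's code: a failure notice that pastes the original message into a text/plain body exposes no MIME attachment to extract, and a fallback check can still find the base64 run inside the text. The messages, addresses, payload bytes and function names are constructed for illustration, and it assumes a scanner that hands only declared MIME parts to the virus engine.

```python
import base64
import re
from email import message_from_string

# Constructed, harmless stand-in bytes for the myphoto.zip attachment.
PAYLOAD = b"PK\x03\x04 constructed stand-in for myphoto.zip" * 3

# Constructed sample 1: the message with a proper MIME attachment.
DIRECT = (
    "From: a@example.com\nTo: b@example.com\nSubject: photo\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="inner"\n\n'
    "--inner\nContent-Type: text/plain\n\nhi\n"
    "--inner\nContent-Type: application/zip\n"
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="myphoto.zip"\n\n'
    + base64.encodebytes(PAYLOAD).decode()
    + "--inner--\n"
)

# Constructed sample 2: a failure notice that pastes sample 1 into its text body.
BOUNCE = (
    "From: MAILER-DAEMON@example.net\nTo: a@example.com\n"
    "Subject: Undeliverable\nContent-Type: text/plain\n\n"
    "Delivery failed. Original message follows:\n\n" + DIRECT
)

# Two or more full-width base64 lines, then an optional shorter last line.
B64_RUN = re.compile(r"(?:^[A-Za-z0-9+/]{60,76}\n){2,}[A-Za-z0-9+/]*={0,2}$", re.M)

def declared_attachments(raw):
    """Filenames a MIME-walking scanner would extract for the AV engine."""
    return [p.get_filename() for p in message_from_string(raw).walk()
            if p.get_filename()]

def embedded_blobs(raw):
    """Decode base64 runs inside text parts, where no MIME part declares them."""
    found = []
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() == "text":
            for m in B64_RUN.finditer(part.get_payload()):
                found.append(base64.b64decode(m.group(0)))
    return found

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("bounce", BOUNCE)):
        print(name, declared_attachments(raw), len(embedded_blobs(raw)))
```

Blobs recovered this way can be written to the scan directory alongside the declared attachments so the same engines see them.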



More information about the MailScanner mailing list