Dumaru again

Julian Field mailscanner at ecs.soton.ac.uk
Fri Mar 26 15:35:08 GMT 2004


At 14:53 26/03/2004, you wrote:
> > my question would still be: What could I possibly be doing wrong, when clamav
> > and the clamav-wrapper are able to detect Dumaru.Y (when working on myphoto.zip
> > directly) but not when it's passed through Mailscanner - whatever Mailscanner
> > parses the myphoto.zip attachment to - the clamav-wrapper will not detect it as
> > a virus (at least in my setup / I use --disable-archive because libclamav has a
> > few false positives otherwise). The Virus itself however is of course spotted by
> > my other scanner (AntiVir), so yes, the virus is detected. But not by clamav
> > invoked by Mailscanner. This is not a "not detected" issue but an issue with
> > clamav and Mailscanner.
> > clamav detects Dumaru, so does Mailscanner - but Mailscanner is configured to
> > run with clamav and antivir and only antivir hits. If I attach just the
> > myphoto.zip to a mail clamav AND antivir hit. If the Virus comes in from the
> > wild ONLY antivir hits ... strange problem, I know. It's probably a matter of
> > how the Virus is attached in the real viral message ...
> > anyone any ideas on this? What could I possibly be doing wrong?
>
>Is it possible that the virus coming "in from the wild" is actually
>something like a delivery failure notice?  Many times mailers will include
>the body of the failed message in the failure notice, but not in a way that
>mail clients would be able to decode properly if there were an attachment.
>Maybe the virus is not a valid mime attachment?

The latest releases are pretty good at finding attachments in the body of
failure notices.
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


