ZIP file attachment not recognized and therefore no file check performed

Steve Basford steveb_clamav at
Wed Oct 16 20:28:35 IST 2013

> On Friday we started receiving emails that contained some kind of 0-day
> malware.  The Barracudas were blocking some of these emails, but based on
> score and not on the emails containing a virus.  Later in the day
> Barracuda started recognizing the virus so the problem was mitigated at
> the mail gateway, but some did slip by the first line of defense and
> were passed to MailScanner.

Not sure this is what you want to do but you could add-in ClamAV and then
add-on Sanesecurity signatures:

rogue.hdb is updated at least hourly with md5 of current emailed malware,
phish.hdb will block known and some simple guess-worked content of bad
stuff in zip/rar files.

If you want to go one stage further... add-in foxhole_generic.cdb to block
double extensions in zip/rar/7zip or foxhole_all.cdb which will block
anything bad in zip/rar/7zip... more info here:

More sig databases here:

Download Scripts here:

If you have a full/header of the missed/mangled malware and you can give me
a download link for it (pastebin etc.) I'll take a look... see if any sigs
could be tweaked to detect it in the future...

Here's an example stat of stuff being detected:

Sorry for the length of post... or if it's a little off-topic...
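
Added example, not part of the original post and not the contents of any Sanesecurity database: a small Python check for the double-extension file names inside a ZIP that the post says foxhole_generic.cdb blocks. The extension lists and function names are assumptions chosen for illustration, and the sample archives are constructed in memory.

```python
import io
import re
import zipfile

# Assumed extension lists for illustration only.
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt")
EXEC_EXTS = ("exe", "scr", "pif", "com", "bat", "cmd", "js", "vbs")

# Matches names such as "invoice.pdf.exe" or "scan.jpg   .scr".
DOUBLE_EXT = re.compile(
    r"\.(?:%s)\s*\.(?:%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def double_extension_members(zip_bytes):
    """Return ZIP member names ending in <decoy>.<executable> extensions.

    Returns None when the data cannot be parsed as a ZIP, so the caller can
    tell "not checked" apart from "checked and clean".
    """
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                # Only the final path component carries the extensions.
                base = info.filename.rstrip().rsplit("/", 1)[-1]
                if DOUBLE_EXT.search(base):
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        return None
    return hits


def build_sample_zip(names):
    """Build a constructed in-memory ZIP with harmless placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"constructed sample content")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip(
        ["invoice.pdf.exe", "report.pdf", "docs/photo.JPG.scr", "archive.tar.gz"]
    )
    print(double_extension_members(sample))
    print(double_extension_members(b"this is not a zip archive"))
```

A return value of None means the attachment was never inspected, which is the situation in this thread's subject line; a gateway should handle it separately from an empty list.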



