[Mimedefang] clamav oddity

Bill Randle billr at neocat.org
Fri Apr 30 15:50:10 EDT 2004


Ashley M. Kirchner wrote:

> Bill Randle wrote:
>
>> Have you updated clamav recently? Is it possible you have more than
>> one copy of the virus definition tables installed? While clamd will
>> get the path to the db files from the /etc/clamav.conf file, clamscan
>> does not read the config file and uses its internal defaults unless
>> you override it via command line args. Try running clamscan (with
>> --mbox) and with the arg that explicitly tells it where to find the
>> db files (get the path from /etc/clamav.conf or /etc/freshclam.conf
>> [which should be the same]).
>
>
>    I did update it, however there's only one location those db files
> are located in.  clamscan is using the right location (with or without
> specifying it on the command line) and it still only sees two.  I
> think David's right, in that it only scans complete messages which
> include their headers, and it ignores those that don't have all their
> headers.  Kinda weird.
>
It may also depend upon the specific virus. Viruses that are embedded in
password-protected zip files are detected by signatures based on certain
common header information, as well as patterns in the message body /
attachment. Since the zip file is password protected, clamav can't look
inside the zip file itself, thus has to rely on other clues to let you
know it's infected.

    -Bill
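
Added example, not part of the original message or of ClamAV: a shell check for the two conditions raised in the thread, that clamav.conf and freshclam.conf name the same DatabaseDirectory and that only one copy of the definition files exists. The function names and the sample tree built by make_sample are constructed for illustration; main/daily .cvd/.cld are assumed to be the definition file names in use.

```sh
#!/bin/sh
# Added example (not from the thread): check that clamd and freshclam agree
# on the signature directory, and look for extra copies of the definitions.

# Print the first DatabaseDirectory value in a ClamAV-style config file.
# Commented-out lines are skipped because their first field starts with '#'.
db_dir_from_conf() {
    awk '$1 == "DatabaseDirectory" { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# Print the shared directory and return 0 when both files agree;
# return 1 on a mismatch, 2 when either file lacks the setting.
check_db_dirs() {
    clamd_dir=$(db_dir_from_conf "$1") || return 2
    fresh_dir=$(db_dir_from_conf "$2") || return 2
    if [ "$clamd_dir" != "$fresh_dir" ]; then
        printf 'mismatch: clamd=%s freshclam=%s\n' "$clamd_dir" "$fresh_dir" >&2
        return 1
    fi
    printf '%s\n' "$clamd_dir"
}

# List each directory under the given roots holding main/daily definitions.
# More than one line of output means a second, possibly stale, copy exists.
list_db_copies() {
    find "$@" -type f \( -name 'main.c[vl]d' -o -name 'daily.c[vl]d' \) \
        -exec dirname {} \; 2>/dev/null | sort -u
}

# Constructed sample: two configs that disagree, plus two definition copies.
make_sample() {
    root=$1
    mkdir -p "$root/etc" "$root/var/lib/clamav" "$root/usr/local/share/clamav"
    printf '# DatabaseDirectory /old\nDatabaseDirectory %s\n' \
        "$root/var/lib/clamav" > "$root/etc/clamav.conf"
    printf 'DatabaseDirectory %s\n' \
        "$root/usr/local/share/clamav" > "$root/etc/freshclam.conf"
    : > "$root/var/lib/clamav/daily.cvd"
    : > "$root/usr/local/share/clamav/daily.cvd"
}

# Once one directory is confirmed, pass it explicitly, e.g.:
#   clamscan --mbox --database="$dir" /path/to/mailbox
```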



