[Mimedefang] uvscan catching MyDoom that clamav missing

Jason Englander jason at englanders.cc
Mon Feb 2 11:29:53 EST 2004


On Sat, 31 Jan 2004, Jon R. Kibler wrote:

> We are having a problem where clamav is missing MyDoom viruses that
> uvscan catches. It seems that clamav is missing about 1/3 to 1/2 of the
> MyDooms we are seeing. (The only MyDooms we are getting are bounces to
> bogus email addresses.)

The problem is probably that the bounces include the infected file(s)
as base64 encoded.  MD and clamav don't base64 decode it, but uvscan does.
So, either be happy that something in your arsenal does catch it, or add
base64 decoding to your MD filter, which will probably be a big hairy
mess.  (maybe quarantine messages with base64 in them for later review?)

clamav should be able to detect these in the future.  There has been talk
with the author of ripmime to link clamav with his library.  This may be
available to some degree in post-0.65 snapshots but I haven't tried any
yet.

  Jason

-- 
Jason Englander <jason at englanders.cc>
394F 7E02 C105 7268 777A  3F5A 0AC0 C618 0675 80CA
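
The review step suggested in the message above (hold mail whose text body carries undecoded base64), sketched as an added example that is not part of the original post and is not MIMEDefang or ClamAV code. The function names, the four-line run threshold and the short magic-byte list are assumptions made for illustration; the sample bounce is constructed and carries only zero bytes behind an `MZ` header.

```python
import base64
import re
from email import message_from_string

# Full-width base64 lines only; a padded final line simply ends the run.
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{40,76}$")
MIN_LINES = 4  # assumed threshold; shorter runs are ignored
# Leading bytes of decoded content (assumed, deliberately short list).
MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "zip archive"}


def base64_runs(text):
    """Yield each block of consecutive base64-looking lines, joined."""
    run = []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last run
        if B64_LINE.match(line.strip()):
            run.append(line.strip())
            continue
        if len(run) >= MIN_LINES:
            yield "".join(run)
        run = []


def embedded_payloads(raw_message):
    """Label every undecoded base64 run found in the text parts of a message."""
    labels = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # real attachments are already decoded by the MIME layer
        body = part.get_payload(decode=True).decode("latin-1")
        for run in base64_runs(body):
            head = base64.b64decode(run[:64])  # 64 chars -> first 48 bytes
            labels.append(next((name for magic, name in MAGIC.items()
                                if head.startswith(magic)), "unidentified data"))
    return labels


def constructed_bounce(payload=b"MZ" + bytes(300)):
    """Constructed sample: a bounce quoting the original attachment as text."""
    blob = base64.encodebytes(payload).decode("ascii")
    return ("From: MAILER-DAEMON@example.org\n"
            "Subject: Undeliverable mail\n"
            "Content-Type: text/plain\n\n"
            "Delivery failed. Original message follows:\n\n"
            "Content-Type: application/octet-stream\n"
            "Content-Transfer-Encoding: base64\n\n" + blob)
```

Any non-empty result is a reason to hold the message for review; bounces that quote the original with a `> ` prefix would need that prefix stripped before matching.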


