[clamav-users] Strange problem with custom Yara rule

Charles Swiger cswiger at mac.com
Wed Apr 13 16:48:32 UTC 2016


Hi, kionez--

On Apr 13, 2016, at 8:11 AM, kionez <kionez at gmail.com> wrote:
> I'm using it on my antispam server with Debian Jessie (with clamav
> 0.99+dfsg-0+deb8u2 and libpcre3 8.35-3.3+deb8u4 ) and also testing on my
> laptop with Arch linux (clamav 0.99.1-2 and pcre 8.38-3). I try to
> recompile clamav on my laptop and it finds pcre in /usr, as expected.
> 
> I think that pcre works fine, because I can match patterns on email's
> content, but not in email headers (i.e.: X-Mailer:, From: etc)

This doesn't mention how your email gets processed from your MTA into clamav.

Normally, things like amavisd extract the body of the message and any MIME
attachments, and scan those components only.  They don't scan the entire message
or the mail headers.

See bypass_decode_parts and keep_decoded_original_maps for amavisd-new, or
look for the equivalent in whatever you are using to pass mail into the
virus scanning.

Regards,
-- 
-Chuck
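The mismatch Chuck describes (a Yara rule that fires on body text but never on From: or X-Mailer:) can be reproduced without a mail server. The script below is an added example and is not code from the thread, from amavisd-new, or from ClamAV: it parses a constructed message with Python's standard `email` module, hands a scanner only the decoded MIME parts (the way a content filter normally does) and, separately, the whole raw message, then runs a header-targeting pattern and a body-targeting pattern over each. The patterns are plain regexes standing in for Yara strings; the message contents and marker strings are made up for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample message (not from the original thread). It carries a
# header-only indicator (X-Mailer), a marker in the text body, and a
# base64-encoded attachment whose decoded content is "ATTACHMENT_MARKER".
RAW_MESSAGE = b"""\
From: sender@example.test
To: victim@example.test
Subject: invoice
X-Mailer: SuspiciousMailer 1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Please open the attached invoice. BODY_MARKER
--b1
Content-Type: application/octet-stream; name="invoice.bin"
Content-Transfer-Encoding: base64

QVRUQUNITUVOVF9NQVJLRVI=
--b1--
"""

# Stand-ins for Yara string patterns: one aimed at a header line, one at
# body text, one at the decoded content of an attachment.
HEADER_RULE = re.compile(rb"^X-Mailer: SuspiciousMailer", re.M)
BODY_RULE = re.compile(rb"BODY_MARKER")
ATTACHMENT_RULE = re.compile(rb"ATTACHMENT_MARKER")


def extract_decoded_parts(raw):
    """Mimic a content filter that gives the scanner only decoded MIME parts.

    Headers of the top-level message are never part of what is returned;
    each leaf part is returned with its transfer encoding already undone.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        parts.append(part.get_payload(decode=True))
    return parts


def scan(blobs, rule):
    """True if the pattern matches any of the scanned blobs."""
    return any(rule.search(b) for b in blobs)


def compare(raw):
    """Run each pattern over decoded parts only and over the full raw message."""
    parts = extract_decoded_parts(raw)
    return {
        "header_rule_on_parts": scan(parts, HEADER_RULE),
        "header_rule_on_full_message": scan([raw], HEADER_RULE),
        "body_rule_on_parts": scan(parts, BODY_RULE),
        "body_rule_on_full_message": scan([raw], BODY_RULE),
        # Decoded parts expose the attachment content; the raw message only
        # contains its base64 form, so a rule on the decoded bytes misses there.
        "attachment_rule_on_parts": scan(parts, ATTACHMENT_RULE),
        "attachment_rule_on_full_message": scan([raw], ATTACHMENT_RULE),
    }


if __name__ == "__main__":
    for name, hit in compare(RAW_MESSAGE).items():
        print(f"{name}: {hit}")
```

The header rule is only satisfied when the full message is scanned, while the body rule matches either way, which is exactly the symptom in the original report. The attachment case shows the flip side: decoding is what lets the scanner see attachment content at all, so scanning only the undecoded message would lose that. If the mail path is amavisd-new, the knobs named above are the ones to look at: `@keep_decoded_original_maps` controls when the original message (the `MAIL` pseudo-part) is retained for scanning alongside the decoded parts, and `$bypass_decode_parts` skips decoding altogether; check the amavisd-new documentation for the exact semantics of your version before changing either.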
