[clamav-users] Curious clamd behavior
Dave McMurtrie
dave64 at andrew.cmu.edu
Thu Mar 24 11:05:32 UTC 2016
Hi,
I created a local pdb database so I can catch phishing attempts when
URLs in an email display our domain name but actually link to a
malicious URL. In testing, I found something that I don't understand.
When I run clamdscan on a test message it correctly detects a spoofed
domain in the message. When my MTA connects to the clamd socket and
asks it to scan the same exact message, it does not detect it.
I ran into a very similar problem before with a gdb database and never
did figure it out. The big difference that I notice in looking at
libclamav debug output is that when I ran clamdscan it detects it to be
an email message and it calls cli_scanmail():
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type Mail file
LibClamAV debug: cache_check: 2abdd56b32d91583175dfd071e7019d1 is negative
LibClamAV debug: Starting cli_scanmail(), recursion = 1
However, when my MTA connects to clamd it does not:
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: cache_check: 94e3a1ba1c23e73cb98e9a8e8a801479 is positive
LibClamAV debug: cli_magic_scandesc: returning 0 at line 2791 (no post, no cache)
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: Recognized ASCII text
LibClamAV debug: Matched signature for file type HTML data.UNOFFICIAL
LibClamAV debug: cache_check: f82c03beb094dd4a77cd3074ce327601 is positive
Oh, this is version: ClamAV 0.99.1/21471/Wed Mar 23 19:48:37 2016
Any thoughts?
Thanks!
Dave
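Added example, not code from the post or from the ClamAV project: the cache_check hashes in the two traces differ (one MD5 for the clamdscan run, two different ones for the MTA run), which indicates that the bytes clamd received over the socket were not the same bytes clamdscan read from the file, and a "positive" cache entry means clamd had already classified that content as clean and skipped a full scan. The snippet below frames a message the way an MTA does for clamd's INSTREAM command, reports the MD5 of exactly what is sent so it can be matched against the cache_check line, and parses clamd's reply; the sample message and the socket path are constructed assumptions.

```python
import hashlib
import socket
import struct
from typing import Optional, Tuple

# Constructed sample (not from the post): link text shows one domain,
# the href points elsewhere, which is what a phishing pdb entry targets.
SAMPLE_MESSAGE = (
    b"From: it-support@example.com\r\n"
    b"To: user@example.com\r\n"
    b"Subject: password reset\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<a href="http://attacker.invalid/login">https://example.com/login</a>\r\n'
)


def instream_frames(data: bytes, chunk_size: int = 4096) -> bytes:
    """Frame `data` for clamd's INSTREAM command: the NUL-delimited command,
    then chunks each prefixed by a 4-byte big-endian length, then a
    zero-length chunk that terminates the stream."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def scanned_md5(data: bytes) -> str:
    """MD5 of the exact bytes handed to clamd. If this does not equal the
    value in 'cache_check: <md5> is ...', the MTA is not sending the same
    content that clamdscan scanned from disk (e.g. headers stripped)."""
    return hashlib.md5(data).hexdigest()


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse 'stream: OK' or 'stream: <Signature> FOUND' (NUL-terminated
    because the command used the 'z' prefix) into (status, signature)."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    _, _, verdict = text.partition(": ")
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[: -len(" FOUND")]
    return verdict, None


def scan_via_socket(data: bytes, path: str = "/var/run/clamav/clamd.ctl"):
    """Send `data` to a local clamd over its UNIX socket (path is an
    assumption; use the LocalSocket value from clamd.conf)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(instream_frames(data))
        return parse_reply(s.recv(4096))
```

Run scan_via_socket(SAMPLE_MESSAGE) next to clamdscan on a file holding the same bytes, and compare scanned_md5(SAMPLE_MESSAGE) with the cache_check value in the clamd debug log for each path.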