[clamav-users] Any way to force scan as mail?

Carlos Velasco carlos.velasco at nimastelecom.com
Tue Feb 28 17:35:28 UTC 2017


>> Some days ago I stepped into a problem where ClamAV was not
>> detecting a virus attached in an email.  I narrowed the problem to
>> Clam not detecting the file passed as a mail. I think this is
>> because mail file has too many headers.
> 
> Your conjecture is incorrect.  Neither of those things is a properly
> formed mail message.  I'd describe them as jumbled up collections of
> bits and pieces of things which might possibly once have been parts of
> mail messages.

Sorry, but you are wrong; they are indeed real mails and properly formatted, directly received from Hotmail.
I have just changed (hidden) the domains, addresses and IP addresses at the moment of publishing them.

It is the magic of ClamAV (0.99.2) that does not detect mail for the first case, but it detects mail for the second case (with just 1 long header line deleted).
Tested ClamAV devel version makes partial detection of mail (through MHTML).

Magic of "file" works for both, detecting both as mail text:

# file LCipWJaQ.txt 
LCipWJaQ.txt: ASCII mail text, with very long lines, with CRLF line terminators

# file ZvmST7Xh.txt 
ZvmST7Xh.txt: ASCII mail text, with very long lines, with CRLF line terminators

Anyway, the main question remains unanswered... is there any way to force the scan as mail (overriding the magic for the first recursion)?

Regards,
Carlos Velasco


