[clamav-users] Any way to force scan as mail?
Carlos Velasco
carlos.velasco at nimastelecom.com
Wed Mar 1 19:13:51 UTC 2017
> On 28/02/2017 at 19:15, Noel Jones wrote:
>> On 2/28/2017 11:35 AM, Carlos Velasco wrote:
>>
>> Anyway, the main question remains unanswered... is there any way to force the scan as mail (overriding the magic for the first recursion)?
>>
>
>
> Clam uses the daily.ftm file to decide what type of scanning to use.
> Generally, clam looks for a Received: line or a few other common
> mail headers in the first few bytes of the file. Apparently those
> common headers are too far into your file.
>
> You can create a local.ftm with your unusual headers in it to cause
> these files to be detected as an email. I don't see my notes for
> the .ftm file syntax at the moment, but I'm sure you can find
> something on google.
>
> Alternately, you can get the sanesecurity.ftm file from
> sanesecurity.com, which includes a wide variety of mail formats and
> will likely recognize your file. You don't need to use any of the
> sanesecurity add-on signatures for this, but I recommend them.
Thank you very much for your reply, Noel.
You are right, in the daily.ftm there are magics for Mail Files and, as far as I understand them, there are some that only match from 0 to offset 1024.
1:0,1024:0a(46|66)726f6d3a20{-1024}0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(46|66)726f6d3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
1:0,1024:0a(4d|6d)6573736167652d(49|69)643a20{-1024}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
I have created a local.ftm with this line and at last the file was recognized as mail:
1:0,8192:0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}0a(43|63)6f6e74656e742d(54|74)7970653a20:Mail file:CL_TYPE_ANY:CL_TYPE_MAIL
It's very frustrating because I know this file is a mail and I cannot tell ClamAV not to use magic and to treat this file as a mail (forced).
Sadly this email file is not unusual at all; this issue is caused by a simple email from hotmail received at an MX. :(
DKIM and a lot more headers are surprisingly usual nowadays.
Regards,
Carlos Velasco
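An added example (my own code, not ClamAV's) that parses the quoted .ftm "Mail file" line, compiles its hex body into a regex, and shows why the 1024-byte offset window in daily.ftm misses a message whose MIME-Version: header sits under a pile of long headers, while the 8192 window from the local.ftm line catches it. The field order and the "start,maxshift" reading of the offset field are assumptions drawn from the quoted lines, and the sample message is constructed.

```python
import re

# Constructed from the thread: the daily.ftm "Mail file" line Carlos quoted, and the
# local.ftm variant whose offset window is widened from 1024 to 8192 bytes.
HEXSIG = ("0a(4d|6d)(49|69)(4d|6d)(45|65)2d(56|76)657273696f6e3a20{-2048}"
          "0a(43|63)6f6e74656e742d(54|74)7970653a20")
DAILY_SIG = "1:0,1024:" + HEXSIG + ":Mail file:CL_TYPE_ANY:CL_TYPE_MAIL"
LOCAL_SIG = "1:0,8192:" + HEXSIG + ":Mail file:CL_TYPE_ANY:CL_TYPE_MAIL"

# Tokens of the hex body: {-N} gap, (xx|yy) byte alternation, xx literal byte.
TOKEN = re.compile(r"\{-(\d+)\}|\(([0-9a-f]{2}(?:\|[0-9a-f]{2})+)\)|([0-9a-f]{2})")

def parse_ftm(line):
    """Split one .ftm line into fields and compile its hex body to a bytes regex.
    Assumed field order: MagicType:Offset:HexSig:Name:RequiredType:DetectedType,
    with Offset "start,maxshift" meaning the match may begin anywhere in that window."""
    magictype, offset, hexsig, name, required, detected = line.split(":")
    start, maxshift = (int(x) for x in offset.split(","))
    pos, pattern = 0, b""
    for m in TOKEN.finditer(hexsig):
        if m.start() != pos:
            raise ValueError("unsupported token near %r" % hexsig[pos:pos + 8])
        pos = m.end()
        gap, alts, byte = m.groups()
        if gap:                      # {-N}: up to N arbitrary bytes between anchors
            pattern += b".{0,%d}" % int(gap)
        elif alts:                   # (xx|yy): either byte; here it folds header case
            pattern += b"(?:" + b"|".join(
                re.escape(bytes.fromhex(a)) for a in alts.split("|")) + b")"
        else:                        # plain hex pair: one literal byte
            pattern += re.escape(bytes.fromhex(byte))
    if pos != len(hexsig):
        raise ValueError("trailing junk in hex signature: %r" % hexsig[pos:])
    return {"name": name, "required": required, "detected": detected,
            "start": start, "maxshift": maxshift, "regex": re.compile(pattern, re.DOTALL)}

def matches(sig, data):
    """True if the signature can start inside its window [start, start + maxshift]."""
    m = sig["regex"].search(data, sig["start"])   # leftmost match at or after start
    return m is not None and m.start() <= sig["start"] + sig["maxshift"]

def sample_mail(min_header_bytes):
    """Constructed message: long DKIM-style headers push MIME-Version: down the file."""
    head = "Return-Path: <alice@example.invalid>\n"
    filler = "DKIM-Signature: v=1; a=rsa-sha256; d=example.invalid; b=" + "A" * 60 + "\n"
    while len(head) < min_header_bytes:
        head += filler
    return (head + "MIME-Version: 1.0\nContent-Type: text/plain; charset=utf-8\n"
            "From: alice@example.invalid\n\nhello\n").encode()
```

Running `matches(parse_ftm(DAILY_SIG), sample_mail(3000))` returns False while the LOCAL_SIG version returns True, which is the behaviour Carlos observed once he widened the window; the same message with only a couple of hundred bytes of headers matches both.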