From: Jeffrey B. Green on 16 Jul 2010 11:50

Hi,

Running clamscan over a PDC/BDC with roaming profiles will (obviously) generate sporadic alerts on mbox files associated with assorted mail clients, icedove/tbird in this case. In order to track down the specific message, I've used mbox2maildir (in the past) and mb2md presently to convert them into a "broken out" situation, i.e. a structure where each message is its own file. I now have a case where the clamscan on the Inbox gives a positive and clamscan on the mb2md (or mbox2maildir) directory of messages gives a negative. Is this case known? I believe it has occurred for me in the past (forgotten exactly how long ago) and so it seems to be a neglected bug. However, I'm not sure which package (or support package) is responsible here. Is clamscan giving a false positive/false negative or is mb2md changing the message in question so that clamscan misses it? It is a user's mailbox and therefore not properly public for debugging purposes.

The clamscan alert is ".../Inbox: Email.Phishing.Webmail-37 FOUND".

-jeff

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/4C406C80.9050605(a)kikisoso.org

From: Jeffrey B. Green on 18 Jul 2010 12:10

In a previous msg, I wrote:
>
> Running clamscan over a PDC/BDC with roaming profiles will (obviously) generate sporadic alerts on mbox files associated with assorted mail clients, icedove/tbird in this case. In order to track down the specific message, I've used mbox2maildir (in the past) and mb2md presently to convert them into a "broken out" situation, i.e. a structure where each message is its own file. I now have a case where the clamscan on the Inbox gives a positive and clamscan on the mb2md (or mbox2maildir) directory of messages gives a negative. Is this case known? I believe it has occurred for me in the past (forgotten exactly how long ago) and so it seems to be a neglected bug. However, I'm not sure which package (or support package) is responsible here. Is clamscan giving a false positive/false negative or is mb2md changing the message in question so that clamscan misses it? It is a user's mailbox and therefore not properly public for debugging purposes.
>
> The clamscan alert is ".../Inbox: Email.Phishing.Webmail-37 FOUND".
>

I found some time to track down the offending message in the Inbox and the only difference wrt causing a clamscan alert or not is the initial From line on the message. The Inbox had the line and the broken out mb2md files did not. If I put just that line back into the broken out message, then the alert returned when scanning the maildir messages. (This is on a lenny system with clamav 0.96.1+dfsg-1~volatile1, so if it is a known bug fixed in squeeze, then let me know. thx)

I'll go ahead, if no one objects, and file a bug on clamav since mbox2maildir preserves a modified form of the from line (prefixes the line with "MBOX-Line: ") but still doesn't trigger a clamscan alert.

-jeff

--
Archive: http://lists.debian.org/4C4321AF.6080206(a)kikisoso.org
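
An added example, not part of the original posts: one way to break an mbox into per-message files while keeping each message's initial "From " line byte-for-byte, so a per-file clamscan sees the same bytes it saw in the Inbox. The function name, the `msgNNNNN.mbox` file naming and the sample mailbox are assumptions made for illustration.

```python
import os

# Constructed sample mbox (two messages), for illustration only.
SAMPLE = (
    b"From alice@example.org Fri Jul 16 11:50:00 2010\n"
    b"Subject: one\n"
    b"\n"
    b">From here on, a quoted body line that must not split the message.\n"
    b"\n"
    b"From bob@example.org Sun Jul 18 12:10:00 2010\n"
    b"Subject: two\n"
    b"\n"
    b"second body\n"
)


def split_mbox_keep_from(mbox_path, out_dir):
    """Split an mbox into one file per message, separator line included.

    A message starts at a line beginning with "From " that is the first
    line of the file or follows a blank line (the classic mbox rule; body
    lines are expected to be quoted as ">From "). Bytes are copied
    unchanged, so concatenating the output files reproduces the input.
    """
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    current = None
    prev_blank = True  # start of file counts as "after a blank line"
    with open(mbox_path, "rb") as src:
        for line in src:
            if prev_blank and line.startswith(b"From "):
                if current:
                    current.close()
                name = "msg%05d.mbox" % (len(paths) + 1)
                paths.append(os.path.join(out_dir, name))
                current = open(paths[-1], "wb")
            if current:  # bytes before the first separator are skipped
                current.write(line)
            prev_blank = line in (b"\n", b"\r\n")
    if current:
        current.close()
    return paths
```

Running `clamscan -r` over the output directory then reports the individual file that carries the match.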