07-16-2010, 02:28 PM
"Jeffrey B. Green"

clamscan vs. clamscan with mb2md

Hi,

Running clamscan over a PDC/BDC with roaming profiles will (obviously)
generate sporadic alerts on mbox files associated with assorted mail
clients, icedove/tbird in this case. In order to track down the specific
message, I've used mbox2maildir (in the past) and mb2md presently to
convert them into a "broken out" situation, i.e. a structure where each
message is its own file. I now have a case where the clamscan on the
Inbox gives a positive and clamscan on the mb2md (or mbox2maildir)
directory of messages gives a negative. Is this case known? I believe it
has occurred for me in the past (forgotten exactly how long ago) and so
it seems to be a neglected bug. However, I'm not sure which package (or
support package) is responsible here. Is clamscan giving a false
positive/false negative or is mb2md changing the message in question so
that clamscan misses it? It is a user's mailbox and therefore not
properly public for debugging purposes.


The clamscan alert is ".../Inbox: Email.Phishing.Webmail-37 FOUND".

-jeff


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: http://lists.debian.org/4C406C80.9050605@kikisoso.org
 
07-18-2010, 03:45 PM
"Jeffrey B. Green"

clamscan vs. clamscan with mb2md

In a previous msg, I wrote:


Running clamscan over a PDC/BDC with roaming profiles will (obviously) generate sporadic alerts on mbox files associated with assorted mail clients,
icedove/tbird in this case. In order to track down the specific message, I've used mbox2maildir (in the past) and mb2md presently to convert them into
a "broken out" situation, i.e. a structure where each message is its own file. I now have a case where the clamscan on the Inbox gives a positive and
clamscan on the mb2md (or mbox2maildir) directory of messages gives a negative. Is this case known? I believe it has occurred for me in the past
(forgotten exactly how long ago) and so it seems to be a neglected bug. However, I'm not sure which package (or support package) is responsible here.
Is clamscan giving a false positive/false negative or is mb2md changing the message in question so that clamscan misses it? It is a user's mailbox and
therefore not properly public for debugging purposes.

The clamscan alert is ".../Inbox: Email.Phishing.Webmail-37 FOUND".



I found some time to track down the offending message in the Inbox and
the only difference wrt causing a clamscan alert or not is the initial
From line on the message. The Inbox had the line and the broken out
mb2md files did not. If I put just that line back into the broken out
message, then the alert returned when scanning the maildir messages.
(This is on a lenny system with clamav 0.96.1+dfsg-1~volatile1, so if it
is a known bug fixed in squeeze, then let me know. thx) I'll go ahead,
if no one objects, and file a bug on clamav since mbox2maildir preserves
a modified form of the from line (prefixes the line with "MBOX-Line: ")
but still doesn't trigger a clamscan alert.


-jeff


Archive: http://lists.debian.org/4C4321AF.6080206@kikisoso.org
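
The second post reports that the only difference between the alerting Inbox and the clean mb2md output was the mbox "From " separator line. As an added example (not code from the thread; the function names, file names and sample mailbox are hypothetical), this Python script splits an mbox into one file per message while keeping each separator line, so a per-file scan sees the same bytes as in the original mailbox:

```python
import os
import sys

def split_mbox(data):
    """Split raw mbox bytes into messages; each keeps its leading 'From ' line."""
    messages, current = [], []
    prev_blank = True  # start of file counts as a boundary
    for line in data.splitlines(keepends=True):
        # A separator is "From " at the start of a line that follows a blank line.
        if line.startswith(b"From ") and prev_blank:
            if current:
                messages.append(b"".join(current))
            current = [line]
        elif current:
            current.append(line)
        prev_blank = line.strip() == b""
    if current:
        messages.append(b"".join(current))
    return messages

def strip_from_line(msg):
    """Message as the post describes the mb2md output: separator line removed."""
    first, _, rest = msg.partition(b"\n")
    return rest if first.startswith(b"From ") else msg

def write_messages(messages, out_dir):
    """Write one file per message and return the paths in mailbox order."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for i, msg in enumerate(messages, 1):
        path = os.path.join(out_dir, "msg-%05d.mbox" % i)
        with open(path, "wb") as fh:
            fh.write(msg)
        paths.append(path)
    return paths

# Constructed two-message mailbox (not data from the thread).
SAMPLE = (b"From alice@example.org Fri Jul 16 14:28:00 2010\nSubject: one\n\n"
          b"first body\n>From here on this is body text\n\n"
          b"From bob@example.org Sun Jul 18 15:45:00 2010\nSubject: two\n\n"
          b"second body\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <mbox file> <output directory>
        with open(sys.argv[1], "rb") as fh:
            print("\n".join(write_messages(split_mbox(fh.read()), sys.argv[2])))
    else:
        print(len(split_mbox(SAMPLE)), "messages in constructed sample")
```

Scanning the output directory with clamscan then tests each message with its separator line present, the condition under which the post saw the alert return.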
 
