[clamav-users] Question about not recognized malware IN a zipfile Matthias Egger Fri Feb 10 06:01:50 2012

Hello List

Yesterday we received a lot of "DHL Delivery Notification Messages" with a zip File as attachment.

The zip file contains an exe file which is obviously some kind of malware.

Since clamav let this email pass through I went to the malware submission page and uploaded this file. The message I received then was that this file is still known as malware.

So why did clamav let the attachment pass through?

I found the solution:

# clamscan -v DHL_Post_oder_Notification-INF6782654.zip
DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND

# clamscan -v DHL_Post_oder_Notification-DATA.exe
DHL_Post_oder_Notification-DATA.exe: OK

So clamav recognizes the zipfile as malware, but not the contained exe. This is bad, since amavis does extract the submitted zip file and then checks the extracted exe file.

So the question is... how can I fix this?

Best regards
Matthias Egger
ETH Zurich
Department of Information Technology
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1         Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich               Fax   +41 (0)44 632 11 95
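As an added example (not part of this mail, nor code from ClamAV or amavis): a gateway-side check that scans the archive itself as well as every extracted member, so that the mismatch described above (container FOUND, extracted exe OK) still blocks the mail, and that refuses to pass members it cannot inspect (encrypted or oversized). The `clamscan --no-summary -` stdin invocation is an assumption about the CLI; `structure_only_stub` and `build_sample_zip` are constructed stand-ins so the logic runs offline.

```python
import io
import subprocess
import zipfile
from typing import Callable, Dict, Optional

# A scanner takes raw bytes and returns the detection name, or None when clean.
Scanner = Callable[[bytes], Optional[str]]
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse to inflate larger members (decompression-bomb guard)


def clamscan_bytes(data: bytes) -> Optional[str]:
    """Real backend (assumed CLI usage): feed the bytes to clamscan on stdin."""
    proc = subprocess.run(["clamscan", "--no-summary", "-"], input=data, capture_output=True)
    if proc.returncode == 0:
        return None
    if proc.returncode != 1:          # scan error: never let an unscanned file through
        return "Unscannable.ScanError"
    line = proc.stdout.decode(errors="replace").strip()   # e.g. "stdin: Suspect.Bredozip-zippwd-2 FOUND"
    return line.split(": ", 1)[1].rsplit(" FOUND", 1)[0]


def scan_archive(archive: bytes, scanner: Scanner) -> Dict[str, object]:
    """Scan the container itself AND each member; a hit on either blocks the mail."""
    verdicts: Dict[str, Optional[str]] = {"<archive>": scanner(archive)}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:                    # encrypted member: cannot be inspected
                verdicts[info.filename] = "Unscannable.Encrypted"
            elif info.file_size > MAX_MEMBER_BYTES:
                verdicts[info.filename] = "Unscannable.TooLarge"
            else:
                verdicts[info.filename] = scanner(zf.read(info))
    return {"verdicts": verdicts, "block": any(v is not None for v in verdicts.values())}


def structure_only_stub(data: bytes) -> Optional[str]:
    """Constructed stand-in for a container signature: fires on a zip carrying an .exe name."""
    return "Suspect.Bredozip-like" if data.startswith(b"PK\x03\x04") and b".exe" in data else None


def build_sample_zip() -> bytes:
    """Constructed sample: a zip with one harmless .exe-named member (just an MZ header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DHL_Post_oder_Notification-DATA.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()
```

With the stub, `scan_archive(build_sample_zip(), structure_only_stub)` reproduces the post's situation (archive flagged, member clean) and still returns `block: True`; swap in `clamscan_bytes` to use the real engine.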
