clamav-users@lists.clamav.net
Re: [clamav-users] Question about not recognized malware IN a zipfile Matthias Egger Fri Feb 10 07:02:19 2012
Hello Edwin

Thank you for your reply.

On 10.02.2012 15:06, Török Edwin wrote:
> # clamscan -v DHL_Post_oder_Notification-INF6782654.zip
> DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND
>
> The detection is based on the filename inside the zip file.

I am curious... isn't this really unsafe?

I have just checked a second of these DHL emails. The Subject and the ZIP name were different, but the content was the same file. So what happens if a spammer not only changes the subject and zip-name but also changes the filename of the exe every time?

Would it not make sense to use something like an md5 sum of the exe file? I think the effort to change the names of the exe is much lower than changing the malware for every email.

But hey... I am just thinking out loud... I don't want to step on anybody's feet. As I said... I am just curious.

>> So the question is... how can I fix this?
>
> Pass the full email to ClamAV, not just the attachments.

Hmm... okay, I will take a look at it. Thank you Edwin!

Best regards
Matthias

--
Matthias Egger
ETH Zurich
Department of Information Technology      [EMAIL PROTECTED]
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1     Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich           Fax   +41 (0)44 632 11 95

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
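The trade-off raised in the message above, as an added example that is not part of the original thread and not ClamAV code: a content-hash signature in the MD5:size:name layout of ClamAV's .hdb files survives a rename of the inner file but misses a one-byte change, while a name-based rule behaves the other way round. The payload, file names, signature name and `scan_by_name` rule are constructed for illustration; the name rule is a hypothetical stand-in, not the actual Suspect.Bredozip-zippwd-2 signature.

```python
import hashlib
import io
import zipfile

MAX_MEMBER = 50 * 1024 * 1024  # skip members whose declared size is too large

def make_zip(inner_name: str, payload: bytes) -> bytes:
    """Build an in-memory zip with one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()

def hdb_line(data: bytes, sig_name: str) -> str:
    """Format a hash signature as MD5:size:name (ClamAV .hdb layout)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{sig_name}"

def scan_by_hash(zip_bytes: bytes, hdb_lines: list[str]) -> list[tuple[str, str]]:
    """Return (member, signature name) for members whose MD5 and size match."""
    sigs = {}
    for line in hdb_lines:
        digest, size, name = line.strip().split(":", 2)
        sigs[(digest.lower(), int(size))] = name
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            key = (hashlib.md5(data).hexdigest(), len(data))
            if key in sigs:
                hits.append((info.filename, sigs[key]))
    return hits

def scan_by_name(zip_bytes: bytes, names: set[str]) -> list[str]:
    """Hypothetical name-based rule: flag members whose filename is listed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n in names]

# Constructed, harmless sample data standing in for the attachment.
PAYLOAD = b"MZ-constructed-placeholder-not-a-real-executable"
ZIP_A = make_zip("DHL_notification.exe", PAYLOAD)
ZIP_B = make_zip("Invoice_copy.exe", PAYLOAD)            # renamed, same bytes
ZIP_C = make_zip("Invoice_copy.exe", PAYLOAD + b"\x00")  # renamed, one byte added
SIGS = [hdb_line(PAYLOAD, "Local.Example.Placeholder")]

if __name__ == "__main__":
    for label, z in (("A", ZIP_A), ("B", ZIP_B), ("C", ZIP_C)):
        print(label, scan_by_name(z, {"DHL_notification.exe"}), scan_by_hash(z, SIGS))
```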
- [clamav-users] Question about not recognized malware IN a zipfile Matthias Egger 2012/02/10
- Re: [clamav-users] Question about not recognized malware IN a zipfile Török Edwin 2012/02/10
- Re: [clamav-users] Question about not recognized malware IN a zipfile Matthias Egger 2012/02/10 <=
- Re: [clamav-users] Question about not recognized malware IN a zipfile Török Edwin 2012/02/10