
Re: [clamav-users] Question about not recognized malware IN a zipfile Matthias Egger Fri Feb 10 07:02:19 2012

Hello Edwin

Thank you for your reply.

On 10.02.2012 15:06, Török Edwin wrote:
>> # clamscan -v DHL_Post_oder_Notification-INF6782654.zip
>> DHL_Post_oder_Notification-INF6782654.zip: Suspect.Bredozip-zippwd-2 FOUND
>
> The detection is based on the filename inside the zip file.

I am curious... isn't this really unsafe?

I have just checked a second one of these DHL emails. The subject and the ZIP name were different, but the content was the same file. So what happens if a spammer not only changes the subject and the zip name but also changes the filename of the exe every time?

Would it not make sense to use something like an md5 sum of the exe file? I think the effort to change the names of the exe is much lower than changing the malware for every email.

But hey... I am just thinking out loud... I don't want to step on anybody's feet. As I said... I am just curious.

>> So the question is... how can I fix this?
>
> Pass the full email to ClamAV, not just the attachments.

Hmm... okay, I'll have a look at it.

Thank you Edwin!

Best regards
Matthias Egger
ETH Zurich
Department of Information Technology          [EMAIL PROTECTED]
and Electrical Engineering
IT Support Group (ISG.EE), ETL/F/24.1         Phone +41 (0)44 632 03 90
Physikstrasse 3, CH-8092 Zurich               Fax   +41 (0)44 632 11 95
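The content-hash idea raised in this mail, as an added illustration that is not part of the thread or of ClamAV's own code: the inner file of a zip is hashed rather than name-matched, so renaming the attachment or the exe inside it leaves the match unchanged. The payload is a constructed stand-in, the signature name is made up, and the only thing taken from ClamAV itself is the `.hdb` hash-signature layout (`md5:size:name`).

```python
import hashlib
import io
import zipfile

# Constructed stand-in for the attached executable; not a real binary.
FAKE_EXE = b"MZ" + b"\x90" * 64 + b"constructed sample payload"


def build_zip(inner_name: str, payload: bytes = FAKE_EXE) -> bytes:
    """Build an in-memory zip holding one file under the given name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


def inner_hashes(zip_bytes: bytes) -> dict:
    """Map each inner filename to (md5, size) of its uncompressed content."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            out[info.filename] = (hashlib.md5(data).hexdigest(), len(data))
    return out


def hdb_lines(zip_bytes: bytes, sig_name: str) -> list:
    """Emit ClamAV .hdb hash-signature lines (md5:size:name) for the inner files."""
    return [f"{md5}:{size}:{sig_name}"
            for md5, size in inner_hashes(zip_bytes).values()]


def matches_hdb(zip_bytes: bytes, hdb: list) -> list:
    """Return the signature names whose md5 and size match any inner file."""
    known = {}
    for line in hdb:
        md5, size, sig_name = line.split(":")
        known[(md5, int(size))] = sig_name
    return [known[h] for h in inner_hashes(zip_bytes).values() if h in known]
```

A renamed copy of the same exe in a differently named zip still hits the signature, while a zip whose inner content differs does not; this is the trade-off the mail points at, since a hash signature also misses any byte-level variant.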