clamav-users August 2009 archive

Re: [Clamav-users] Clamd not detecting eicar string with Telnet interface

From: Török Edwin <edwintorok_at_nospam>
Date: Sat Aug 01 2009 - 10:00:59 GMT
To: ClamAV users ML <clamav-users@lists.clamav.net>


On 2009-08-01 10:50, M Rajesh-B22236 wrote:
> CLAM AV version we used is 0.94.2
>
> I used Telnet client to send a mail with Eicar string in a file as
> attachment.
>
> Expecting clamd to detect it as virus mail, but instead it returned as
> clean mail.
>
> This is working fine with any email client, problem is coming by using
> Telnet interface only.
>
> Following is the data that is sent to clamd for scanning:
>

This is not an email. What email client opens it and displays the attachment properly?

> Subject:
>

You are missing some headers here:
From
Content-Type: multipart/mixed; boundary="=-E6uObbGoQ4lkg+aYaH2/"

If you add those, then clamav detects eicar, I don't see a problem here.

> --=-E6uObbGoQ4lkg+aYaH2/
>
> Content-Type: text/plain
>
> Content-Transfer-Encoding: 7bit
>
>
>
>
>
> --=-E6uObbGoQ4lkg+aYaH2/
>
> Content-Disposition: attachment; filename=eicar.com
>
> Content-Type: text/plain; name=eicar.com; charset=us-ascii
>
> Content-Transfer-Encoding: 7bit
>
> X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
>
> --=-E6uObbGoQ4lkg+aYaH2/--
>
> .
>
> Can anyone suggest a reason for the above problem?
>
> One guess is SMTP clients will also send SMTP message headers like
> From,To,Content-Type,Message-Id, Mime-Version,etc as part of data and
> same is not the case for Telnet.
>

Does your mail server even accept the above mail? Which mail server is it?

> But I think clamd should return error in case of any failures of SMTP
> header parsing instead of sending it as clean mail.
>

That would lead to many false positives; not all emails follow the RFC standard.

Best regards,
--Edwin
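
An added illustration, not part of the thread and not ClamAV's own parser: Python's standard `email` package stands in for a MIME parser to show that the attachment part only becomes visible once the top-level Content-Type header declares the boundary. The boundary is the one from the quoted message; the sender address and the placeholder payload (used in place of the test string) are constructed.

```python
from email import message_from_string

BOUNDARY = "=-E6uObbGoQ4lkg+aYaH2/"               # boundary from the quoted message
PAYLOAD = "CONSTRUCTED-PLACEHOLDER-TEST-PAYLOAD"  # constructed stand-in for the test file

# MIME body laid out like the quoted data, with the payload replaced.
BODY = "\r\n".join([
    "--" + BOUNDARY,
    "Content-Type: text/plain",
    "Content-Transfer-Encoding: 7bit",
    "",
    "",
    "--" + BOUNDARY,
    "Content-Disposition: attachment; filename=eicar.com",
    "Content-Type: text/plain; name=eicar.com; charset=us-ascii",
    "Content-Transfer-Encoding: 7bit",
    "",
    PAYLOAD,
    "--" + BOUNDARY + "--",
    "",
])


def build(with_headers):
    """Return the raw message, with or without the headers named in the reply."""
    headers = ["Subject: "]
    if with_headers:
        headers += [
            "From: sender@example.com",  # constructed address
            'Content-Type: multipart/mixed; boundary="%s"' % BOUNDARY,
        ]
    return "\r\n".join(headers) + "\r\n\r\n" + BODY


def attachments(raw):
    """Parse raw text; return (is_multipart, [(filename, payload), ...])."""
    msg = message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append((part.get_filename(), part.get_payload().strip()))
    return msg.is_multipart(), found


if __name__ == "__main__":
    print("without headers:", attachments(build(False)))
    print("with headers:   ", attachments(build(True)))
```

Without the headers the whole body is treated as one text/plain blob and no attachment is found; with them the parser splits on the boundary and yields `eicar.com` as a separate part.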


