clamav-users October 2011 archive
Main Archive Page > Month Archives  > clamav-users archives
clamav-users: [clamav-users] A trojan is not blocked

[clamav-users] A trojan is not blocked

From: Ivan Ivanov <unix.ivan_at_nospam>
Date: Tue Oct 25 2011 - 12:55:12 GMT
To: clamav-users@lists.clamav.net

Hello,

I saw an interesting behavior related with for example with Email.Trojan-234.
Configuration amavisd + ClamAV.
When a message arrive with content as follow (some parts of original content has been removed):

The XXX transaction (ID: xxxxxxxxxxxx), recently initiated from your bank account (by you or any other person), was rejected by the other financial institution.

 Rejected transaction
Transaction ID: xxxxxxxxxxxx

Reason of rejection See details in the report below

Transaction Report
report_xxxxxxxxxx.pdf.exe (self-extracting archive, Adobe PDF)
Please click here to download report:
http://xxxxxxx.com/xxxxx/xxxxx.html

------------

Message is passed.
But if the same message is sent to an unknown user and an NDR with attached original mail is generated, then NDR with attached original message is blocked properly.

I just wondering why original message passed, but NDR (with attached original message) was blocked.

Thank you in advance!

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml