> You want to use clamscan for something it was not designed to do, it was
> designed to detect viruses and that's all.
Yes, I do want to use clamscan for something it was not (quite) designed to do. However, given the fact that the designers built in the ability to parse multi-message email files in order to separate individual messages for scanning, mine is not an entirely unreasonable expectation. In fact, reading through the source reveals that such capability is on the minds of the coders.
/*
 * Is it a UNIX style mbox with more than one
 * mail message, or just a single mail message?
 *
 * TODO: It would be better if we called cli_scandir here rather than
 * in cli_scanmail. Then we could improve the way mailboxes with more
 * than one message is handled, e.g. stopping parsing when an infected
 * message is stopped, and giving a better indication of which message
 * within the mailbox is infected
 */
I also found in the source a debug message expelled during message scanning that I believe will allow one to search the debug information in order to ascertain which message might be infected. However, last night's daily update of signatures has removed one of the three "Email:FreeGames" and consequently the mbox file in question no longer is considered "infected." I am going to roll back the signatures in order to test my hypothesis of the ability to pinpoint an individual message suspected of being infected.
I am disturbed by the fact that yesterday the mbox produced a positive but when I broke out the messages using mb2md the subsequent scan did not provide a positive. This observed behavior is most likely the result of improper parsing of a multi-message email file; that is to say, the message scan is not properly delimiting message boundaries (two or more messages were scanned as one and part of the signature expression was found in one message and another part was found in a following message).
It's okay to wish for tools to be more robust. Thanks for everybody's input.
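
An added sketch, not part of the original post and not ClamAV code, of the hypothesis in the message above: a pattern whose parts sit in different messages hits on the whole mbox but on no single message. The fragments, the sample mbox and the names `matches` and `scan_mbox` are constructed for illustration; the matcher is a plain substring check standing in for a multi-part signature.

```python
import mailbox
import os
import tempfile

# Constructed stand-in for a multi-part signature: every fragment must be
# present for a hit. This is not a real ClamAV signature.
FRAGMENTS = (b"free-games-part-one", b"free-games-part-two")

# Constructed mbox: three messages, each fragment in a different message.
SAMPLE_MBOX = (
    b"From alice@example.org Mon Jan  1 10:00:00 2007\n"
    b"Subject: first\n\n"
    b"hello free-games-part-one\n\n"
    b"From bob@example.org Mon Jan  1 11:00:00 2007\n"
    b"Subject: second\n\n"
    b"nothing here\n\n"
    b"From carol@example.org Mon Jan  1 12:00:00 2007\n"
    b"Subject: third\n\n"
    b"bye free-games-part-two\n\n"
)


def matches(data, fragments=FRAGMENTS):
    """True when every fragment occurs somewhere in the given bytes."""
    return all(fragment in data for fragment in fragments)


def scan_mbox(raw, fragments=FRAGMENTS):
    """Return (whole_file_hit, indexes of messages that hit on their own)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mbox")
        with open(path, "wb") as handle:
            handle.write(raw)
        # mailbox.mbox splits on "From " separator lines, one entry per message.
        box = mailbox.mbox(path, create=False)
        try:
            per_message = [
                index for index, message in enumerate(box)
                if matches(message.as_bytes(), fragments)
            ]
        finally:
            box.close()
    return matches(raw, fragments), per_message


if __name__ == "__main__":
    print(scan_mbox(SAMPLE_MBOX))
```

A whole-file hit paired with an empty per-message list is the signal that the match spans a message boundary; a non-empty list names the message to inspect.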