Mailing List Archive: ClamAV: devel

This SoBig-F was missed because it has an invalid Content-type


James at kyzo

Aug 27, 2003, 8:36 AM


I think the subject line says it all ... the content-type of the "scr"
attachment is declared as :-

Content-Type: chemical/x-rasmol;

Which means Clam fails to recognise it. Luckily we have a second line of
defense, we remove all ".scr" attachments!

I changed the content-type to "application/binary" and Clam picked it up
great.

We still have an old copy of RAV here, that works, and it sees the virus
without the content-type change. Perhaps Clam should default to
"application/binary" if the type is unknown?

Or make some kind of intelligent guess based on the encoding or file name?



James
Attachments: sobig-missed.zip (69.6 KB)


njh at bandsman

Aug 27, 2003, 9:13 AM

Re: This SoBig-F was missed because it has an invalid Content-type

On Wednesday 27 Aug 2003 4:35 pm, James Stevens wrote:
> Perhaps Clam should default to
> "application/binary" if the type is unknown ?

Good idea. I've tried that and see this with your message:
LibClamAV Warning: Unknown MIME type: `chemical' - set to Application
/home/njh/gateway/sobig-missed.eml: Worm.Sobig.F FOUND

I'll forward the change to Tomasz for his approval.

> James

-Nigel

--
Nigel Horne. Arranger, Composer, Conductor, Typesetter.
Owner of the brass band group of the Internet. ICQ#20252325
njh [at] bandsman http://www.bandsman.co.uk/music.htm
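
The fallback discussed in this thread, as an added example that is not part of either post and is not ClamAV's own code: a Content-Type classifier that maps any unrecognised top-level type (such as `chemical`) to application, so the part is still decoded and scanned instead of skipped. The enum, table and function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not ClamAV's own types. */
typedef enum { MT_TEXT, MT_MULTIPART, MT_MESSAGE, MT_APPLICATION,
               MT_AUDIO, MT_IMAGE, MT_VIDEO } mime_top;

static const struct { const char *name; mime_top top; } known[] = {
    {"text", MT_TEXT}, {"multipart", MT_MULTIPART}, {"message", MT_MESSAGE},
    {"application", MT_APPLICATION}, {"audio", MT_AUDIO},
    {"image", MT_IMAGE}, {"video", MT_VIDEO},
};

/* Classify a Content-Type header value (the text after the colon).
 * There is no "skip" result: an unknown, empty or over-long top-level
 * type sets *was_unknown and is treated as application. */
mime_top classify_content_type(const char *value, int *was_unknown)
{
    char top[32];
    size_t n = 0, i;

    *was_unknown = 0;
    while (isspace((unsigned char)*value))
        value++;
    /* Copy the top-level type, lower-cased, up to '/', ';' or whitespace. */
    while (*value && *value != '/' && *value != ';' &&
           !isspace((unsigned char)*value) && n < sizeof(top) - 1)
        top[n++] = (char)tolower((unsigned char)*value++);
    top[n] = '\0';

    for (i = 0; i < sizeof(known) / sizeof(known[0]); i++)
        if (strcmp(top, known[i].name) == 0)
            return known[i].top;

    *was_unknown = 1;
    fprintf(stderr, "Unknown MIME type: `%s' - set to application\n", top);
    return MT_APPLICATION;
}

int main(void)
{
    int unk;
    /* Header value quoted in the first post of this thread. */
    mime_top t = classify_content_type("chemical/x-rasmol;", &unk);
    printf("top=%d unknown=%d\n", (int)t, unk);
    return 0;
}
```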
