Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net

Home Page: https://www.clamav.net/

Some mail not recognized as e-mail, attachment ignored

LSchuepbach opened this issue

Describe the bug

See the attached email. When scanning it, it is not recognized as an email, and the attachment is ignored. Strangely, removing one line from the headers, or adding one, makes it recognized correctly again.

How to reproduce the problem

crudeeicar.ndb: CRUDE.EICAR:0:*:58354f2150254041505b345c505a58353428505e2937434329377d2445494341522d5354414e444152442d414e544956495255532d544553542d46494c452124482b482a

clamscan -d crudeeicar.ndb /scandir/eicar.eml

LibClamAV debug: Checking realpath of /scandir/eicar.eml
LibClamAV debug: Recognized ASCII text
LibClamAV debug: clean_cache_check: 738769125b5cd2a1ac228c0229c04e5b is negative
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: in cli_scanscript()
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: cli_magic_scan: returning 0  at line 5027
LibClamAV debug: clean_cache_add: 738769125b5cd2a1ac228c0229c04e5b (level 0)
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
/scandir/eicar.eml: OK
LibClamAV debug: Cleaning up phishcheck
LibClamAV debug: Freeing phishcheck struct
LibClamAV debug: Phishcheck cleaned up

Removing the header "X-REPORT-ABUSE-TO: Message sent by Mailjet please report to abuse@mailjet.com with a copy of the message" from the mail and scanning again:

LibClamAV debug: Checking realpath of /scandir/eicar.eml
LibClamAV debug: Recognized ASCII text
LibClamAV debug: clean_cache_check: a24d59edca618d10a984cbb965984fda is negative
LibClamAV debug: Descriptor[3]: Continuing after file scan resulted with: No viruses detected
LibClamAV debug: Matched signature for file type MHTML file
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: MHTML signature found at 2566
LibClamAV debug: Starting cli_scanmail()
LibClamAV debug: in mbox()

Or, adding the header "Return-Path: <postmaster@example.org>" as the first line also helped detection: the zip file gets detected and extracted, and the signature hits.

Attachments

Here's the email in question:
eicar.txt

Tested on 0.103.11 and 1.1.1 with the same result.

Is there something wrong in the structure of that mail, or is it a ClamAV issue? Should we systematically add a Return-Path header as the first line to be sure all the mails we scan are recognized as emails?
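The report shows that an attachment is only scanned once the scanner has recognised the container as mail. As a defence-in-depth check for a mail gateway (an added example, not ClamAV project code or the reporter's), the Python below parses the MIME structure with the standard library and hands each attachment to clamscan as its own file, so detection no longer hinges on header layout; the sample message and its filenames are constructed, and clamscan on PATH is assumed.

```python
import email
import subprocess
import tempfile
from email import policy
from pathlib import Path
# Constructed sample (not the reporter's eicar.eml): headers, a text body
# and one base64-encoded zip attachment whose bytes are a bare PK header.
SAMPLE_EML = b"""\
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to abuse@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Body text, nothing to scan here.
--b1
Content-Type: application/zip; name="sample.zip"
Content-Disposition: attachment; filename="sample.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""

def extract_attachments(raw: bytes) -> list:
    """Walk the MIME tree ourselves and return (filename, decoded bytes) for
    every attachment, so scanning does not depend on file-type sniffing."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for i, part in enumerate(msg.walk()):
        if part.is_multipart() or (part.get_content_maintype() == "text"
                                   and part.get_content_disposition() != "attachment"):
            continue  # containers and inline text bodies carry no file
        name = Path(part.get_filename() or f"part-{i}.bin").name  # strip any dirs
        found.append((name, part.get_payload(decode=True) or b""))
    return found

def scan_attachments(raw: bytes, db: str = "") -> dict:
    """Write each attachment to a temp dir and run clamscan on it directly.
    Returns clamscan's exit code per file: 0 clean, 1 detected, 2 error."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in extract_attachments(raw):
            path = Path(tmp, name)
            path.write_bytes(payload)
            cmd = ["clamscan", "--no-summary"] + (["-d", db] if db else [])
            results[name] = subprocess.run(cmd + [str(path)], capture_output=True).returncode
    return results
```

Run `scan_attachments(open("eicar.eml", "rb").read(), db="crudeeicar.ndb")` to reproduce the report's scan against the extracted attachment alone.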