[Avcheck] Problem (what else?)

Michael Tokarev mjt@tls.msk.ru
Tue, 28 Aug 2001 19:02:52 +0400


"Milan P. Stanic" wrote:
> 
[]
> avp:/var/spool/avp/ctl/AvpCtl root < eicar.msg
> Message didn't pass the virus check: infected: EICAR-Test-File
[]
> avp:/var/spool/avp/ctl/AvpCtl root < eicar.txt
> Message didn't pass the virus check: infected: EICAR-Test-File
> 
> That confused me. AvpDaemon detects the virus in a text file if avcheck is
> invoked through the shell. And I thought that it must detect it when I send
> the same file in the body of a message (over SMTP, of course).

;)  *This* is expected behaviour.  Think about the algorithm here -- much
antivirus software, and avp is no exception, uses (or is able to use)
file *format* detection.

In the first case, the input is in mail message format, so it will be processed
looking at the proper MIME structure etc.  Think about this MIME processing
like about an executable file format: when the antivirus *knows* it is an executable,
it will process *code* sections, but not e.g. icon or menu (windows resources)
sections.  In MIME, it will process e.g. application/octet-stream or the like
sections, but will skip text/plain parts.

In the second case, the antivirus has no knowledge about the "context" the input
it receives comes from.  So it can't say "it is from a text section, so I'll
skip it" -- no "section information" is available.  So it is forced to actually
look at and detect its *format*, but now it is a .com (msdos executable) file!

With avcheck, avpdaemon should be set up to look into the file format, not e.g.
into its extension (actually, avcheck uses an "unrelated" extension when writing
the temp file), and even more, neither avpdaemon nor even avcheck itself knows
the original file name that was passed into its stdin! ;)

I hope this clears up the confusion somewhat.  Basically, this is expected
behaviour, and any other behaviour would just indicate an error somewhere.

Regards,
 Michael.
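The two scanning modes Michael contrasts above, as an added illustration that is not part of this thread and not avcheck's or avp's own code: a toy engine that, given a mail message, walks the MIME tree and skips `text/*` parts, but, given bytes with no context, matches signatures against everything. The signature (`TEST-SIGNATURE-DO-NOT-RUN`), the signature table and the sample messages are all constructed for the example; the marker deliberately is not the real EICAR string, and the format sniff in `looks_like_mail()` is a deliberately crude stand-in for what a real engine does.

```python
"""Toy scanner contrasting a MIME-aware scan with a context-free raw scan.

Added example, not code from the avcheck project or the mailing-list thread.
Signature and messages are constructed; the marker is NOT the EICAR string.
"""
from email import message_from_bytes
from email.message import EmailMessage

# Constructed toy signature database: name -> byte pattern.
SIGNATURES = {
    "Toy-Test-File": b"TEST-SIGNATURE-DO-NOT-RUN",
}


def match_signatures(data: bytes) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pat in SIGNATURES.items() if pat in data]


def scan_raw_file(data: bytes) -> list[str]:
    """Context-free scan: the engine does not know where the bytes came
    from, so it looks at every byte.  Text bodies therefore still trigger."""
    return match_signatures(data)


def scan_mail_message(data: bytes) -> list[str]:
    """MIME-aware scan: walk the message tree and scan only the parts that
    are not text/*, mirroring an engine that skips text/plain sections."""
    msg = message_from_bytes(data)
    hits: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_maintype() == "text":
            continue  # text parts are deliberately skipped
        # decode=True undoes base64/quoted-printable before matching
        payload = part.get_payload(decode=True) or b""
        hits.extend(match_signatures(payload))
    return hits


def looks_like_mail(data: bytes) -> bool:
    """Crude format sniff (assumption for the example): treat input as a
    mail message if its header block carries MIME-Version or From."""
    head = data.split(b"\r\n\r\n", 1)[0].split(b"\n\n", 1)[0]
    return b"MIME-Version:" in head or head.startswith(b"From:")


def scan(data: bytes) -> list[str]:
    """Dispatch on the detected format, as an engine fed via stdin must,
    because no file name or MIME context arrives with the bytes."""
    if looks_like_mail(data):
        return scan_mail_message(data)
    return scan_raw_file(data)


def build_message(body: bytes, as_attachment: bool) -> bytes:
    """Constructed sample message: the marker either sits in the text/plain
    body or travels as an application/octet-stream attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "scanner test"
    if as_attachment:
        msg.set_content("see attached")
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename="test.com")
    else:
        msg.set_content(body.decode("ascii"))
    return msg.as_bytes()


if __name__ == "__main__":
    marker = SIGNATURES["Toy-Test-File"]
    in_body = build_message(marker, as_attachment=False)
    attached = build_message(marker, as_attachment=True)
    print("raw bytes via stdin:     ", scan(marker))
    print("marker in text/plain body:", scan(in_body))
    print("marker as attachment:     ", scan(attached))
    print("same mail, raw scan:      ", scan_raw_file(in_body))
```

Running it shows the behaviour from the thread: the bare marker fed as an opaque file is flagged, the same marker inside a `text/plain` body of a parsed message is not, and the marker as an `application/octet-stream` attachment is flagged again because the non-text part is decoded and scanned. The last line shows the flip side: a raw scan of the whole message bytes does flag the text body, which is why feeding the message to a MIME-aware engine and feeding it to a context-free one can legitimately disagree.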