Can Clamd be relied upon to unpack RFC-822 format .eml files? It seems to do it


I'm using ClamAV, communicating via a Unix socket a la https://github.com/Elycin/php-clamav/. All working so far.

My app picks up files from a folder. Each file contains RFC822-compliant content (sometimes you see these with extension .eml).

I was going to write code to unpack the .eml file into separate body text and multiple attachment(s). However a quick test showed that if I just write the whole .eml file to the clamd socket, e.g. the EICAR test file as an attachment, clamd scans and reports the "infected" file.

I was wondering if this can be relied upon, i.e. does clamd always unpack and check embedded MIME-part email attachments thoroughly, or did I just "get lucky" with my tests? I don't want to trust to luck.


I think I answered my own question. Documentation https://github.com/Cisco-Talos/clamav-faq states

1/ Supports almost all mail file formats

and

6/ Libclamav provides an easy and effective way to add a virus protection into your software. The library is thread-safe and transparently recognizes and scans within archives, mail files, MS Office document files, executables and other special formats.

[Libclamav is used by clamd].
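The following is an added example, not code from the question, the answer, php-clamav or the ClamAV project. It removes the "did I get lucky" doubt for a given clamd installation by building an RFC 822 message in which the EICAR test file is a base64-encoded attachment (so the signature cannot match the raw stream and can only be found if clamd actually decodes the MIME structure), streams it to clamd over its INSTREAM protocol on a Unix socket, and checks the verdict. The socket path `/var/run/clamav/clamd.ctl` is an assumption (it varies by distribution), and the sender/recipient addresses are made up.

```python
import os
import socket
import struct
from email import message_from_bytes
from email.message import EmailMessage

# Assumed clamd socket path; check LocalSocket in clamd.conf on your host.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

# The 68-byte EICAR test file, split in two so this source file itself is
# less likely to be flagged by a scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_test_eml(payload: bytes, filename: str = "eicar.com") -> bytes:
    """Return an RFC 822 multipart/mixed message with `payload` as a base64
    attachment. Constructed test data; addresses are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "clamd mail-parsing check"
    msg.set_content("Body text. The test payload is in the attachment.")
    # application/octet-stream bytes are base64-encoded by the email package,
    # so the payload does not appear verbatim anywhere in the message.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def extract_attachment(eml: bytes, filename: str) -> bytes:
    """What clamd has to do internally: parse the MIME tree and decode the part.
    Used here to prove the test message round-trips."""
    for part in message_from_bytes(eml).walk():
        if part.get_filename() == filename:
            return part.get_payload(decode=True)
    raise KeyError(filename)


def frame_instream(data: bytes, chunk_size: int = 8192) -> bytes:
    """Encode `data` for clamd's INSTREAM command: the command, then chunks of
    4-byte big-endian length + bytes, terminated by a zero-length chunk.
    The 'z' prefix asks clamd for NUL-terminated replies."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_reply(reply: bytes):
    """Turn 'stream: <sig> FOUND' / 'stream: OK' / '... ERROR' into a tuple."""
    text = reply.rstrip(b"\0\n").decode("utf-8", errors="replace")
    if text.endswith(" FOUND"):
        return ("FOUND", text[len("stream: "):-len(" FOUND")])
    if text.endswith(" OK") or text == "stream: OK":
        return ("OK", None)
    return ("ERROR", text)


def scan_bytes(data: bytes, socket_path: str = CLAMD_SOCKET, timeout: float = 60.0):
    """Stream `data` to clamd and return the parsed verdict."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    eml = build_test_eml(EICAR)
    assert EICAR not in eml, "payload must be hidden behind base64 for this check"
    if os.path.exists(CLAMD_SOCKET):
        verdict, name = scan_bytes(eml)
        print(verdict, name or "")
        # A FOUND verdict here means clamd decoded the MIME attachment itself.
    else:
        print("clamd socket not found; only the offline checks ran")
```

Run this against the real socket and expect a FOUND verdict; an OK verdict on this message means clamd is not unpacking mail on that host, which is controlled by `ScanMail` in clamd.conf. Two further caveats a practitioner will want to keep in mind: clamd applies size and depth limits (`StreamMaxLength` for INSTREAM, and `MaxFileSize`, `MaxScanSize`, `MaxRecursion` for what it extracts), so a message or attachment above those limits is silently truncated or skipped rather than reported; and an "infected" result is only a positive test, so repeat the check with the attachment wrapped in whatever container formats your senders actually use (zip, nested message/rfc822, and so on) rather than relying on a single EICAR sample.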