workaround for "file size limit exceeded" messages?

Spicer, Kevin Kevin.Spicer at BMRB.CO.UK
Tue Nov 4 11:07:13 GMT 2003


Julian Field wrote:
> Please can you try the attached patch for
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm.
> 
> Copy the patch file into /tmp and do this
>          cd /usr/lib/MailScanner/MailScanner
>          patch -p0 < /tmp/SweepViruses.pm.clam.patch

This causes me false positives, but.....

I managed to catch an affected file and this is what I found, first calling clamscan without arguments

clamscan message .zip

==== START CLAM OUTPUT =====

photos.zip: File size limit exceeded.
photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9922
Scanned directories: 0
Scanned files: 2
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.740 sec (0 m 0 s)

==== END CLAM OUTPUT =======

Then as it would be called by MailScanner

clamscan --unzip --unarj --unrar --tar --tgz --lha photos.zip

==== START CLAM OUTPUT =====

/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: File size limit exceeded.
unzip:  cannot find /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip, /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.zip or /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.ZIP.
/root/tmp/cba5c20453d3d300: Can't open directory.
(raw) /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Known viruses: 9922
Scanned directories: 1
Scanned files: 2
Infected files: 1
Data scanned: 0.01 Mb
I/O buffer size: 131072 bytes
Time: 0.322 sec (0 m 0 s)

==== END CLAM OUTPUT =======

So the problem is caused by the --unzip option, which causes the internal scanning engine to prefix (raw).  The unzip option is actually unnecessary.  --unzip means 'if clam's internal unzipper fails then fall back to looking for an external unzip program in the path'.  But I'd rather not remove it as it's a second line of defence should the internal unzipper fail, plus I suspect the other arguments will cause similar behaviour.

So... I think I've now fixed this with the attached patch  (I reverted Julian's patch from last night first because it was causing some false positives).

Julian.  There are two other issues with the clam wrapper, caused by the fact it changes user to 'clam' to run external programs.

1) The default tmpdir (/root/tmp) isn't writable by clam, therefore it can't unzip using an external program.  We need to specify --tempdir=/some/writable/path in the wrapper script.  Perhaps the wrapper should check for and create a clam writable subdir of /var/spool/MailScanner/incoming ???

2) Because it changes user it can't read the original files which have restrictive permissions.  Maybe we need a mailscanner group which clam (and any other virus scanner users) can be a member of, which has read permissions on the whole of the incoming tree?




BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.diff
Type: application/octet-stream
Size: 496 bytes
Desc: SweepViruses.pm.diff
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031104/e4c0f5e8/SweepViruses.pm-0001.obj
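
The two clamscan runs quoted in the message above report the same infection, but the second puts a "(raw) " prefix on the FOUND line. The following Python is an added example, not MailScanner's code and not the attached patch: it parses the output quoted above so that both forms yield the same path and signature name. The regular expressions and the name parse_clamscan are assumptions based only on the lines shown in this message.

```python
import re

# Output of the second run quoted above (clamscan called with --unzip etc.).
Q = "/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip"
WRAPPED_RUN = f"""\
{Q}: File size limit exceeded.
unzip:  cannot find {Q}, {Q}.zip or {Q}.ZIP.
/root/tmp/cba5c20453d3d300: Can't open directory.
(raw) {Q}: Worm.Mimail.C FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
"""
# Output of the first run quoted above (no arguments).
PLAIN_RUN = "photos.zip: File size limit exceeded.\nphotos.zip: Worm.Mimail.C FOUND\n"

# Verdict line, with or without the "(raw) " prefix (assumed pattern).
FOUND_RE = re.compile(r"^(?:\(raw\) )?(?P<path>.+): (?P<sig>\S+) FOUND$")
# Per-file notices seen in the quoted output; they are not verdicts.
NOTICE_RE = re.compile(
    r"^(?P<path>.+): (?P<msg>File size limit exceeded\.|Can't open directory\.)$")


def parse_clamscan(output):
    """Return (infections, notices, unparsed) for one clamscan run."""
    infections = {}  # path -> signature name
    notices = []     # (path, message) pairs that carry no verdict
    unparsed = []    # anything else, e.g. messages from external unpackers
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----------- SCAN SUMMARY"):
            break    # the summary block holds totals only
        if not line:
            continue
        found = FOUND_RE.match(line)
        notice = NOTICE_RE.match(line)
        if found:
            infections[found.group("path")] = found.group("sig")
        elif notice:
            notices.append((notice.group("path"), notice.group("msg")))
        else:
            unparsed.append(line)
    return infections, notices, unparsed


if __name__ == "__main__":
    for run in (PLAIN_RUN, WRAPPED_RUN):
        print(parse_clamscan(run))
```
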

