workaround for "file size limit exceeded" messages?

Julian Field mailscanner at ecs.soton.ac.uk
Tue Nov 4 12:31:33 GMT 2003


Good point. Sorry for the lousy code. The attached patch might work
slightly better.
You did keep your unpatched original SweepViruses.pm file, didn't you? :)

At 11:07 04/11/2003, Spicer, Kevin wrote:
>Julian Field wrote:
> > Please can you try the attached patch for
> > /usr/lib/MailScanner/MailScanner/SweepViruses.pm.
> >
> > Copy the patch file into /tmp and do this
> >          cd /usr/lib/MailScanner/MailScanner
> >          patch -p0 < /tmp/SweepViruses.pm.clam.patch
>
>This causes me false positives, but.....
>
>I managed to catch an affected file and this is what I found, first
>calling clamscan without arguments
>
>clamscan message .zip
>
>==== START CLAM OUTPUT =====
>
>photos.zip: File size limit exceeded.
>photos.zip: Worm.Mimail.C FOUND
>
>----------- SCAN SUMMARY -----------
>Known viruses: 9922
>Scanned directories: 0
>Scanned files: 2
>Infected files: 1
>Data scanned: 0.01 Mb
>I/O buffer size: 131072 bytes
>Time: 0.740 sec (0 m 0 s)
>
>==== END CLAM OUTPUT =======
>
>Then as it would be called by MailScanner
>
>clamscan --unzip --unarj --unrar --tar --tgz --lha photos.zip
>
>==== START CLAM OUTPUT =====
>
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip: File
>size limit exceeded.
>unzip:  cannot find
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip,
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.zip
>or /var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip.ZIP.
>/root/tmp/cba5c20453d3d300: Can't open directory.
>(raw)
>/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip:
>Worm.Mimail.C FOUND
>
>----------- SCAN SUMMARY -----------
>Known viruses: 9922
>Scanned directories: 1
>Scanned files: 2
>Infected files: 1
>Data scanned: 0.01 Mb
>I/O buffer size: 131072 bytes
>Time: 0.322 sec (0 m 0 s)
>
>==== END CLAM OUTPUT =======
>
>So the problem is caused by the --unzip option, which causes the internal
>scanning engine to prefix (raw).  The unzip option is actually
>unnecessary.  --unzip means 'if clam's internal unzipper fails then fall
>back to looking for an external unzip program in the path'.  But I'd
>rather not remove it as it's a second line of defence should the internal
>unzipper fail, plus I suspect the other arguments will cause similar behaviour.
>
>So... I think I've now fixed this with the attached patch  (I reverted
>Julian's patch from last night first because it was causing some false
>positives).
>
>Julian.  There are two other issues with the clam wrapper, caused by the
>fact it changes user to 'clam' to run external programs.
>
>1) The default tmpdir (/root/tmp) isn't writable by clam, therefore it
>can't unzip using an external program.  We need to specify
>--tempdir=/some/writable/path in the wrapper script.  Perhaps the wrapper
>should check for and create a clam writable subdir of
>/var/spool/MailScanner/incoming ???
>
>2) Because it changes user it can't read the original files which have
>restrictive permissions.  Maybe we need a mailscanner group which
>clam (and any other virus scanner users) can be a member of, which has
>read permissions on the whole of the incoming tree?
>
>
>
>
>BMRB International
>http://www.bmrb.co.uk
>+44 (0)20 8566 5000
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SweepViruses.pm.clam.patch
Type: application/octet-stream
Size: 1291 bytes
Desc: not available
Url : http://lists.mailscanner.info/pipermail/mailscanner/attachments/20031104/572c3272/SweepViruses.pm.clam.obj
-------------- next part --------------
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC  7222 11F6 5947 1415 B654
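
The parsing problem described in the quoted message, as an added example that is not part of the original thread and is not MailScanner's SweepViruses.pm code: a Python parser for clamscan's per-file lines that strips a "(raw)" style prefix and treats "File size limit exceeded" as a warning rather than a detection. The sample is constructed from the quoted output with the e-mail's line wrapping undone (assumption: in real output the prefix, path and result share one line); `parse_clamscan` and the regex names are hypothetical.

```python
import re

# Path taken from the quoted clamscan run.
PATH = "/var/spool/MailScanner/quarantine/20031104/hA49pcRQ030174/photos.zip"

# Constructed sample: the second quoted run, unwrapped (assumption, see lead-in).
SAMPLE = (
    f"{PATH}: File size limit exceeded.\n"
    f"unzip:  cannot find {PATH}, {PATH}.zip or {PATH}.ZIP.\n"
    "/root/tmp/cba5c20453d3d300: Can't open directory.\n"
    f"(raw) {PATH}: Worm.Mimail.C FOUND\n"
    "\n----------- SCAN SUMMARY -----------\n"
    "Infected files: 1\n"
)

# "<path>: <name> FOUND", optionally preceded by a parenthesised tag such as "(raw)".
FOUND = re.compile(r"^(?:\([^)]+\)\s+)?(?P<path>.+?): (?P<virus>\S.*?) FOUND$")
# Size-limit notice: the file was not fully scanned, which is not a detection.
LIMIT = re.compile(r"^(?P<path>.+?): File size limit exceeded\.$")


def parse_clamscan(output):
    """Return ({path: virus_name}, [paths that hit the size limit])."""
    infected, warnings = {}, []
    for line in output.splitlines():
        line = line.strip()
        # Everything after the summary banner is statistics, not per-file results.
        if line.startswith("-----") and "SCAN SUMMARY" in line:
            break
        m = FOUND.match(line)
        if m:
            # Keep the first name reported for a path; the tag is already dropped,
            # so the key matches the path the caller handed to clamscan.
            infected.setdefault(m.group("path"), m.group("virus"))
            continue
        m = LIMIT.match(line)
        if m:
            warnings.append(m.group("path"))
        # Other lines (external unzip errors, "Can't open directory.") are ignored.
    return infected, warnings


if __name__ == "__main__":
    print(parse_clamscan(SAMPLE))
```
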