tons of infected files getting through??? and clamscan logging
Chris Yuzik
chris at FRACTALWEB.COM
Wed Jan 28 00:04:55 GMT 2004
Chris Yuzik wrote:
> Ok, then how do we go about figuring out if ClamAV is even scanning the
> message? I don't see much in the maillog that indicates whether it was
> or wasn't scanned by Clam and what the result was.
>
> Is there a way of turning on a supplemental log for ClamAV? Adjusting
> the wrapper, perhaps?
Nothing like responding to your own emails. :-)
I've modified the clamav-wrapper file by changing the ScanOptions= line
to the following:
ScanOptions="$ScanOptions --unzip -l /tmp/clamscanlog --log-verbose"
I now have a log entry in /tmp/clamscanlog each time a message gets
logged. Unfortunately the log tells me almost nothing. A typical entry
looks like this:
--------------------------------------
Scan started: Tue Jan 27 14:32:06 2004
And an entry where it finds an infected file looks like this:
--------------------------------------
Scan started: Tue Jan 27 14:33:21 2004
/var/spool/MailScanner/incoming/26770/./i0RMXBV26943/file.pif:
Worm.SCO.A FOUND
Even with "--log-verbose" enabled, I'm not getting the kind of
information in the log file that I get if I run clamscan by hand with
the same options. Not sure why.
I'm not any closer (yet) to figuring out why some infected files walk
right by the virus scanner.
If I find a file that was originally marked as spam--but not
infected--how do I resubmit the file back to sendmail so it gets
processed by MailScanner again? For example, I've got a file called
i0RNAtV30557 that certainly looks suspicious, but when it went through
MailScanner it only got marked as Spam.
Any further thoughts out there?
Cheers,
Chris
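
Added example (not part of the original post, and not MailScanner or ClamAV code): a small parser for the /tmp/clamscanlog format quoted above that groups entries per scan and pulls the message ID out of each FOUND path, so clean scans and detections can be counted. It assumes the directory under incoming/<pid>/ is the message ID, and it rejoins a finding whose signature was wrapped onto the next line, as in the post; the sample log is constructed from the two entries shown.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the post: separator line,
# "Scan started:" header, then one "<path>: <signature> FOUND" line per hit.
SAMPLE_LOG = """\
--------------------------------------
Scan started: Tue Jan 27 14:32:06 2004
--------------------------------------
Scan started: Tue Jan 27 14:33:21 2004
/var/spool/MailScanner/incoming/26770/./i0RMXBV26943/file.pif: Worm.SCO.A FOUND
"""

STARTED = re.compile(r"^Scan started:\s*(.+)$")
FOUND = re.compile(r"^(?P<path>.+?):\s+(?P<sig>\S+) FOUND$")
# Assumption: the directory below incoming/<pid>/ is the message ID.
MSG_ID = re.compile(r"/incoming/\d+/(?:\./)?(?P<id>[^/]+)/")


def parse_scans(text):
    """Return one dict per scan: start time plus (msg_id, path, signature) hits."""
    scans, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("-----"):
            continue  # blank line or entry separator
        m = STARTED.match(line)
        if m:
            scans.append({"started": m.group(1), "hits": []})
        elif line.endswith(":"):
            pending = line + " "  # path wrapped; signature is on the next line
        elif scans and (m := FOUND.match(line)):
            mid = MSG_ID.search(m.group("path"))
            scans[-1]["hits"].append(
                (mid.group("id") if mid else None, m.group("path"), m.group("sig")))
    return scans


def summarize(scans):
    """Count clean scans and list which message IDs and signatures were flagged."""
    hits = [h for s in scans for h in s["hits"]]
    return {"scans": len(scans),
            "clean": sum(1 for s in scans if not s["hits"]),
            "infected_ids": sorted({h[0] for h in hits if h[0]}),
            "signatures": dict(Counter(h[2] for h in hits))}


if __name__ == "__main__":
    print(summarize(parse_scans(SAMPLE_LOG)))
```

A scan with no detection leaves only its "Scan started" header in this log, so a clean entry cannot be tied back to a message ID from the log alone.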