Problem with ClamAVmodule

Richard Lynch rich at MAIL.WVNET.EDU
Tue Nov 16 23:52:50 GMT 2004



This past weekend I upgraded our MailScanner servers to version
4.35.11-1 along with SA 3.0.1,  ClamAV-0.80, and Mail-ClamAV-0.13.  The
problem is that password protected zips always get flagged by
clamavmodule even when the recipient is listed as being allowed in a
ruleset for "Allow Password-Protected Archives".   I also have "Maximum
Archive Depth = 0".   The message in the maillog is...

... ClamAVModule::INFECTED:: Encrypted.Zip:: ...

When I run with Virus Scanners set to clamav things work as expected --
it's only when I use clamavmodule that I have this problem.  I suspect
that this is a bug in Mail-ClamAV but I suppose it could be a problem
with MS.  The relevant code is in  SweepViruses.pm at around line 998.  ...

      if (MailScanner::Config::Value('allowpasszips')) { # || $haverar) {
        $results = $Clam->scan("$dirname/$childname/$filename",
                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
                               Mail::ClamAV::CL_SCAN_OLE2());
      } else {
        $results = $Clam->scan("$dirname/$childname/$filename",
                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
                               Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
                               Mail::ClamAV::CL_SCAN_OLE2());
      }

The option CL_SCAN_BLOCKENCRYPTED is used by Mail-ClamAV to pass to
ClamAV and indicates that password protected zips should be treated as
infected.  It seems clear to me that MS is calling the interface
correctly depending on the setting of "Allow Password-Protected Archives".

So... Is anyone else having this problem?   Am I doing something dumb?
(I realize that answers to these two questions are not necessarily
dependent :) ).

 If this is a Mail-ClamAV problem how does one get it reported?

Thanks,
Rich

--
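
An added example, not part of the original post and not MailScanner, Mail-ClamAV or ClamAV code: a scanner-independent check of whether a zip really carries the encryption flag, useful when triaging an "Encrypted.Zip" report like the one above. The function names, the verdict strings and the sample archive are assumptions constructed for this illustration; `verdict` only models the outcome the two branches of the excerpt are expected to produce.

```python
import io
import struct
import zipfile

ENCRYPTED_BIT = 0x0001  # ZIP general-purpose flag, bit 0: member is encrypted


def build_sample_zip(encrypted):
    """Constructed sample: one stored member, optionally flagged as encrypted."""
    info = zipfile.ZipInfo("report.txt", date_time=(2004, 11, 16, 0, 0, 0))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(info, b"constructed sample data")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Set bit 0 in the local file header (flags at offset 6) and in the
        # central directory header (flags at offset 8). The payload is not
        # actually encrypted; only the flag a scanner inspects is set.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(signature) + offset
            (flags,) = struct.unpack_from("<H", data, pos)
            struct.pack_into("<H", data, pos, flags | ENCRYPTED_BIT)
    return bytes(data)


def encrypted_members(zip_bytes):
    """Names of members whose central directory entry has the encryption bit."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [m.filename for m in zf.infolist() if m.flag_bits & ENCRYPTED_BIT]


def verdict(zip_bytes, allow_password_zips):
    """Hypothetical model of the expected result for each branch of the excerpt."""
    if encrypted_members(zip_bytes) and not allow_password_zips:
        return "blocked: Encrypted.Zip"
    return "passed to signature scan"


if __name__ == "__main__":
    for enc in (False, True):
        for allow in (False, True):
            sample = build_sample_zip(enc)
            print(f"encrypted={enc} allow={allow} -> {verdict(sample, allow)}")
```

If a message's attachment shows no encrypted members here yet the scanner still reports Encrypted.Zip, or the flag is present and the archive is blocked although the recipient is allowed, that narrows down which layer is not honouring the setting.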

