Problem with ClamAVmodule

Julian Field mailscanner at ecs.soton.ac.uk
Wed Nov 17 09:04:43 GMT 2004


You have found a bug, but I'm not sure it is easy to work around.
You need to set
Allow Password-Protected Archives = yes
and not use a ruleset. I allow a ruleset as this is only the case when using
the "clamavmodule" virus scanner. I guess I should put a check in there to
ensure that this is a simple value when using clamavmodule.

On 16/11/04 11:52 pm, "Richard Lynch" <rich at MAIL.WVNET.EDU> wrote:

> This past weekend I upgraded our MailScanner servers to version
> 4.35.11-1 along with SA 3.0.1,  ClamAV-0.80, and Mail-ClamAV-0.13.  The
> problem is that password protected zips always get flagged by
> clamavmodule even when the recipient is listed as being allowed in a
> ruleset for "Allow Password-Protected Archives".   I also have "Maximum
> Archive Depth = 0".   The message in the maillog is...
>
> ... ClamAVModule::INFECTED:: Encrypted.Zip:: ...
>
> When I run with Virus Scanners set to clamav things work as expected --
> it's only when I use clamavmodule that I have this problem.  I suspect
> that this is a bug in Mail-ClamAV but I suppose it could be a problem
> with MS.  The relevant code is in  SweepViruses.pm at around line 998.  ...
>
>       if (MailScanner::Config::Value('allowpasszips')) { # || $haverar) {
>         $results = $Clam->scan("$dirname/$childname/$filename",
>                                Mail::ClamAV::CL_SCAN_ARCHIVE() |
>                                Mail::ClamAV::CL_SCAN_OLE2());
>       } else {
>         $results = $Clam->scan("$dirname/$childname/$filename",
>                                Mail::ClamAV::CL_SCAN_ARCHIVE() |
>                                Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
>                                Mail::ClamAV::CL_SCAN_OLE2());
>       }
>
> The option CL_SCAN_BLOCKENCRYPTED is used by Mail-ClamAV to pass to
> ClamAV and indicates that password protected zips should be treated as
> infected.  It seems clear to me that MS is calling the interface
> correctly depending on the setting of "Allow Password-Protected Archives".
>
> So... Is anyone else having this problem?   Am I doing something dumb?
> (I realize that answers to these two questions are not necessarily
> dependent :) ).
>
>  If this is a Mail-ClamAV problem how does one get it reported?
>
> Thanks,
> Rich
>
> --
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
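
The check proposed in the reply above can also be run against a configuration file before it is deployed. The following is an added example, not code from MailScanner or from either poster. It assumes the usual "Option = value" layout of MailScanner.conf, that option names match regardless of case and spacing, and that any value other than yes/no is a ruleset; the sample configurations are constructed.

```python
import re

SIMPLE_VALUES = {"yes", "no"}

# Constructed sample configurations (not taken from the thread).
RULESET_WITH_MODULE = """\
Virus Scanners = clamavmodule
Maximum Archive Depth = 0
Allow Password-Protected Archives = %rules-dir%/passzip.rules
"""
SIMPLE_WITH_MODULE = """\
Virus Scanners = clamavmodule
Allow Password-Protected Archives = yes   # workaround from the reply
"""
RULESET_WITH_CLAMAV = """\
Virus Scanners = clamav
Allow Password-Protected Archives = %rules-dir%/passzip.rules
"""

def normalise_key(key):
    # Assumption: option names match regardless of case, spaces and punctuation.
    return re.sub(r"[^a-z0-9]", "", key.lower())

def parse_conf(text):
    """Collect 'Option = value' pairs; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            settings[normalise_key(key)] = value.strip()
    return settings

def check_passzip_setting(conf_text):
    """Return warnings for the combination reported in this thread."""
    conf = parse_conf(conf_text)
    scanners = re.split(r"[\s,]+", conf.get("virusscanners", "").lower())
    value = conf.get("allowpasswordprotectedarchives", "")
    if "clamavmodule" in scanners and value and value.lower() not in SIMPLE_VALUES:
        return [f"Allow Password-Protected Archives = {value!r} is not a plain "
                "yes/no; with clamavmodule, use a simple value instead of a ruleset"]
    return []

if __name__ == "__main__":
    for name in ("RULESET_WITH_MODULE", "SIMPLE_WITH_MODULE", "RULESET_WITH_CLAMAV"):
        print(name, check_passzip_setting(globals()[name]) or "ok")
```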
