Problem with ClamAVmodule

Richard Lynch rich at MAIL.WVNET.EDU
Wed Nov 17 14:43:45 GMT 2004



Julian Field wrote:

>You have found a bug, but I'm not sure it is easy to work around.
>You need to set
>Allow Password-Protected Archives = yes
>and not use a ruleset. I allow a ruleset as this is only the case when using
>the "clamavmodule" virus scanner. I guess I should put a check in there to
>ensure that this is a simple value when using clamavmodule.
>
>
I see.  You're testing the value of "Allow Password-Protected Archives"
which returns "0" since it's not "yes" (i.e. it's a file reference), and
it passes the "Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED()" parameter to
Mail::ClamAV.

Solving this is problematic.  What about adding a user supplied option
list for Mail::ClamAV in MailScanner.conf?  Then, you could make the
call without making the test on "allowpasszips".  Something like...

$results = $Clam->scan("$dirname/$childname/$filename",
           Mail::ClamAV::CL_SCAN_ARCHIVE() |
           MailScanner::Config::Value('clammodopt') |
           Mail::ClamAV::CL_SCAN_OLE2());

Then users could specify the CL_SCAN_BLOCKENCRYPTED option if they want it.  Or perhaps, don't pass the option at all since MS provides that facility on its own anyway.

Just a couple of suggestions off the top of my head -- you know better than I.  In my case I'm forced to abandon clamavmodule since I need the ability to control who can receive password protected zips.  Just using clamav works fine, I'm only using clamavmodule because of the better performance.

Thanks for clearing up what was happening.  I very much appreciate all
your efforts and it won't bother me too much if I have to quit using
clamavmodule.  It's nothing major.

Thanks,
Rich

>On 16/11/04 11:52 pm, "Richard Lynch" <rich at MAIL.WVNET.EDU> wrote:
>
>
>
>>This past weekend I upgraded our MailScanner servers to version
>>4.35.11-1 along with SA 3.0.1,  ClamAV-0.80, and Mail-ClamAV-0.13.  The
>>problem is that password protected zips always get flagged by
>>clamavmodule even when the recipient is listed as being allowed in a
>>ruleset for "Allow Password-Protected Archives".   I also have "Maximum
>>Archive Depth = 0".   The message in the maillog is...
>>
>>... ClamAVModule::INFECTED:: Encrypted.Zip:: ...
>>
>>When I run with Virus Scanners set to clamav things work as expected --
>>it's only when I use clamavmodule that I have this problem.  I suspect
>>that this is a bug in Mail-ClamAV but I suppose it could be a problem
>>with MS.  The relevant code is in  SweepViruses.pm at around line 998.  ...
>>
>>      if (MailScanner::Config::Value('allowpasszips')) { # || $haverar) {
>>        $results = $Clam->scan("$dirname/$childname/$filename",
>>                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
>>                               Mail::ClamAV::CL_SCAN_OLE2());
>>      } else {
>>        $results = $Clam->scan("$dirname/$childname/$filename",
>>                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
>>                               Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
>>                               Mail::ClamAV::CL_SCAN_OLE2());
>>      }
>>
>>The option CL_SCAN_BLOCKENCRYPTED is used by Mail-ClamAV to pass to
>>ClamAV and indicates that password protected zips should be treated as
>>infected.  It seems clear to me that MS is calling the interface
>>correctly depending on the setting of "Allow Password-Protected Archives".
>>
>>So... Is anyone else having this problem?   Am I doing something dumb?
>>(I realize that answers to these two questions are not necessarily
>>dependent :) ).
>>
>> If this is a Mail-ClamAV problem how does one get it reported?
>>
>>Thanks,
>>Rich
>>
>>--
>>
>>
>>------------------------ MailScanner list ------------------------
>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>
>>
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store
>
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

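The behaviour discussed in this thread, modelled as an added Perl example; it is not MailScanner or Mail::ClamAV code. The config model, the function names, the example addresses and the numeric flag values are assumptions made so the script runs without either package installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in flag values (constructed) so this runs without Mail::ClamAV.
use constant { CL_SCAN_ARCHIVE => 0x1, CL_SCAN_OLE2 => 0x4, CL_SCAN_BLOCKENCRYPTED => 0x8 };

# Hypothetical config model: an option is either a simple yes/no string
# or a ruleset, i.e. an ordered list of [recipient regex, yes/no] pairs.
my %config = (
    allowpasszips => [ [ qr/\@trusted\.example$/, 'yes' ], [ qr/./, 'no' ] ],
);

# Context-free lookup, as in the scanner call: a ruleset cannot be resolved
# without a recipient, so it evaluates to 0, the same as a plain "no".
sub value_without_message {
    my ($name) = @_;
    my $v = $config{$name};
    return 0 if ref $v;
    return lc($v) eq 'yes' ? 1 : 0;
}

# Per-recipient lookup: the first matching rule wins.
sub value_for_recipient {
    my ($name, $rcpt) = @_;
    my $v = $config{$name};
    return (lc($v) eq 'yes' ? 1 : 0) unless ref $v;
    for my $rule (@$v) {
        return $rule->[1] eq 'yes' ? 1 : 0 if $rcpt =~ $rule->[0];
    }
    return 0;
}

# Flag selection as in the quoted code: the engine is told to block
# encrypted archives whenever the context-free value is false.
sub scan_flags_as_posted {
    my $flags = CL_SCAN_ARCHIVE | CL_SCAN_OLE2;
    $flags |= CL_SCAN_BLOCKENCRYPTED unless value_without_message('allowpasszips');
    return $flags;
}

# Alternative raised in the thread: never pass the block flag and leave
# the password-protected-archive decision to the per-recipient policy.
sub scan_flags_policy_outside { return CL_SCAN_ARCHIVE | CL_SCAN_OLE2 }

for my $rcpt ('alice@trusted.example', 'bob@other.example') {
    printf "%-22s posted: engine blocks=%s  alternative: engine blocks=%s, policy allows=%s\n",
        $rcpt,
        (scan_flags_as_posted()      & CL_SCAN_BLOCKENCRYPTED ? 'yes' : 'no'),
        (scan_flags_policy_outside() & CL_SCAN_BLOCKENCRYPTED ? 'yes' : 'no'),
        (value_for_recipient('allowpasszips', $rcpt) ? 'yes' : 'no');
}
```

With the ruleset in place, the posted flag selection blocks encrypted archives for both recipients, while the per-recipient lookup would have allowed the first one.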
