Problem with ClamAVmodule

Ed Bruce ebruce at HPMICH.COM
Wed Nov 17 13:23:43 GMT 2004


I have this problem as well. I reported it several weeks ago but never
got an answer. I'm glad to hear this is a bug 'cause I was thinking it
must have been something I had done.

Julian Field wrote:

 You have found a bug, but I'm not sure it is easy to work around.
You need to set
Allow Password-Protected Archives = yes
and not use a ruleset. I allow a ruleset as this is only the case when using
the "clamavmodule" virus scanner. I guess I should put a check in there to
ensure that this is a simple value when using clamavmodule.

On 16/11/04 11:52 pm, "Richard Lynch" <rich at MAIL.WVNET.EDU> wrote:

  

 This past weekend I upgraded our MailScanner servers to version
4.35.11-1 along with SA 3.0.1,  ClamAV-0.80, and Mail-ClamAV-0.13.  The
problem is that password protected zips always get flagged by
clamavmodule even when the recipient is listed as being allowed in a
ruleset for "Allow Password-Protected Archives".   I also have "Maximum
Archive Depth = 0".   The message in the maillog is...

... ClamAVModule::INFECTED:: Encrypted.Zip:: ...

When I run with Virus Scanners set to clamav things work as expected --
it's only when I use clamavmodule that I have this problem.  I suspect
that this is a bug in Mail-ClamAV but I suppose it could be a problem
with MS.  The relevant code is in  SweepViruses.pm at around line 998.  ...

      if (MailScanner::Config::Value('allowpasszips')) { # || $haverar) {
        $results = $Clam->scan("$dirname/$childname/$filename",
                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
                               Mail::ClamAV::CL_SCAN_OLE2());
      } else {
        $results = $Clam->scan("$dirname/$childname/$filename",
                               Mail::ClamAV::CL_SCAN_ARCHIVE() |
                               Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
                               Mail::ClamAV::CL_SCAN_OLE2());
      }

The option CL_SCAN_BLOCKENCRYPTED is used by Mail-ClamAV to pass to
ClamAV and indicates that password protected zips should be treated as
infected.  It seems clear to me that MS is calling the interface
correctly depending on the setting of "Allow Password-Protected Archives".

So... Is anyone else having this problem?   Am I doing something dumb?
(I realize that answers to these two questions are not necessarily
dependent :) ).

 If this is a Mail-ClamAV problem how does one get it reported?

Thanks,
Rich

--


------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
    

 --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


  


 --
Ed Bruce
Health Plan of Michigan
Senior Programmer
Phone:  248.226.1512
FAX:    248.204.6569

