ClamAV and MailScanner Bug

Julian Field MailScanner at ecs.soton.ac.uk
Thu May 5 13:44:49 IST 2005


Can you try the commands I posted a while ago:

> mkdir /tmp/clamav.temptemp
> chmod go-rwx /tmp/clamav.temptemp
> /usr/local/bin/clamscan --unzip --jar --tar --tgz --deb \
>   --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .

with a copy of EICAR in the directory along with a few uninfected
files. Something is going seriously wrong with your copy of clamscan.

Please tell me what the line in your
/etc/MailScanner/virus.scanners.conf says about clamav. Also please
check that your Incoming Work Directory path has no links in it. This
is by far the most common error and would explain your symptoms.

On 5 May 2005, at 12:15, Rose, Bobby wrote:

> When I posted this issue others jumped on the thread about zip files
> and have taken this into another direction involving sober.p.  The
> issue that I was reporting was with "Virus Scanners = clamav" and it
> didn't matter what the virus was.  My tests were using eicar.doc, which
> was eicar.com just renamed to avoid filename checks.  I included log
> excerpts in my original message when using "Virus Scanners = clamav"
> and when "Virus Scanners = clamavmodule".   If I use "Virus Scanners =
> clamavmodule", then everything works, both detection and action.  If I
> use "Virus Scanners = clamav" then the only thing that works is
> detection.  It's not clamav since the virus is being detected and
> MailScanner is logging the detection.  But it's what MailScanner is
> doing after detection when using clamav versus clamavmodule.  If using
> clamavmodule, it's dropping, quarantining, warning, or whatever the
> actions may be.  If using clamav, it's not doing anything.  It says
> the message is infected and then states 1 uninfected message was
> delivered.
>
> Bobby Rose
> Senior Systems Administrator
> MSIS Network Operations
> Wayne State University School of Medicine
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Thursday, May 05, 2005 3:55 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
> On 4 May 2005, at 22:16, Chris Stone wrote:
>
>> On Wednesday 04 May 2005 02:57 pm, Julian Field wrote:
>>
>>> I just tried it with 2 Worm.Sober.P messages from my own servers,
>>> and neither of them caused any problem whatsoever. Both caught just
>>> fine. Worked with Maximum Archive Depth = 0 and with = 2.
>>
>> This problem is with MS 4.34.8 and ClamAV 0.83, ClamAV Module (latest
>> from CPAN). Max Archive Depth = 0.
>
> Chris, can you try with the latest MailScanner please. I still cannot
> find anything unusual whatsoever. You are running with
>
> Max Archive Depth = 0
> Virus Scanners = clamavmodule
> ClamAV 0.83
>
> (That's for my reference as people are not being clear as to whether
> they are using "clamav" or "clamavmodule".)
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
> archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
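
The check requested above (no links anywhere in the Incoming Work Directory path) can be done one path component at a time. This is an added example, not part of the original message or of MailScanner; the function name `symlink_components` and the sample path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: report every component of a directory path that is a
# symbolic link. Prints "component -> target" for each link found and
# returns 0 if at least one link exists, 1 if the path is link-free.
#
# Usage (path is an assumed example, use your own Incoming Work Directory):
#   symlink_components /var/spool/MailScanner/incoming

# The body runs in a subshell "( ... )" so the IFS and globbing changes
# below never leak into the caller's shell.
symlink_components() (
    path=$1
    # Make relative paths absolute so every ancestor is inspected.
    case $path in
        /*) ;;
        *)  path=$(pwd)/$path ;;
    esac

    current=""
    found=no
    IFS=/       # split the path on slashes
    set -f      # no filename expansion while splitting
    for part in $path; do
        # Skip empty fields (leading or doubled slashes) and "." entries.
        if [ -z "$part" ] || [ "$part" = "." ]; then
            continue
        fi
        current="$current/$part"
        # -L tests the component itself, without following the link.
        if [ -L "$current" ]; then
            printf '%s -> %s\n' "$current" "$(readlink "$current")"
            found=yes
        fi
    done
    [ "$found" = yes ]
)

# Run the check when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    symlink_components "$1"
fi
```

An empty result with exit status 1 means no component of the path is a link.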
