ClamAV and MailScanner Bug

Julian Field MailScanner at ecs.soton.ac.uk
Thu May 5 21:03:01 IST 2005


When printing the names of the scanned files, neither Sophos nor
clamavmodule attempts to print out the full path of the files, only the
paths of the files relative to the directory they were asked to scan.
Clamav and Mcafee (for example) print out the whole paths of the files.
I need to be able to accurately strip off that leading path so I just
have the relative paths left. I can't make many assumptions as there may
be nasty characters in the filenames trying to confuse me. So I need to
know exactly what the directory name is that I have to remove.

With the patch I just published, MailScanner now checks the "Incoming
Work Directory" to see if it is really an absolute path and does not
contain any links.

Rose, Bobby wrote:

>Ok the issue has been solved though I don't understand why clamav has
>an issue with this when clamavmodule or sophos doesn't.
>The Incoming Work Dir = /var/spool/MailScanner/incoming is softlinked to
>/tmp which is a tmpfs volume. Changing it to an absolute path does fix
>the issue when using clamav as the scanner.  As I mentioned before, I
>used to use both Sophos and clamav as the scanners but stopped using
>sophos for licensing costs.  The issue was never noticed because sophos
>didn't care about the work directory and was catching what was falling
>thru the cracks with clamav.   Using sophos or clamavmodule with the
>Incoming Work Dir using a non-absolute path worked fine, and since the
>Incoming Work Dir path that I was using in MailScanner.conf was the
>default value, there was never a moment that my scrutiny would have
>noticed the comments for that setting.
>
>-=B
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Desai, Jason
>Sent: Thursday, May 05, 2005 11:25 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: ClamAV and MailScanner Bug
>
>Julian Field wrote:
>
>
>>Please tell me what the line in your /etc/MailScanner/
>>virus.scanners.conf says about clamav. Also please check that your
>>Incoming Work Directory path has no links in it. This is by far the
>>most common error and would explain your symptoms.
>>
>>
>
>Julian, I think I've suggested this before, but don't remember hearing
>back from you about it.  Would it be possible for MailScanner (possibly
>only once at startup) to determine the real path of the Incoming Work
>Directory and use that, so that symbolic links would be allowed?
>
>Granted, people are not reading the comments in the config file, and are
>misconfiguring their servers.  But to detect and still deliver a virus
>is not a good thing.  And I think with some simple code, MailScanner
>could reduce the risk of such a misconfigured server.  What do you
>think?
>
>Jase
>
>------------------------ MailScanner list ------------------------ To
>unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>'leave mailscanner' in the body of the email.
>Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
>archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
>Support MailScanner development - buy the book off the website!

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
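
The two approaches discussed in this thread, side by side: rejecting a work directory that is not absolute or contains links, and resolving its real path before stripping the prefix. This is an added example, not MailScanner code; the function names and the temporary directory layout are constructed, and it assumes the scanner reports the resolved path of each file.

```python
import os
import tempfile

def symlink_components(path):
    """Return every prefix of `path` that is a symbolic link.
    Raises ValueError if `path` is not absolute."""
    if not os.path.isabs(path):
        raise ValueError(f"not an absolute path: {path!r}")
    links, current = [], os.sep
    for part in path.split(os.sep):
        if not part:
            continue
        current = os.path.join(current, part)
        if os.path.islink(current):
            links.append(current)
    return links

def strip_workdir(reported, workdir):
    """Strip the exact `workdir` prefix from a scanner-reported path.
    Returns None when the prefix does not match, so the caller never guesses."""
    prefix = workdir.rstrip(os.sep) + os.sep
    if not reported.startswith(prefix):
        return None
    return reported[len(prefix):]

def demo():
    # Constructed layout: <base>/incoming is a symlink to <base>/tmpfs
    base = os.path.realpath(tempfile.mkdtemp())
    real = os.path.join(base, "tmpfs")
    os.mkdir(real)
    configured = os.path.join(base, "incoming")
    os.symlink(real, configured)
    os.makedirs(os.path.join(configured, "1234"))
    # Assumption: the scanner reports the resolved path of the flagged file
    reported = os.path.join(os.path.realpath(configured), "1234", "msg.exe")
    return {
        "configured": configured,
        "links": symlink_components(configured),  # what a no-links check flags
        "naive": strip_workdir(reported, configured),  # prefix mismatch
        "resolved": strip_workdir(reported, os.path.realpath(configured)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

A `None` from `strip_workdir` is the case where a detection cannot be mapped back to a message, so it should be treated as a configuration error rather than as a clean scan.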
