clamavmodule
Rick Cooper
rcooper at DWFORD.COM
Wed Nov 23 15:22:41 GMT 2005
-----Original Message-----
From: MailScanner mailing list
[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Rodney Green
Sent: Wednesday, November 23, 2005 7:15 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: clamavmodule
Hello,
With the recent Sober outbreak I have just noticed that
ClamAV does not appear to be scanning. I'm using both
bitdefender and ClamAV and bitdefender is listed as having
detected the virus/worm but ClamAV is not. I'm using
clamavmodule, MailScanner 4.37.7, ClamAV version 0.87.1. Any
ideas why clam isn't scanning?
Settings related -
MailScanner.conf:
Virus Scanners = clamavmodule bitdefender
virus.scanners.conf:
bitdefender /usr/lib/MailScanner/bitdefender-wrapper /opt/bdc
clamav /usr/lib/MailScanner/clamav-wrapper /usr/local
clamavmodule /bin/false /tmp
Thanks,
Rod
[Rick Cooper]
OK, I noted a couple of things that could cause a problem.
MailScanner.conf
ClamAVmodule Maximum Recursion Level should be at least 8, don't
know what the default is
ClamAVmodule Maximum Compression Ratio should be at least 250,
don't know what the default is
Apply the following patch, if Julian OKs it of course, to
SweepViruses.pm. It adds CL_SCAN_BLOCKBROKEN() because, apparently,
if this is not set it may not handle several viruses correctly. The
clam author (tomitz?) was mostly concerned about the user's
maxrecursion being below 8 and flatly stated at his current setting
(I think it was one) Clam would miss a large number of malware.
Julian, do you think CL_SCAN_BLOCKBROKEN() should be a default or a
config option? Broken PE files are pretty much always malware
anyway.
================================= Cut below ==========
--- SweepViruses.pm Wed Nov 23 10:08:36 2005
+++ SweepVirusesClamFix.pm Wed Nov 23 10:09:10 2005
@@ -1023,15 +1023,17 @@
$results = $Clam->scan("$dirname/$childname/$filename",
Mail::ClamAV::CL_SCAN_STDOPT() |
Mail::ClamAV::CL_SCAN_ARCHIVE() |
Mail::ClamAV::CL_SCAN_PE() |
+ Mail::ClamAV::CL_SCAN_BLOCKBROKEN()
|
Mail::ClamAV::CL_SCAN_OLE2());
} else {
$results = $Clam->scan("$dirname/$childname/$filename",
Mail::ClamAV::CL_SCAN_STDOPT() |
Mail::ClamAV::CL_SCAN_ARCHIVE() |
Mail::ClamAV::CL_SCAN_PE() |
Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
+ Mail::ClamAV::CL_SCAN_BLOCKBROKEN()
|
Mail::ClamAV::CL_SCAN_OLE2());
}
unless ($results) {
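Review bot: CL_SCAN_BLOCKBROKEN() is OR-ed into the scan options unconditionally in both branches of the if/else, whereas CL_SCAN_BLOCKENCRYPTED() appears in only one of the two calls, so that flag is evidently selectable. Consider giving the new flag the same treatment (a MailScanner.conf option that decides whether it is added), since with it set every attachment ClamAV judges to be a broken executable is reported as infected, including files that are merely damaged. Also, in both places the "|" that follows the added line has wrapped onto a line of its own with no "+" prefix, so the patch as mailed will not apply cleanly; resend it as an attachment or with line wrapping disabled.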
======================== End Cut ======================
Rick
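Added example (not part of Rick's message and not MailScanner code): a small Python check that reads MailScanner.conf text and flags the two ClamAVmodule limits when they fall below the minimums suggested above, and also reports when clamavmodule is missing from Virus Scanners. Matching option names without regard to case or spacing, the handling of non-numeric values, and the sample fragment are assumptions made for this illustration.

```python
import re

# Minimums taken from the advice in the message above.
MINIMUMS = {
    "ClamAVmodule Maximum Recursion Level": 8,
    "ClamAVmodule Maximum Compression Ratio": 250,
}

def _norm(key):
    return re.sub(r"[^a-z0-9]", "", key.lower())  # assumption: ignore case/spacing

def parse_conf(text):
    # Collect 'Key = Value' lines; later lines override earlier ones here.
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[_norm(key)] = value.strip()
    return settings

def audit(text):
    # Returns a list of (option, status, detail) tuples.
    settings = parse_conf(text)
    findings = []
    for option, minimum in MINIMUMS.items():
        raw = settings.get(_norm(option))
        if raw is None:
            findings.append((option, "missing", "not set; default unknown"))
        elif not raw.isdigit():
            findings.append((option, "unchecked", f"non-numeric value {raw!r}"))
        elif int(raw) < minimum:
            findings.append((option, "low", f"{raw} < {minimum}"))
        else:
            findings.append((option, "ok", raw))
    if "clamavmodule" not in settings.get(_norm("Virus Scanners"), "").split():
        findings.append(("Virus Scanners", "missing", "clamavmodule not listed"))
    return findings

# Constructed sample, not a real configuration.
SAMPLE = """\
# constructed MailScanner.conf fragment
Virus Scanners = clamavmodule bitdefender
ClamAVmodule Maximum Recursion Level = 5
clamavmodule maximum compression ratio = 250   # lower-case on purpose
"""

if __name__ == "__main__":
    for option, status, detail in audit(SAMPLE):
        print(f"{status:9} {option}: {detail}")
```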