clamavmodule

Julian Field MailScanner at ecs.soton.ac.uk
Wed Nov 23 17:48:15 GMT 2005


That sounds good to me. Will all be in the next release.

Rick Cooper wrote:

>  
>
>     -----Original Message-----
>     *From:* MailScanner mailing list
>     [mailto:MAILSCANNER at JISCMAIL.AC.UK]*On Behalf Of *Rodney Green
>     *Sent:* Wednesday, November 23, 2005 7:15 AM
>     *To:* MAILSCANNER at JISCMAIL.AC.UK
>     *Subject:* clamavmodule
>
>     Hello,
>
>     With the recent Sober outbreak I have just noticed that ClamAV
>     does not appear to be scanning. I'm using both bitdefender and
>     ClamAV and bitdefender is listed as having detected the virus/worm
>     but ClamAV is not. I'm using clamavmodule, MailScanner 4.37.7,
>     ClamAV version 0.87.1. Any ideas why clam isn't scanning?
>
>     Settings related -
>
>     MailScanner.conf:
>         Virus Scanners = clamavmodule bitdefender
>
>     virus.scanners.conf:
>         bitdefender     /usr/lib/MailScanner/bitdefender-wrapper /opt/bdc
>         clamav          /usr/lib/MailScanner/clamav-wrapper     /usr/local
>         clamavmodule    /bin/false                              /tmp
>        
>
>     Thanks,
>     Rod
>
>     [Rick Cooper] 
>      
>     Ok I noted a couple of things that could cause a problem.
>     MailScanner.conf
>      
>     ClamAVmodule Maximum Recursion Level should be at least 8, don't
>     know what the default is
>     ClamAVmodule Maximum Compression Ratio should be at least 250,
>     don't know what the default is
>      
>     Apply the following patch, if Julian ok's it of course, to
>     SweepViruses.pm. It adds CL_SCAN_BLOCKBROKEN() because,
>     apparently, if this is not set it may not handle several viruses
>     correctly. The clam author (tomitz?) was mostly concerned about
>     the user's maxrecursion being below 8 and flatly stated at his
>     current setting (I think it was one) Clam would miss a large
>     number of malware.
>      
>     Julian, do you think CL_SCAN_BLOCKBROKEN() should be a default or
>     a config option? Broken PE files are pretty much always malware
>     anyway.
>      
>     ================================= Cut below ==========
>     --- SweepViruses.pm     Wed Nov 23 10:08:36 2005
>     +++ SweepVirusesClamFix.pm      Wed Nov 23 10:09:10 2005
>     @@ -1023,15 +1023,17 @@
>              $results = $Clam->scan("$dirname/$childname/$filename",
>                                     Mail::ClamAV::CL_SCAN_STDOPT() |
>                                     Mail::ClamAV::CL_SCAN_ARCHIVE() |
>                                     Mail::ClamAV::CL_SCAN_PE() |
>     +                               Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
>                                     Mail::ClamAV::CL_SCAN_OLE2());
>            } else {
>              $results = $Clam->scan("$dirname/$childname/$filename",
>                                     Mail::ClamAV::CL_SCAN_STDOPT() |
>                                     Mail::ClamAV::CL_SCAN_ARCHIVE() |
>                                     Mail::ClamAV::CL_SCAN_PE() |
>                                    
>     Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
>     +                               Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
>                                     Mail::ClamAV::CL_SCAN_OLE2());
>            }
>      
>            unless ($results) {
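
Review bot: CL_SCAN_BLOCKBROKEN() is OR-ed into both scan() calls unconditionally, so once this is applied there is no way for a site to switch the blocking of broken executables off, which is exactly the default-versus-option question asked just above the patch. The two calls already differ only by CL_SCAN_BLOCKENCRYPTED(), so the flag set is evidently chosen per configuration; I would gate the new flag the same way behind its own MailScanner.conf setting and document what it blocks. Building the option mask once in a variable and adding the conditional flags to it would also avoid repeating the same list in both branches. Separately, the context line carrying CL_SCAN_BLOCKENCRYPTED() has been wrapped by the mail client, so the hunk may not apply cleanly until that line is rejoined.
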
>     ======================== End Cut ======================
>      
>     Rick
>
>  
> -- 
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/)
> and the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> *Support MailScanner development - buy the book off the website!*


-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
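
A check for the two MailScanner.conf minimums Rick Cooper suggests in the quoted reply, plus clamavmodule being listed in Virus Scanners, as an added example that is not part of the original thread or of MailScanner. The key matching (case and spacing ignored), the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Minimums suggested in Rick Cooper's reply; key names as written there.
MINIMUMS = {
    "ClamAVmodule Maximum Recursion Level": 8,
    "ClamAVmodule Maximum Compression Ratio": 250,
}

def norm(key):
    # Assumption: keys are compared ignoring case and spacing.
    return re.sub(r"[^a-z0-9]", "", key.lower())

def parse_conf(text):
    """Return {normalised key: value} for 'Key = Value' lines; '#' starts a comment."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[norm(key)] = value.strip()
    return settings

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = []
    scanners = conf.get(norm("Virus Scanners"), "").split()
    if "clamavmodule" not in scanners:
        findings.append("clamavmodule is not listed in Virus Scanners")
    for key, minimum in MINIMUMS.items():
        raw = conf.get(norm(key))
        if raw is None:
            findings.append(f"{key}: not set in this file")
        elif not raw.isdigit():
            # Could be a ruleset path or a variable; a person has to look.
            findings.append(f"{key}: '{raw}' is not a plain number, check by hand")
        elif int(raw) < minimum:
            findings.append(f"{key}: {raw} is below {minimum}")
    return findings

# Constructed sample, not a real site's configuration.
SAMPLE = """\
Virus Scanners = clamavmodule bitdefender
ClamAVmodule Maximum Recursion Level = 5   # too shallow
#ClamAVmodule Maximum Compression Ratio = 250
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

A setting reported as not set falls back to whatever default the installed MailScanner version ships, which the thread does not state.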

