clamavmodule
Jeff A. Earickson
jaearick at COLBY.EDU
Tue Nov 29 15:50:34 GMT 2005
Gang,
I boosted the Clamavmodule Recursion level to 8, applied the patch
below, switched from clamav to clamavmodule and back again -- nothing.
Clam refuses to catch the Sober.U/Sober-Z virus for me. Sophos is
on the job though. My setup: Solaris 9, ClamAV 0.87.1, MS 4.47.4,
sophos 3.99. <head scratch>
Jeff Earickson
Colby College
On Wed, 23 Nov 2005, Rick Cooper wrote:
> Date: Wed, 23 Nov 2005 10:22:41 -0500
> From: Rick Cooper <rcooper at DWFORD.COM>
> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: clamavmodule
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Rodney Green
> Sent: Wednesday, November 23, 2005 7:15 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: clamavmodule
>
>
> Hello,
>
> With the recent Sober outbreak I have just noticed that ClamAV does not appear to be scanning. I'm using both bitdefender and ClamAV and bitdefender is listed as having detected the virus/worm but ClamAV is not. I'm using clamavmodule, MailScanner 4.37.7, ClamAV version 0.87.1. Any ideas why clam isn't scanning?
[snip]
>
> [Rick Cooper]
>
> Ok I noted a couple of things that could cause a problem. MailScanner.conf
>
> ClamAVmodule Maximum Recursion Level should be at least 8, don't know what the default is
> ClamAVmodule Maximum Compression Ratio should be at least 250, don't know what the default is
>
> Apply the following patch, if Julian ok's it of course, to SweepViruses.pm. It adds CL_SCAN_BLOCKBROKEN() because, apparently, if this is not set it may not handle several viruses correctly. The clam author (tomitz?) was mostly concerned about the user's maxrecursion being below 8 and flatly stated that at his current setting (I think it was one) Clam would miss a large number of malware.
>
> Julian, do you think CL_SCAN_BLOCKBROKEN() should be a default or a config option? Broken PE files are pretty much always malware anyway.
>
> ================================= Cut below ==========
> --- SweepViruses.pm Wed Nov 23 10:08:36 2005
> +++ SweepVirusesClamFix.pm Wed Nov 23 10:09:10 2005
> @@ -1023,15 +1023,17 @@
> $results = $Clam->scan("$dirname/$childname/$filename",
> Mail::ClamAV::CL_SCAN_STDOPT() |
> Mail::ClamAV::CL_SCAN_ARCHIVE() |
> Mail::ClamAV::CL_SCAN_PE() |
> + Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
> Mail::ClamAV::CL_SCAN_OLE2());
> } else {
> $results = $Clam->scan("$dirname/$childname/$filename",
> Mail::ClamAV::CL_SCAN_STDOPT() |
> Mail::ClamAV::CL_SCAN_ARCHIVE() |
> Mail::ClamAV::CL_SCAN_PE() |
> Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
> + Mail::ClamAV::CL_SCAN_BLOCKBROKEN() |
> Mail::ClamAV::CL_SCAN_OLE2());
> }
>
> unless ($results) {
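Review bot: CL_SCAN_BLOCKBROKEN() is hard-coded into both scan() calls, so once this is applied there is no way to turn it off short of editing SweepViruses.pm again. CL_SCAN_BLOCKENCRYPTED() appears only in the else branch, so it is evidently selected by a condition outside this hunk; I would gate the new flag the same way behind its own MailScanner.conf setting, and add a comment saying what it changes about the scan result. The two option lists now differ by a single flag, so building the mask once in a variable and OR-ing in the optional flags would avoid having to keep the two lists in sync by hand.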
>
> ======================== End Cut ======================
>
> Rick
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
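An added example, not part of the original thread or of MailScanner's own code: a Python check that reads the text of a MailScanner.conf and reports whether the two ClamAVmodule limits named above meet the minimums Rick quotes (8 and 250). The function name `audit_mailscanner_conf`, the `key = value` / `#` comment parsing and the case- and spacing-insensitive key matching are assumptions; the sample configuration is constructed.

```python
import re

# Minimums recommended in the thread above (option names as written there).
MINIMUMS = {
    "ClamAVmodule Maximum Recursion Level": 8,
    "ClamAVmodule Maximum Compression Ratio": 250,
}

def _norm(key):
    # Assumption: option names match regardless of case and spacing.
    return re.sub(r"[^a-z0-9]", "", key.lower())

def audit_mailscanner_conf(text):
    """Return {option: (values_found, status)} for the options in MINIMUMS.

    status is "missing", "review" (non-numeric value, e.g. a ruleset path),
    "too-low" or "ok". Every assignment is checked, so a low duplicate
    further down the file is still reported.
    """
    wanted = {_norm(name): name for name in MINIMUMS}
    found = {name: [] for name in MINIMUMS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        name = wanted.get(_norm(key))
        if name:
            found[name].append(value.strip())
    report = {}
    for name, values in found.items():
        if not values:
            status = "missing"  # built-in default applies; the thread does not say what it is
        elif not all(v.isdigit() for v in values):
            status = "review"
        elif min(int(v) for v in values) < MINIMUMS[name]:
            status = "too-low"
        else:
            status = "ok"
        report[name] = (values, status)
    return report

# Constructed sample input, not taken from a real system.
SAMPLE_CONF = """\
# ClamAVmodule Maximum Recursion Level = 8
ClamAVmodule Maximum Recursion Level = 5
clamavmodule  maximum compression ratio=250
Virus Scanners = clamavmodule sophos
"""

if __name__ == "__main__":
    for option, (values, status) in audit_mailscanner_conf(SAMPLE_CONF).items():
        print(f"{status:8} {option} = {values} (minimum {MINIMUMS[option]})")
```

A "missing" result means the option is not set in the file at all, which is the case Rick could not vouch for ("don't know what the default is"), so it deserves the same attention as "too-low".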