clamavmodule
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Nov 29 15:59:08 GMT 2005
If you quarantine the attachment, then run clamscan on it by hand,
what do you get?
On 29 Nov 2005, at 15:50, Jeff A. Earickson wrote:
> Gang,
>
> I boosted the Clamavmodule Recursion level to 8, applied the patch
> below, switched from clamav to clamavmodule and back again -- nothing.
> Clam refuses to catch the Sober.U/Sober-Z virus for me. Sophos is
> on the job though. My setup: Solaris 9, ClamAV 0.87.1, MS 4.47.4,
> sophos 3.99. <head scratch>
>
> Jeff Earickson
> Colby College
>
> On Wed, 23 Nov 2005, Rick Cooper wrote:
>
>> Date: Wed, 23 Nov 2005 10:22:41 -0500
>> From: Rick Cooper <rcooper at DWFORD.COM>
>> Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: clamavmodule
>>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]
>> On Behalf Of Rodney Green
>> Sent: Wednesday, November 23, 2005 7:15 AM
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: clamavmodule
>>
>>
>> Hello,
>>
>> With the recent Sober outbreak I have just noticed that ClamAV
>> does not appear to be scanning. I'm using both bitdefender and
>> ClamAV and bitdefender is listed as having detected the virus/worm
>> but ClamAV is not. I'm using clamavmodule, MailScanner 4.37.7,
>> ClamAV version 0.87.1. Any ideas why clam isn't scanning?
> [snip]
>>
>> [Rick Cooper]
>>
>> Ok I noted a couple of things that could cause a problem.
>> MailScanner.conf
>>
>> ClamAVmodule Maximum Recursion Level should be at least 8, don't
>> know what the default is
>> ClamAVmodule Maximum Compression Ratio should be at least 250,
>> don't know what the default is
>>
>> Apply the following patch, if Julian ok's it of course, to
>> SweepViruses.pm. It adds CL_SCAN_BLOCKBROKEN() because,
>> apparently, if this is not set it may not handle several viruses
>> correctly. The clam author (tomitz?) was mostly concerned about
>> the user's maxrecursion being below 8 and flatly stated at his
>> current setting (I think it was one) Clam would miss a large
>> number of malware.
>>
>> Julian, do you think CL_SCAN_BLOCKBROKEN() should be a default or
>> a config option? Broken PE files are pretty much always malware
>> anyway.
>>
>> ================================= Cut below ==========
>> --- SweepViruses.pm Wed Nov 23 10:08:36 2005
>> +++ SweepVirusesClamFix.pm Wed Nov 23 10:09:10 2005
>> @@ -1023,15 +1023,17 @@
>> $results = $Clam->scan("$dirname/$childname/$filename",
>> Mail::ClamAV::CL_SCAN_STDOPT() |
>> Mail::ClamAV::CL_SCAN_ARCHIVE() |
>> Mail::ClamAV::CL_SCAN_PE() |
>> + Mail::ClamAV::CL_SCAN_BLOCKBROKEN
>> () |
>> Mail::ClamAV::CL_SCAN_OLE2());
>> } else {
>> $results = $Clam->scan("$dirname/$childname/$filename",
>> Mail::ClamAV::CL_SCAN_STDOPT() |
>> Mail::ClamAV::CL_SCAN_ARCHIVE() |
>> Mail::ClamAV::CL_SCAN_PE() |
>>
>> Mail::ClamAV::CL_SCAN_BLOCKENCRYPTED() |
>> + Mail::ClamAV::CL_SCAN_BLOCKBROKEN
>> () |
>> Mail::ClamAV::CL_SCAN_OLE2());
>> }
>>
>> unless ($results) {
>>
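Review bot: In both scan() calls CL_SCAN_BLOCKBROKEN() is OR'd in unconditionally, while CL_SCAN_BLOCKENCRYPTED() appears only in the else branch, so a site has no way to switch the new flag off. Consider selecting it from a MailScanner.conf setting, in the same way the if/else here selects the encrypted-archive flag, because with it set Clam reports any executable it judges broken rather than only files matching a signature. Separately, both added lines are wrapped so that the "()" lands on a following line with no "+" marker, and the CL_SCAN_BLOCKENCRYPTED() context line is wrapped as well; as posted the hunk will not apply, so resend it unwrapped or as an attachment.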
>> ======================== End Cut ======================
>>
>> Rick
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654