stopping clamav detecting encrypted zip files

Aaron K. Moore amoore at dekalbmemorial.com
Wed Apr 4 17:04:28 IST 2007


Gareth wrote:
> On Wed, 2007-04-04 at 16:05, am.lists wrote:
>> On 4/4/07, Gareth <list-mailscanner at linguaphone.com> wrote:
>>> I use mailscanner to manage the quarantine.
>>> The problem that I am getting is that clamav is detecting encrypted
>>> zip files as a virus. The only config file I can find is in
>>> /usr/local/clamd.conf which says that feature is disabled by default
>>> and I have the line commented out.
>>> 
>>> Any ideas?
>>> 
>> 
>> Yes. It's in /etc/MailScanner.conf (or wherever your MailScanner.conf
>> is)
>> 
>> # Should encrypted messages be blocked?
>> # This is useful if you are wary about your users sending encrypted
>> # messages to your competition.
>> # This can be a ruleset so you can block encrypted message to certain domains.
>> Block Encrypted Messages = no
> 
> I have that set to yes which is what I want. Mailscanner detects it
> as an encrypted zip and blocks it. 
> The problem I have is that clamav also detects it as a virus and so I
> am unable to release the message using mailwatch as it is classed as
> dangerous content.  

Are you using the clamavmodule?  I've had the same problem.  There's a
commandline switch to turn that notice off when using clamscan, but not
with the module.  I'd suggested earlier that someone should add code for
clamav, like the code for Sophos that allows you to specify messages to
ignore.

The behaviour in MailWatch is to prevent the release of anything with a
virus, which is generally a good thing to do.  Especially if you're
allowing your users to release their own messages.  Since MailScanner
thinks an encrypted file warning from ClamAV is a virus and flags
the message as such, it cannot be released.

In order to release it, you'll need to manually modify the entry in the
MailWatch database for that message to clear the virusinfected flag.

$ mysql -u username -p
username's password: ***********

mysql> use mailscanner;
mysql> update maillog set virusinfected=0 where id='xxxxxxxxxxx';
mysql> quit

Replace xxxxxxxxxxx with the message id.

You should now be able to release the message through MailWatch.

-- 
Aaron Kent Moore
Information Technology Services
DeKalb Memorial Hospital, Inc.
Auburn, Indiana
Phone:  260.920.2808
E-Mail:  amoore at dekalbmemorial.com
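The quoted MailScanner.conf comment above notes that "Block Encrypted Messages" can point at a ruleset instead of a plain yes/no, so that encrypted mail is blocked only towards selected domains while everything else passes and never reaches the MailWatch release problem discussed in this thread. The following is an added example, not part of any message in this thread; it assumes MailScanner's standard ruleset syntax (one "Direction: pattern value" line per rule, with a mandatory default line) and uses a placeholder domain.

```text
# In MailScanner.conf (added example): point the setting at a ruleset file
# instead of a fixed yes/no. %rules-dir% is MailScanner's rules directory.
Block Encrypted Messages = %rules-dir%/block.encrypted.rules

# %rules-dir%/block.encrypted.rules (added example):
# Block encrypted attachments only when addressed to the placeholder
# domain; let all other encrypted mail through so it is not quarantined.
# Rules are evaluated top to bottom; the first match wins, and the
# "default" line must be last.
To:        *@competitor.example    yes
FromOrTo:  default                 no
```

With this in place, an encrypted zip sent to competitor.example is still quarantined by MailScanner, while the same attachment to any other destination is delivered and nothing needs to be edited in the MailWatch database afterwards. Note that this controls only MailScanner's own encrypted-message check; ClamAV's separate handling of encrypted archives is governed by its clamd.conf and is unaffected.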

