clamd configuration?

Rick Cooper rcooper at dwford.com
Wed Jul 4 16:23:11 IST 2007


 

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of Chris Yuzik
 > Sent: Tuesday, July 03, 2007 10:51 PM
 > To: MailScanner discussion
 > Subject: Re: clamd configuration?
 > 
[...]

 > Rick,
 > 
 > Ok, here you go. I put MailScanner into debug mode, did a lint, plopped
 > a message with the eicar test file into the inqueue, etc. Looks like
 > clamd is called and the messages handed off, but it doesn't find the
 > virus.
 > 
 > Chris
 > 

Ok, sorry to be so spotty on returns. My mother-in-law passed away Fri and
the weekend through last night was spent with all the duties entailed with
such an event (and of course my wife and kids). My guess is permissions are
insufficient; check the user that clamd is running under. If it's not root,
then make sure you have added the correct MailScanner config params at the
working dir setup or add the MS user to clam's group and turn on
supplementary groups in the clamd.conf. I am testing with a situation where
I am running the daemon with insufficient perms now and I get "Access
denied. ERROR" from the daemon; however, the line:

	elsif ($rest =~ /^.+\sERROR$/) {

is not catching the above (because $rest is empty), thus it's falling
through to

	      } else {
        print "CLEAN:: :: $dirname/$childname/$filename\n";

which it should never do, IMHO. I clipped this from the clamavmodule code so
perhaps clamavmodule does return other items. 

Julian, I really haven't the time to D/L and patch the release code, perhaps
you can add the following:

	  # If we get an access denied error then print the properly
	  # formatted error and leave
	  print "ERROR::Permissions Problem Clamd was denied access to " .
			   "$ScanDir::$ScanDir\n"
			   if $results =~ /\.\/Access denied. ERROR/;
	  last if $results =~ /\.\/Access denied. ERROR/;

Above:
	next if $results =~ /^\.\/OK/;
(about line 3316 or so in SweepViruses.pm)

as this will catch the access denied line. Since I took the logic from
clamavmodule I never thought about permission problems which clamavmodule
couldn't have (I would think). This will cause the parser to see the error,
but bear in mind any error in the parser results in MailScanner flagging the
message as having a virus in the log, but it passes the attachment by
because there is no filename to flag. It does generate an obvious error that
any semi-alert admin will catch, however:

ERROR::Permissions Problem Clamd was denied access to /dev/shm/15408

Julian: I think the section that results in:
	print "CLEAN:: :: $dirname/$childname/$filename\n"; 
should be changed to
	print "ERROR::UNKNOWN RETURN FROM CLAMD $result :: $ScanDir\n";

As we catch OK/ERROR/INFECTED above it and anything else has to be a
problem. 

Sorry for not having caught that possibility sooner. Also sorry if this post
is less than coherent. If Julian hasn't the time to post a patch then I
should be able to get to it by the weekend as some rather large projects are
piling up on me due to death and holiday (which I really shouldn't work this
time).

Rick
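
The fail-closed handling argued for in the message above, as an added example that is not part of the original post or of MailScanner's code. The helper name `classify_clamd_reply`, the status labels and the sample reply lines are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of SweepViruses.pm): classify one clamd
# reply line. A file is clean only when the line explicitly ends in
# ": OK"; every unrecognised reply is an error, so nothing falls through
# to CLEAN.
sub classify_clamd_reply {
    my ($line) = @_;
    $line = '' unless defined $line;
    $line =~ s/\s+\z//;    # drop trailing CR/LF and blanks

    return ('ERROR',    'empty reply from clamd') if $line eq '';
    return ('ERROR',    $line)                    if $line =~ /\bERROR\z/;
    return ('INFECTED', $1)                       if $line =~ /: (\S.*) FOUND\z/;
    return ('CLEAN',    '')                       if $line =~ /: OK\z/;
    return ('ERROR',    "unknown return from clamd: $line");
}

# Constructed sample replies, not captured from a real daemon.
my @replies = (
    "/dev/shm/15408/1/readme.txt: OK\n",
    "/dev/shm/15408/2/eicar.com: Eicar-Test-Signature FOUND\n",
    "./Access denied. ERROR\n",    # the reply discussed in the message
    "UNKNOWN COMMAND\n",           # anything unexpected
    "",                            # connection dropped mid-scan
);

my $errors = 0;
for my $reply (@replies) {
    my ($status, $detail) = classify_clamd_reply($reply);
    $errors++ if $status eq 'ERROR';
    printf "%-8s %s\n", $status, $detail;
}

# A batch with any ERROR must not be reported as scanned clean.
print "batch incomplete: $errors reply line(s) could not be trusted\n"
    if $errors;
```

With these samples the last three replies are all reported as ERROR, where a parser with a default CLEAN branch would have passed them.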


