UNKNOWN CLAMD RETURN

UxBoD uxbod at splatnix.net
Thu Jul 19 13:11:21 IST 2007


Rick,

SA is missing a lot of these whereas SANE is picking them up.  I have changed the code to be :-

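# $filename ends in " FOUND" and $rest is empty: the fields arrived one
# position early, so shift them along and use 'header' as the child name.
if ($filename =~ /.+?\sFOUND$/ && $rest eq '') {
    $rest = $filename;
    $filename = $childname;
    $childname = 'header';
}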

instead of using a '.' as it may get pattern matched later on.

----- Original Message -----
From: "Rick Cooper" <rcooper at dwford.com>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, July 19, 2007 12:54:28 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN

 

 > -----Original Message-----
 > From: mailscanner-bounces at lists.mailscanner.info 
 > [mailto:mailscanner-bounces at lists.mailscanner.info] On 
 > Behalf Of UxBoD
 > Sent: Thursday, July 19, 2007 7:36 AM
 > To: MailScanner discussion
 > Subject: Re: UNKNOWN CLAMD RETURN
 > 
 > Rick,
 > 
 > Here is the output :-
 > 
 > [root at bianchi tmp]# clamscan /tmp/eicar.com 
 > /tmp/eicar.com: Eicar-Test-Signature FOUND
 > 
 > ----------- SCAN SUMMARY -----------
 > Known viruses: 154131
 > Engine version: 0.91.1
 > Scanned directories: 0
 > Scanned files: 1
 > Infected files: 1
 > Data scanned: 0.00 MB
 > Time: 1.491 sec (0 m 1 s)
 > [root at bianchi tmp]# clamdscan /tmp/eicar.com 
 > /tmp/eicar.com: Eicar-Test-Signature FOUND
 > 
 > ----------- SCAN SUMMARY -----------
 > Infected files: 1
 > Time: 0.000 sec (0 m 0 s)
 > 
 > But as it is the header then that is probably why it is not 
 > giving a filename that has been scanned.


[..]

I am kind of wondering if the file(s) in ./ shouldn't be ignored, I believe
(Julian?) the only file in the ./ dir is the header file and the only rules
that would trigger on a header file would be the SaneSecurity spam sigs.

Julian, do you agree with skipping anything in the root of the ScanDir and
let SA catch it (hopefully), or mark the entire message as bad?

Rick


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
