Small problem after ClamAV upgrade

Plant, Dean dean.plant at roke.co.uk
Wed Mar 7 16:30:08 CET 2007


Firstly, quick thanks to Phil Randal for posting the changes required to
make an install-Clam-0.90.1-SA-3.1.8.tar.gz in Julian's absence.

Now my problem.

After upgrading to Mail-ClamAV-0.20 & ClamAV 0.90.1 I have a small issue
with attachments in a mail detected as broken executables. I know I can
report these to ClamAV, but as I have never (knowingly) had this option
turned on, I would like it turned off.

The original mail virus scanned without problem but was quarantined as
we don't allow executables. When I try to release the mail from
quarantine (Mailwatch) the mail is blocked as ClamAV detects it as a
broken executable. It seems like I have the option "--detect-broken"
turned on but I am not sure where. Any ideas?

In /etc/MailScanner/MailScanner.conf

Virus Scanners = clamavmodule

A clamscan is fine

# clamscan ./*
./backup.exe: OK
./decdisk.exe: OK
./dispefs.exe: OK
./message: OK
./PD 8_01_01.zip: OK

Setting --detect-broken shows ClamAV incorrectly detecting the files as
broken.

# clamscan --detect-broken ./*
./backup.exe: Broken.Executable FOUND
./decdisk.exe: Broken.Executable FOUND
./dispefs.exe: Broken.Executable FOUND
./message: Broken.Executable FOUND
./PD 8_01_01.zip: Broken.Executable FOUND

Using the MailScanner clamav-wrapper is ok

# /usr/lib/MailScanner/clamav-wrapper /usr/local/ /var/spool/MailScanner/quarantine/20070307/l278IMl1006594
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/message: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/backup.exe: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/decdisk.exe: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/dispefs.exe: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/PD 8_01_01.zip: OK

From /var/log/maillog

Mar  7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/dispefs.exe
Mar  7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/decdisk.exe
Mar  7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/backup.exe
Mar  7 08:19:21 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/PD 8_01_01.zip

Dean
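
An added example, not part of the original post and not MailScanner code: a small triage script that reads maillog entries in the format shown above and lists the messages whose only ClamAVModule detections are Broken.Executable, the result that clamscan gives in the post only with --detect-broken. The sample log is constructed; its last entry, message id and signature name are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the format shown in the post (syslog records wrapped
# onto two lines); the last entry and its signature name are made up.
SAMPLE_LOG = """\
Mar  7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED::
Broken.Executable:: ./l278IMl1006594/dispefs.exe
Mar  7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED::
Broken.Executable:: ./l278IMl1006594/backup.exe
Mar  7 08:19:21 rsys002x MailScanner[11252]: ClamAVModule::INFECTED::
Broken.Executable:: ./l278IMl1006594/PD 8_01_01.zip
Mar  7 08:20:02 rsys002x MailScanner[11252]: ClamAVModule::INFECTED::
Example.Signature-1:: ./l278JAAA000001/invoice.exe
"""

SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
DETECTION = re.compile(
    r"ClamAVModule::INFECTED::\s*(?P<sig>\S+?)::\s*\./(?P<msg>[^/]+)/(?P<file>.+)$"
)

def unwrap(text):
    """Rejoin syslog records that were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        if SYSLOG_START.match(line) or not records:
            records.append(line.rstrip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def detections_by_message(text):
    """Map message id -> list of (signature, filename) from ClamAVModule."""
    found = defaultdict(list)
    for record in unwrap(text):
        m = DETECTION.search(record)
        if m:
            found[m["msg"]].append((m["sig"], m["file"]))
    return dict(found)

def broken_only(text):
    """Message ids for which every detection is Broken.Executable."""
    return sorted(
        msg for msg, hits in detections_by_message(text).items()
        if all(sig == "Broken.Executable" for sig, _ in hits)
    )

if __name__ == "__main__":
    print(broken_only(SAMPLE_LOG))
```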


