Small problem after ClamAV upgrade
Plant, Dean
dean.plant at roke.co.uk
Wed Mar 7 16:30:08 CET 2007
Firstly, quick thanks to Phil Randal for posting the changes required to
make an install-Clam-0.90.1-SA-3.1.8.tar.gz in Julian's absence.
Now my problem.
After upgrading to Mail-ClamAV-0.20 & ClamAV 0.90.1 I have a small issue
with attachments in a mail detected as broken executables. I know I can
report these to ClamAV but as I have never (knowingly) had this option
turned on would like it turned off.
The original mail virus scanned without problem but was quarantined as
we don't allow executables. When I try to release the mail from
quarantine (Mailwatch) the mail is blocked as ClamAV detects it as a
broken executable. It seems like I have the option "--detect-broken"
turned on but I am not sure where. Any ideas?
In /etc/MailScanner/MailScanner.conf
Virus Scanners = clamavmodule
A clamscan is fine
# clamscan ./*
./backup.exe: OK
./decdisk.exe: OK
./dispefs.exe: OK
./message: OK
./PD 8_01_01.zip: OK
Setting --detect-broken shows ClamAV incorrectly detecting the files as
broken.
# clamscan --detect-broken ./*
./backup.exe: Broken.Executable FOUND
./decdisk.exe: Broken.Executable FOUND
./dispefs.exe: Broken.Executable FOUND
./message: Broken.Executable FOUND
./PD 8_01_01.zip: Broken.Executable FOUND
Using the MailScanner clamav-wrapper is ok
# /usr/lib/MailScanner/clamav-wrapper /usr/local/ /var/spool/MailScanner/quarantine/20070307/l278IMl1006594
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/message: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/backup.exe: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/decdisk.exe: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/dispefs.exe: OK
/var/spool/MailScanner/quarantine/20070307/l278IMl1006594/PD 8_01_01.zip: OK
From /var/log/maillog
Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/dispefs.exe
Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/decdisk.exe
Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/backup.exe
Mar 7 08:19:21 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/PD 8_01_01.zip
Dean
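
The comparison made in the message above (files clean under plain clamscan, flagged only with --detect-broken, and logged by ClamAVModule as Broken.Executable) can be checked mechanically. This Python sketch is an added example, not part of the original post or of MailScanner; the function names are hypothetical and the sample inputs are constructed, modelled on the output quoted in the message.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the output quoted in the post.
BASELINE = """\
./backup.exe: OK
./PD 8_01_01.zip: OK
"""
WITH_BROKEN = """\
./backup.exe: Broken.Executable FOUND
./PD 8_01_01.zip: Broken.Executable FOUND
"""
MAILLOG = """\
Mar 7 08:19:16 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/backup.exe
Mar 7 08:19:21 rsys002x MailScanner[11252]: ClamAVModule::INFECTED:: Broken.Executable:: ./l278IMl1006594/PD 8_01_01.zip
"""

# "path: OK" or "path: SIGNATURE FOUND"; paths may contain spaces.
SCAN_RE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")
# "ClamAVModule::INFECTED:: SIGNATURE:: ./<message id>/<attachment>"
LOG_RE = re.compile(
    r"ClamAVModule::INFECTED::\s*(?P<sig>\S+?)::\s*\./(?P<msg>[^/]+)/(?P<file>.+)$")

def parse_scan(text):
    """Map each scanned path to its signature name, or None for OK."""
    out = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line.strip())
        if m:
            out[m.group("path")] = m.group("sig")
    return out

def heuristic_only(baseline, flagged):
    """Paths clean in the plain run but Broken.Executable with --detect-broken."""
    base, flag = parse_scan(baseline), parse_scan(flagged)
    return sorted(p for p, sig in flag.items()
                  if sig == "Broken.Executable" and p in base and base[p] is None)

def messages_blocked_only_by_heuristic(maillog):
    """Message IDs whose every ClamAVModule hit is Broken.Executable."""
    sigs = defaultdict(set)
    for line in maillog.splitlines():
        m = LOG_RE.search(line)
        if m:
            sigs[m.group("msg")].add(m.group("sig"))
    return sorted(msg for msg, s in sigs.items() if s == {"Broken.Executable"})
```

A message that also carries a hit under any other signature name is left out of the second list, so it is not treated as blocked by the broken-executable check alone.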