ClamAV suggestion

Glenn Steen glenn.steen at gmail.com
Fri Mar 9 19:35:43 CET 2007


On 09/03/07, Fabio Pedretti <pedretti at eco.unibs.it> wrote:
> Hi,
> I am using MailScanner 4.44.6 (I know it's old, but seems that my
> suggestions are not implemented in current code) with clamscan 0.90.1
> (not Mail::Clam module). I have some suggestions for using it with
> clamav:
This simply cannot be the sole reason to hold off an upgrade.
You should seriously consider spending the approximately 10 minutes it
takes to perform and perhaps 30 minutes it takes to adjust defaults to
new settings afterward. How to perform an upgrade is mentioned in the
MAQ.

> 1) clamscan is called with the option --disable-summary , which is
> deprecated. --no-summary should be used instead.
I would assume this is the same in the latest MS since it predates the
0.90 release of clamav... And since Jules is hospitalised at the
moment, I wouldn't expect any adjustment to this in the near future...
But having said that, it is quite simple to do yourself:
Simply edit the appropriate clamav initialisation stanza in the
SweepViruses.pm ... If you feel like it, make a patch/diff and post it
here.

> 2) I noticed that some phishing mails are not blocked (I am also using
> the signatures of sanesecurity). If I do a clamscan on the full
> original mail with headers, clamscan finds the virus (I can provide a
> sample if needed). Seems the problem is that MailScanner extracts the
> content of the mail (body + attachment) and scans it, but some
> phishing mails are only detected if the full headers are present (in
> the clamav DB in the extended signature format, option 4 is for mail
> files, look at signatures.pdf in clamav source, and are detected only
> if full mail with headers is scanned).
> MailScanner should be modified so that all the original mail (with
> headers and without extracting attachment) should be passed to
> clamscan, so all viruses can be caught.
I'm not close to any code, but ... this is probably not true. Maybe a
bug in your old version, but I don't think this is how it works (the
headers should be included too). Hm. Will have to find time/energy to
look at some code to say more.

> 3) Would be nice to have a module which directly uses clamd and then
> fallback to clamscan if it's not working, other than clamscan or
> Mail::Clam options.
The consensus thus far is that it'd be a waste of effort, but then
again... I do believe some have modified the clamscan wrapper to run
clamdscan, and further make it "fall back" on clamscan should be
rather trivial... Again, will have to look at some code to say more.

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
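
The clamdscan-to-clamscan fallback discussed under point 3, sketched as an added example (not part of the original message and not MailScanner's own wrapper). It uses `--no-summary` from point 1; the `CLAMDSCAN`/`CLAMSCAN` variables, the function name and `SCANNER_USED` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: try clamdscan first, fall back to clamscan if the daemon
# path fails. Scanner commands are overridable (assumption, for testing or
# non-standard install paths).
CLAMDSCAN="${CLAMDSCAN:-clamdscan}"
CLAMSCAN="${CLAMSCAN:-clamscan}"

# scan_with_fallback PATH
# Returns ClamAV's exit status convention: 0 = clean, 1 = virus found,
# anything else = error. SCANNER_USED records which scanner gave the verdict.
scan_with_fallback() {
    target="$1"
    rc=0
    "$CLAMDSCAN" --no-summary --stdout "$target" || rc=$?
    case "$rc" in
        0|1)
            # The daemon produced a real verdict; do not rescan.
            SCANNER_USED=clamdscan
            return "$rc"
            ;;
    esac
    # Exit 2 (scanner error, e.g. clamd not running) or 126/127 (binary
    # not runnable or missing): retry with the stand-alone scanner.
    echo "clamdscan failed (exit $rc), falling back to clamscan" >&2
    rc=0
    "$CLAMSCAN" --no-summary --stdout "$target" || rc=$?
    SCANNER_USED=clamscan
    # If clamscan also errors, the non-zero, non-1 status is passed up so
    # the caller can treat the message as unscanned rather than clean.
    return "$rc"
}
```

Call it as `scan_with_fallback /path/to/message` and branch on the exit status; only 0 means the file was actually scanned and found clean.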

