ClamAV suggestion

Fabio Pedretti pedretti at eco.unibs.it
Mon Mar 12 12:27:58 CET 2007


Quoting Glenn Steen <glenn.steen at gmail.com>:

> On 09/03/07, Fabio Pedretti <pedretti at eco.unibs.it> wrote:
>> Hi,
>> I am using MailScanner 4.44.6 (I know it's old, but seems that my
>> suggestions are not implemented in current code) with clamscan 0.90.1
>> (not Mail::Clam module). I have some suggestions for using it with
>> clamav:
> This simply cannot be the sole reason to hold off an upgrade.
> You should seriously consider spending the approximately 10 minutes it
> takes to perform and perhaps 30 minutes it takes to adjust defaults to
> new settings afterward. How to perform an upgrade is mentioned in the
> MAQ.

I'll look at it, thanks. However, I am not inclined to have to upgrade
critical software on a server serving hundreds of users, unless
there are security problems.

>> 1) clamscan is called with the option --disable-summary , which is
>> deprecated. --no-summary should be used instead.
> I would assume this is the same in the latest MS since it predates the
> 0.90 release of clamav...

It was not deprecated in 0.90, but at least in 0.70, released on 2004-04-16.

> And since Jules is hospitalised at the moment,

I'm sorry about that.

> I wouldn't expect any adjustment to this in the near future...
> But having said that, it is quite simple to do yourself:
> Simply edit the appropriate clamav initialisation stanza in the
> SweepViruses.pm ... If you feel like it, make a patch/diff and post it
> here.
>
>> 2) I noticed that some phishing mails are not blocked (I am also using
>> the signatures of sanesecurity). If I do a clamscan on the full
>> original mail with headers, clamscan finds the virus (I can provide a
>> sample if needed). Seems the problem is that MailScanner extracts the
>> content of the mail (body + attachment) and scans it, but some
>> phishing mails are only detected if the full headers are present (in
>> the clamav DB in the extended signature format, option 4 is for mail
>> files, look at signatures.pdf in clamav source, and are detected only
>> if full mail with headers is scanned).
>> MailScanner should be modified so that all the original mail (with
>> headers and without extracting attachment) should be passed to
>> clamscan, so all viruses can be caught.
> I'm not close to any code, but ... this is probably not true. Maybe a
> bug in your old version, but I don't think this is how it works (the
> headers should be included too). Hm. Will have to find time/energy to
> look at some code to say more.

I can confirm this is the way scanning works in 4.44.6. I'll look at
a newer version... if I find some time.

>> 3) Would be nice to have a module which directly uses clamd and then
>> falls back to clamscan if it's not working, other than clamscan or
>> Mail::Clam options.
> The consensus thus far is that it'd be a waste of effort, but then
> again... I do believe some have modified the clamscan wrapper to run
> clamdscan, and further make it "fall back" on clamscan should be
> rather trivial... Again, will have to look at some code to say more.

That's what I am also doing now. However, best would be to connect to
clamd directly via its socket from MailScanner, without calling clamdscan
(and adding a new module).
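
The direct-to-socket scan with a clamscan fallback discussed in points 2 and 3 above, as an added example that is not part of the original post and is not MailScanner code: it streams the complete raw message, headers included, to clamd with the INSTREAM command documented for current clamd releases (the 0.90.1 daemon in this thread may not support it). The socket path and all function names are assumptions made for the illustration.

```python
import socket
import struct
import subprocess

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"  # assumption: your clamd.conf LocalSocket

def parse_reply(reply):
    """Map 'stream: OK' / 'stream: <name> FOUND' to (status, signature)."""
    text = reply.rstrip("\0\r\n").split(": ", 1)[-1]
    if text == "OK":
        return ("clean", None)
    if text.endswith(" FOUND"):
        return ("infected", text[:-len(" FOUND")])
    return ("error", text)

def scan_with_clamd(raw_message, socket_path=CLAMD_SOCKET, timeout=30):
    """Stream the complete message (headers and body) to clamd via INSTREAM."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(raw_message), 8192):
            chunk = raw_message[i:i + 8192]
            s.sendall(struct.pack("!I", len(chunk)) + chunk)  # 4-byte length prefix
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return parse_reply(reply.decode("utf-8", "replace"))

def scan_with_clamscan(raw_message, clamscan="clamscan"):
    """Fallback: pipe the same bytes to clamscan, which reads stdin for '-'."""
    proc = subprocess.run([clamscan, "--no-summary", "-"],
                          input=raw_message, capture_output=True)
    if proc.returncode == 0:
        return ("clean", None)
    if proc.returncode == 1:  # clamscan exit code 1 means a signature matched
        return parse_reply(proc.stdout.decode("utf-8", "replace").strip())
    return ("error", proc.stderr.decode("utf-8", "replace").strip())

def scan_message(raw_message, socket_path=CLAMD_SOCKET, clamscan="clamscan"):
    """Use clamd when its socket answers; otherwise fall back to clamscan."""
    try:
        return scan_with_clamd(raw_message, socket_path)
    except OSError:  # socket missing, refused, or timed out
        return scan_with_clamscan(raw_message, clamscan)
```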


