Clamav suggestions

Fabio Pedretti pedretti at eco.unibs.it
Fri May 4 11:36:13 IST 2007


I have some suggestions on using clamav in MailScanner, about which I have
already sent a mail some time ago:
http://lists.mailscanner.info/pipermail/mailscanner/2007-March/071330.html

1) clamscan is called with the option --disable-summary , which is
deprecated (at least since clamav 0.70, released on 2004-04-16).  
--no-summary should be used instead in SweepViruses.pm.
2) I noticed (as well as others:
http://lists.mailscanner.info/pipermail/mailscanner/2007-April/072504.html
) that some phishing mails are not blocked (I am also using
the signatures of sanesecurity). If I do a clamscan on the full
original mail with headers, clamscan finds the virus (I can provide a
sample if needed). It seems the problem is that MailScanner extracts the
content of the mail (body + attachments) and scans it, but some
phishing mails are only detected if the full headers are present (in
the clamav DB, in the extended signature format, target type 4 is for mail
files, look at signatures.pdf in the clamav source, and these are detected only
if the full mail with headers is scanned).
MailScanner should be modified so that the whole original mail (with
headers and without extracting attachments) is passed to
clamscan/clamd, so that all viruses can be caught.
3) Support for clamd through clamdscan is nice, however, best would be
to connect to clamd directly on its socket (or network socket) from
MailScanner, without calling clamdscan, and fall back to clamscan if clamd
is not working.
4) It would be nice to have the possibility to quarantine only the entire
message and not also the attachments: worse, if there are some
compressed files, the original file as well as its contents are
quarantined, doubling (or more) the space used on the disk.

Thanks,
   Fabio
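As an added example (not part of this post, nor MailScanner's or ClamAV's own code), here is how points 2 and 3 fit together in code: the complete raw message, headers included, is streamed to clamd over its network socket with the INSTREAM command, and clamscan reading from stdin is used only as a fallback when clamd cannot be reached. The address 127.0.0.1:3310, the sample message and the signature names used in the test are constructed assumptions, not values from the post.

```python
import socket, struct, subprocess

# Constructed sample: a complete message, headers included, exactly as it
# arrived (no MIME extraction), so clamd can match mail-file signatures.
SAMPLE_MAIL = (b"From: sender@example.invalid\r\nTo: user@example.invalid\r\n"
               b"Subject: Account notice\r\n\r\nPlease review the attached notice.\r\n")

def instream_frames(data, chunk_size=8192):
    """Frame data for clamd's INSTREAM command: the command itself, then
    <4-byte big-endian length><bytes> chunks, terminated by a zero length."""
    yield b"zINSTREAM\0"
    for i in range(0, len(data), chunk_size):
        part = data[i:i + chunk_size]
        yield struct.pack("!I", len(part)) + part
    yield struct.pack("!I", 0)

def parse_reply(reply):
    """Map a 'stream: OK' / 'stream: <name> FOUND' reply to a tuple; raise on ERROR."""
    text = reply.rstrip(b"\0\r\n").decode("utf-8", "replace")
    body = text.split(": ", 1)[1] if ": " in text else text
    if body == "OK":
        return "OK", None
    if body.endswith(" FOUND"):
        return "FOUND", body[:-len(" FOUND")]
    raise RuntimeError("clamd reply not understood: " + text)

def scan_with_clamd(raw_mail, address=("127.0.0.1", 3310), timeout=30):
    """Stream the whole message to clamd over its TCP socket (address assumed)."""
    with socket.create_connection(address, timeout=timeout) as sock:
        for frame in instream_frames(raw_mail):
            sock.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # clamd terminates the reply with NUL
            data = sock.recv(4096)
            if not data:
                break
            reply += data
    return parse_reply(reply)

def scan_mail(raw_mail, address=("127.0.0.1", 3310), clamscan="clamscan"):
    """Prefer clamd; if it cannot be reached, fall back to clamscan on stdin."""
    try:
        return scan_with_clamd(raw_mail, address)
    except OSError:  # connection refused, timeout, socket missing
        proc = subprocess.run([clamscan, "--no-summary", "-"], input=raw_mail,
                              capture_output=True)
        if proc.returncode == 0:  # clamscan exit code 0: clean
            return "OK", None
        if proc.returncode == 1:  # exit code 1: something was found
            return parse_reply(proc.stdout.splitlines()[0])
        raise RuntimeError(proc.stderr.decode("utf-8", "replace"))
```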
