Max file size

[Matt Kettler]

Guy Story KC5GOI wrote:
> Matt, I did add the EICAR at the end of my test text file.  Based on
> your suggestion I moved it to the top of the text file and that was
> stopped.  Putting the EICAR in the middle kept it from getting caught.
> I increased the Max SpamAssassin Size parameter from 30000 to 300000 and
> that did not clear the error message.  I will keep looking.

Again, be sure to test your files directly against your AV scanner. If your AV 
won't detect it, mailscanner won't detect it.

ClamAV will not detect the EICAR signature at the end, and probably won't detect 
it anywhere other than the beginning.

In fact, technically speaking, EICAR shouldn't even be detected when pre-pended 
to a large file.

By definition of the EICAR signature, it is only valid at the start of a file, 
and may only by followed by whitespace charachters. There must not be more than 
a total file size of 128 bytes. So, any file over 128 bytes is, by definition, 
not an EICAR signature, and AV products should ignore it.

See also:
http://www.eicar.org/anti_virus_test_file.htm

ClamAV appears to be running by the relaxed rule of detecting it at the 
beginning of the file, and allowing any arbitrary data to follow it. BitDefender 
appears to correctly ignore my large file with the EICAR signature at the front.


> Jeff mentioned looking for "Max Spam Check Size ="  I could not find
> that entry in my MailScanner.conf file.  That was also the parameter
> that my Google searches refered to.  If it is not present, is that the
> default setting?

I don't know. It seems rather odd you don't have that setting, unless you are 
running a *VERY* old MailScanner, or have been upgrading from one without using 
the upgrade script that updates your .cf file by adding in all the latest settings.