Clam not scanning
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Jul 22 16:36:45 IST 2008
Steven Andrews wrote:
> Actually, the more I look into this it appears that MS is catching them
> as bad content since exe's are there when it's greater than zero; so I
> suppose that is correct behavior, no? When is clam triggered?
>
ClamAV is triggered any time there is a virus. The archive unpacking
(when scanning for viruses) is completely left up to the virus scanner
to do, MailScanner does not attempt to exert any control over that.
However, MailScanner does control the unpacking for all tests such as
filename and filetype tests. So when Max Archive Depth > 0, executables
and *.exe files in archives will trigger the filename and filetype traps.
I hope this makes some sense to you. Virus scanners are already very
good at unpacking and scanning inside archives of all sorts, so I leave
them to do it. I only do it myself when I need to for other tests on the
archives' contents.
Jules.
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Tuesday, July 22, 2008 9:42 AM
> To: MailScanner discussion
> Subject: Re: Clam not scanning
>
>
>
> Steven Andrews wrote:
>> When I've got "Maximum Archive Depth" set to 0, clam won't scan inside
>> zip files even though the setting says it doesn't affect scanning in
>> archives at all.
>>
> In which case something outside MailScanner is affecting your ClamAV
> setup. Believe me, the "Maximum Archive Depth" setting really has
> nothing to do with virus scanning whatsoever. Your ClamAV should be set
> to scan inside archives by default, check that for starters. Set "Virus
> Scanners = clamav" and try just using the command-line "clamscan" to
> scan a zip file by hand.
>
>> MS is 4.70.7-1
>>
>> Clam is 0.91.1
>>
>> SA is 3.2.5
>>
>> Tried it with the eicar test from here:
>> http://www.aleph-tec.com/eicar/index.php
>>
>> I had set max archive depth at zero because we get a lot of zips and
>> sometimes they get blocked because it can't unpack them.
>>
>> Thoughts?
>>
>> *Steven R. Andrews*, President
>> Andrews Companies Incorporated
>> /Small Business Information Technology Consultants/
>> sandrews at andrewscompanies.com
>> Phone: 317.536.1807
>>
>>
>> "If your only tool is a hammer, every problem looks like a nail."
>>
>>
>
> Jules
>
>
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
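A simplified model of the split described in the reply above, added here as an illustration and not MailScanner's own code: filename and filetype checks only see inside an archive when the depth limit is above zero, and none of this involves the virus scanner's own unpacking. The function names, the `*.exe` rule list and the sample archive are assumptions constructed for the example.

```python
import fnmatch
import io
import zipfile

DENY_NAMES = ["*.exe"]  # assumed filename rule, modelled on the *.exe case in the thread


def make_zip(members):
    """Build a zip in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def content_checks(name, data, max_depth, path=""):
    """Return (path, reason) hits; unpack archives at most max_depth levels deep."""
    full = f"{path}/{name}" if path else name
    hits = []
    if any(fnmatch.fnmatch(name.lower(), pat) for pat in DENY_NAMES):
        hits.append((full, "filename"))
    if data[:2] == b"MZ":  # DOS/PE executable magic, whatever the name says
        hits.append((full, "filetype"))
    # Depth 0 means the content checks never look inside the archive.
    if max_depth > 0 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                hits += content_checks(info.filename, zf.read(info), max_depth - 1, full)
    return hits


# Constructed attachment: outer.zip -> inner.zip -> setup.exe, plus a renamed executable.
inner = make_zip({"setup.exe": b"MZ\x90\x00 constructed stub", "readme.txt": b"hello"})
outer = make_zip({"inner.zip": inner, "invoice.pdf": b"MZ constructed stub", "notes.txt": b"hi"})

if __name__ == "__main__":
    for depth in (0, 1, 2):
        print(depth, content_checks("outer.zip", outer, depth))
```

With depth 0 nothing inside the zip is examined by these checks, so whether a virus inside it is caught depends entirely on the scanner's own archive handling.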