ClamAV only scanning message headers
Jared Bater
mailscanner_list at phisch.ca
Thu Oct 15 17:48:31 IST 2009
Thanks. I have reviewed the performance tips for MailScanner, and our
system is extremely well optimized. We can easily push 500K messages/day
through Mailscanner/Spamassassin, in addition to the several million
that we drop at the MTA with DNSBLs.
The problem is that clamdscan does get properly called from
/opt/MailScanner/lib/clamav-wrapper (actually, a slightly modified
version of it to call clamdscan rather than clamscan). The problem is
that only the message headers make it into my 'Incoming Work Dir',
which is set to /tmp.
Here's what clamd writes out in its log, which shows that only headers
are being scanned:
+++ Started at Thu Oct 15 11:15:29 2009
clamd daemon 0.95.2 (OS: solaris2.8, ARCH: sparc, CPU: sparc)
Log file size limited to 2097152 bytes.
Reading databases from /var/opt/csw/clamav/db
Not loading PUA signatures.
Loaded 1174218 signatures.
LOCAL: Unix socket file /tmp/clamd.socket
LOCAL: Setting connection queue length to 15
Limits: Global size limit set to 104857600 bytes.
Limits: File size limit set to 26214400 bytes.
Limits: Recursion level limit set to 16.
Limits: Files limit set to 10000.
Archive support enabled.
Algorithmic detection enabled.
Portable Executable support enabled.
ELF support enabled.
Mail files support enabled.
OLE2 support enabled.
PDF support enabled.
HTML support enabled.
Self checking every 600 seconds.
/tmp/13100/8779FCC5E3.7CB46.header: OK
/tmp/13100/87806CC5E4.586C4.header: OK
/tmp/9684/ED86FCC5F6.81C14.header: OK
/tmp/497/90E90CC5FD.57D06.header: OK
/tmp/4328/A46FDCC5D7.7A0E6.header: OK
/tmp/13100/B78E6CC605.48C0A.header: OK
/tmp/3599/7F3A9CC5B8.8843E.header: OK
<etc, etc, etc>
What would cause only the headers to be extracted? Is there any way
to debug MS to figure out what's going wrong with the interaction with
Clamdscan?
Spamassassin has no troubles at all, by the way.
Any help and/or guidance is greatly appreciated.
Jared
#./MailScanner -v
Running on
SunOS <snip> sun4v sparc SUNW,SPARC-Enterprise-T5220
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.56.8
Module versions are:
1.00 AnyDBM_File
1.30 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.22 File::Temp
0.92 Filesys::Df
3.60 HTML::Entities
3.61 HTML::Parser
3.57 HTML::TokeParser
1.25 IO
1.14 IO::File
1.13 IO::Pipe
2.04 Mail::Header
3.07 MIME::Base64
5.427 MIME::Decoder
5.427 MIME::Decoder::UU
5.427 MIME::Head
5.427 MIME::Parser
3.07 MIME::QuotedPrint
5.427 MIME::Tools
0.13 Net::CIDR
1.09 POSIX
1.78 Socket
1.4 Sys::Hostname::Long
0.27 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime
Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
1.25 DBD::SQLite
1.607 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.002005 Mail::SpamAssassin
1.999001 Mail::SPF::Query
0.20 Net::CIDR::Lite
1.25 Net::IP
0.65 Net::DNS
0.39 Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.92 Test::Simple
1.95 Text::Balanced
1.38 URI
Scott Silva wrote:
> on 9-29-2009 1:23 PM Jared spake the following:
>> Greetings, MailScanner community,
>>
>> I have been using MailScanner with Postfix and ClamAV for several years
>> now and it has been an extremely effective system for combating spam and
>> malware for my users. I have just refreshed our system to bring the
>> relevant software up to a reasonable rev as well as putting it on much
>> more capable hardware.
>>
>> Everything seems to be working with the exception of my virus scanning.
>> Here’s the situation:
>> My ‘Incoming Work Dir’ is set to /tmp (as it’s in RAM rather than on
>> disk for speed). As mail comes in, I can see that a MailScanner child
>> creates a subdirectory of /tmp with its PID, and then calls the ClamAV
>> wrapper to scan that directory. My expectation is that MailScanner
>> decodes all MIME parts and decodes Base64 for the AV engine to troll and
>> will leave them in that temporary directory.
>>
>> The problem is that the only file being written out into those
>> directories is the message header – no other MIME parts (or even a
>> plain-text part, for that matter) ever make it into the directory. As a
>> result, ClamAV is unable to detect infections because it will never see
>> them.
>>
>> I have confirmed that ClamAV is able to detect viruses (by using an
>> EICAR test file) when run from the command line and/or the MailScanner
>> wrapper script, and that Clam is only being “fed” files like
>> /tmp/PID/MessageID.header
>>
>> Is there something that I’m missing in my install? Do I have a
>> fundamental misunderstanding of how MailScanner interacts with ClamAV
>> via the wrapper? I have tried running MailScanner in debug mode, but
>> there’s really no useful information in there.
>>
>> Any guidance would be very much appreciated!
>> <Snip>
>
> Read http://wiki.mailscanner.info/doku.php?id=maq:index#optimization_tips
>
> and maybe
> http://wiki.mailscanner.info/doku.php?id=maq:index#i_don_t_get_output_from_clamav_or_other_anti-virus_what_is_wrong
>
>
>
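
An added diagnostic, not part of the original post or of MailScanner: it reads clamd per-file result lines like those quoted above and lists the messages for which only a `.header` file was ever scanned. The function names, the sample lines with PID 2222, and the assumption that body parts would appear under `<work dir>/<PID>/<message id>/` are illustrative, not taken from the thread.

```python
import re
from collections import defaultdict

# clamd per-file result lines, e.g. "/tmp/13100/8779FCC5E3.7CB46.header: OK"
RESULT_RE = re.compile(r"^(?P<path>/\S.*?): (?P<result>OK|.+ FOUND)$")

# First two paths are from the log in the post; the PID 2222 lines are constructed.
SAMPLE = """\
Self checking every 600 seconds.
/tmp/13100/8779FCC5E3.7CB46.header: OK
/tmp/9684/ED86FCC5F6.81C14.header: OK
/tmp/2222/AAAA000001.00001.header: OK
/tmp/2222/AAAA000001.00001/msg-1.txt: OK
/tmp/2222/AAAA000001.00001/eicar.com: Eicar-Test-Signature FOUND
""".splitlines()

def summarize(log_lines, work_dir="/tmp"):
    """Map (pid, message id) -> counts of header files and other files scanned."""
    seen = defaultdict(lambda: {"header": 0, "other": 0})
    prefix = work_dir.rstrip("/") + "/"
    for line in log_lines:
        m = RESULT_RE.match(line.strip())
        if not m or not m.group("path").startswith(prefix):
            continue  # startup banner, limits, or a path outside the work dir
        parts = m.group("path")[len(prefix):].split("/")
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # not of the form <work dir>/<PID>/...
        pid, entry = parts[0], parts[1]
        if len(parts) == 2 and entry.endswith(".header"):
            seen[(pid, entry[:-len(".header")])]["header"] += 1
        else:
            # Assumption: extracted parts sit under <work dir>/<PID>/<message id>/
            seen[(pid, entry)]["other"] += 1
    return dict(seen)

def header_only(summary):
    """Messages whose header was scanned but no body part or attachment was."""
    return sorted(k for k, v in summary.items() if v["header"] and not v["other"])

if __name__ == "__main__":
    for pid, msg_id in header_only(summarize(SAMPLE)):
        print(f"PID {pid}: message {msg_id} had only its header scanned")
```
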