ClamAV only scanning message headers

Jared mailscanner_list at phisch.ca
Tue Sep 29 21:23:36 IST 2009 

Greetings, MailScanner community,
 
I have been using MailScanner with Postfix and ClamAV for several years
now and it has been an extremely effective system for combating spam and
malware for my users.  I have just refreshed our system to bring the
relevant software up to a reasonable rev as well as putting it on much
more capable hardware.

Everything seems to be working with the exception of my virus scanning. 
Here’s the situation:
My ‘Incoming Work Dir’ is set to /tmp (as it’s in RAM rather than on
disk for speed).  As mail comes in, I can see that a MailScanner child
creates a subdirectory of /tmp with its PID, and then calls the ClamAV
wrapper to scan that directory.  My expectation is that MailScanner
decodes all MIME parts and decodes Base64 for the AV engine to troll and
will leave them in that temporary directory.

The problem is that the only file being written out into those
directories is the message header – no other MIME parts (or even a
plain-text part, for that matter) ever make it into the directory.  As a
result, ClamAV is unable to detect infections because it will never see
them. 
 
I have confirmed that ClamAV is able to detect viruses (by using an
EICAR test file) when run from the command line and/or the MailScanner
wrapper script, and that Clam is only being “fed” files like
/tmp/PID/MessageID.header
 
Is there something that I’m missing in my install?  Do I have a
fundamental misunderstanding of how MailScanner interacts with ClamAV
via the wrapper?  I have tried running MailScanner in debug mode, but
there’s really no useful information in there.
 
Any guidance would be very much appreciated!
 
Jared




#./MailScanner -v
Running on
SunOS *****  5.10 Generic_141414-08 sun4v sparc SUNW,SPARC-Enterprise-T5220
This is Perl version 5.008008 (5.8.8)
 
This is MailScanner version 4.56.8
Module versions are:
1.00    AnyDBM_File
1.30    Archive::Zip
1.04    Carp
1.119   Convert::BinHex
1.00    DirHandle
1.05    Fcntl
2.74    File::Basename
2.09    File::Copy
2.01    FileHandle
1.08    File::Path
0.22    File::Temp
0.92    Filesys::Df
3.60    HTML::Entities
3.61    HTML::Parser
3.57    HTML::TokeParser
1.25    IO
1.14    IO::File
1.13    IO::Pipe
2.04    Mail::Header
3.07    MIME::Base64
5.427   MIME::Decoder
5.427   MIME::Decoder::UU
5.427   MIME::Head
5.427   MIME::Parser
3.07    MIME::QuotedPrint
5.427   MIME::Tools
0.13    Net::CIDR
1.09    POSIX
1.78    Socket
1.4     Sys::Hostname::Long
0.27    Sys::Syslog
1.86    Time::HiRes
1.02    Time::localtime
 
Optional module versions are:
0.17    Convert::TNEF
1.814   DB_File
1.25    DBD::SQLite
1.607   DBI
1.14    Digest
1.01    Digest::HMAC
2.36    Digest::MD5
2.11    Digest::SHA1
missing Inline
missing Mail::ClamAV
3.002005        Mail::SpamAssassin
1.999001        Mail::SPF::Query
0.20    Net::CIDR::Lite
1.25    Net::IP
0.65    Net::DNS
0.39    Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56    Test::Harness
0.92    Test::Simple
1.95    Text::Balanced
1.38    URI

More information about the MailScanner mailing list