Virus detected by Clamd is not blocked by Mailscanner
Mark Sapiro
mark at msapiro.net
Fri Feb 19 17:42:12 UTC 2016
On 02/19/2016 12:24 AM, Heino Backhaus wrote:
> Thanks for the Answer.
>
> Good shot - but why did a new mail with the virus/Word-Document attached
> go through?
> Clamd still detects the word document as Virus on manual command line scan.
> If you're right it should be detected as spam as soon as the Document is
> attached, right?

It is detected by clamd as

    Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL

This matches something in your MailScanner configuration setting "Virus
Names Which Are Spam" so MailScanner does not treat this detection as a
virus but rather as spam. What it then does is add a header as defined
by "Spam-Virus Header" in your MailScanner config together with the name
of the detection. The default setting is

    Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:

So for example in my case this detection would be

    X-GPC-MailScanner-SpamVirus-Report: Sanesecurity.Malware.25947.XmlHeurGen.UNOFFICIAL

Then the next step is in /etc/MailScanner/spam.assassin.prefs.conf as
distributed, you'll see

    #
    # The header name in the next line must have your %org-name% added into it,
    # so that it matches what is set in "Spam-Virus Header" in your
    # MailScanner.conf file.
    #
    header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
    score MS_FOUND_SPAMVIRUS 3.0

You need to edit that as it says. Again in my case I change the header
line to

    header MS_FOUND_SPAMVIRUS exists:X-GPC-MailScanner-SpamVirus-Report

and you can also adjust the score as you wish. Then this clamd detection
will score that many points in spamassassin.

--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
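
The mismatch described in the message above can be checked mechanically. The following is an added example, not part of the original post or of MailScanner: it expands `%org-name%` in the "Spam-Virus Header" setting and compares the result with the header name the `MS_FOUND_SPAMVIRUS` rule tests. The function names, the `%org-name% = GPC` definition line and both sample files are assumptions constructed for illustration.

```python
import re

# Constructed sample files (not taken from the post's systems). The
# "%org-name% = GPC" definition line is an assumed MailScanner.conf layout.
SAMPLE_MAILSCANNER_CONF = """\
%org-name% = GPC
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
"""
SAMPLE_SA_PREFS = """\
header MS_FOUND_SPAMVIRUS exists:X-MailScanner-SpamVirus-Report
score MS_FOUND_SPAMVIRUS 3.0
"""

def expected_header(ms_conf):
    """Header name MailScanner will add: %vars% expanded, trailing ':' dropped."""
    settings = {}
    for line in ms_conf.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    header = settings.get("spam-virus header")
    if header is None:
        return None
    expand = lambda m: settings.get(m.group(0).lower(), m.group(0))
    return re.sub(r"%[\w-]+%", expand, header).rstrip(":")

def rule_header(sa_prefs, rule="MS_FOUND_SPAMVIRUS"):
    """Header name tested by the rule's 'exists:' clause, or None."""
    pat = rf"^\s*header\s+{re.escape(rule)}\s+exists:(\S+)"
    m = re.search(pat, sa_prefs, re.MULTILINE)
    return m.group(1) if m else None

def check(ms_conf, sa_prefs):
    """Return (ok, message) for the header-name agreement between both files."""
    want, have = expected_header(ms_conf), rule_header(sa_prefs)
    if want is None or have is None:
        return False, "Spam-Virus Header setting or MS_FOUND_SPAMVIRUS rule missing"
    if want.lower() != have.lower():      # header field names are case-insensitive
        return False, f"rule tests {have!r} but MailScanner adds {want!r}"
    return True, f"rule matches {want!r}"

if __name__ == "__main__":
    print(check(SAMPLE_MAILSCANNER_CONF, SAMPLE_SA_PREFS))
    fixed = SAMPLE_SA_PREFS.replace("exists:X-", "exists:X-GPC-")
    print(check(SAMPLE_MAILSCANNER_CONF, fixed))
```

With the as-distributed rule the check fails, which is the situation where a clamd detection listed under "Virus Names Which Are Spam" adds no score and the message is delivered.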