[Mimedefang] clamav oddity

Ashley M. Kirchner ashley at pcraft.com
Fri Apr 30 03:05:52 EDT 2004 

    So I have MIMEDefang sorting out virus infected e-mails in 
MD-Quarantine/virus and other spam under MD-Quarantine/spam (thanks to 
David for the undocumented code, works great.)  I see in my logs when it 
quarantines a virus and tells me what it is and all.  I have the filter 
do a action_quarantine_entire_message() when it encounters a virus.  
However, when I go back and run clamscan, or clamdscan on the qdir, it 
turns up negative.  If I download ENTIRE_MESSAGE to my local computer, 
Norton AntiVirus kicks in and tells me the file is indeed infected.  So 
I know MIMEDefang is doing it's job properly (with the aid of clamav): 
it scans, finds, and quarantines the virus.  My question is, why is it 
that when I go back and manually rescan the qdir folder, it comes up 
negative?  Case in point:

# clamscan
/var/spool/MD-Quarantine/virus/qdir-2004-04-30-00.47.19-001/SENDER: OK
/var/spool/MD-Quarantine/virus/qdir-2004-04-30-00.47.19-001/SENDMAIL-QID: OK
/var/spool/MD-Quarantine/virus/qdir-2004-04-30-00.47.19-001/RECIPIENTS: OK
/var/spool/MD-Quarantine/virus/qdir-2004-04-30-00.47.19-001/HEADERS: OK
/var/spool/MD-Quarantine/virus/qdir-2004-04-30-00.47.19-001/MSG.0: OK
/var/spool/MD-Quarantine/virus/qdir-2004-04-30-00.47.19-001/ENTIRE_MESSAGE: 
OK

----------- SCAN SUMMARY -----------
Known viruses: 21304
Scanned directories: 1
Scanned files: 6
Infected files: 0
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 1.249 sec (0 m 1 s)


    I download ENTIRE_MESSAGE, and it's reported to have Worm.Mydoom.H 
in it, which is why MIMEDefang originally quarantined it for too (my 
logs verified this.)  So, where is clamscan failing, and why?



-- 
 H| I haven't lost my mind; it's backed up on tape somewhere.
  +--------------------------------------------------------------------
  Ashley M. Kirchner <mailto:ashley at pcraft.com>   .   303.442.6410 x130
  IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
  Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
  http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.

More information about the MIMEDefang mailing list