[Mimedefang] Problem scanning ZIP archives with CLAMAV

Nels Lindquist nlindq at maei.ca
Mon Feb 16 13:31:19 EST 2004


On 15 Feb 2004 at 11:57, Alain DESEINE wrote:

> At 15:04 13/02/2004 -0700, you wrote:
> >
> >Are you using *_contains_virus_clamd() or *_contains_virus_clamav()
> >functions?
> 
> I use both.

What does that gain you?  You're not increasing your likelihood of 
detection by running it through the same AV engine twice; you're just 
adding significant load by using the non-daemonised scanner.

> >The daemonized scanner requires a local socket accessible to the
> >defang user, which your configuration doesn't include.  Also note
> >that there was a bug in clamav 0.65 causing intermittent hangs; I'd
> >suggest upgrading to 0.66.
> 
> I'm not sure you're right, because when i receive a mail with a virus 
> attached (EICAR.COM for example) the virus is well found. The problem is 
> only when the virus is contained in a zip file.

Well, my installation of MIMEDefang + clamd detects zipped EICAR just 
fine, so there's gotta be something up with yours. :-)

You stated in your original mail that scanning zipped archives works 
fine from the command line, so it can't be an issue with clamav not 
being built against libz and libbz2.

Maybe you should check to see if MIME::Tools is actually parsing your 
test message properly?

touch /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS
Send test message with zipped EICAR
rm /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS

You should have one or more (if it's a production server) mdefang-* 
directories in /var/spool/MIMEDefang.  Each should have a Work/ 
subdirectory with decoded message parts, including your zipfile 
attachment.  If you can run clamdscan there and detect the virus, 
there's no reason it shouldn't detect it as it passes through.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
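Added example, not Nels's commands and not part of MIMEDefang itself: a small POSIX shell script that wraps the three-step work-directory check above (drop the marker, send the zipped EICAR, inspect and scan what MIME::Tools left behind, remove the marker). It assumes the stock spool path /var/spool/MIMEDefang (any other directory can be passed as an argument), the mdefang-*/Work layout described in the mail, and clamdscan's documented exit codes (0 clean, 1 infected, 2 error).

```shell
#!/bin/sh
# Added example, not from the original mail or from MIMEDefang itself:
# wraps the "keep the work dirs, send a test, inspect Work/" procedure.
# Assumptions: stock spool path /var/spool/MIMEDefang (override by passing
# a directory), the mdefang-*/Work layout described above, and clamdscan's
# documented exit codes (0 clean, 1 infected, 2 error).

DEFAULT_SPOOL=/var/spool/MIMEDefang

# Step 1: tell mimedefang.pl to leave each message's work directory behind.
keep_work_dirs() {
    spool="${1:-$DEFAULT_SPOOL}"
    touch "$spool/DO-NOT-DELETE-WORK-DIRS"
}

# Step 3: remove the marker again so the spool does not fill up.
release_work_dirs() {
    spool="${1:-$DEFAULT_SPOOL}"
    rm -f "$spool/DO-NOT-DELETE-WORK-DIRS"
}

# List every decoded part left in mdefang-*/Work, one path per line.
# mdefang-* directories without a Work/ subdirectory are skipped.
list_work_parts() {
    spool="${1:-$DEFAULT_SPOOL}"
    for work in "$spool"/mdefang-*/Work; do
        [ -d "$work" ] || continue
        find "$work" -type f
    done
}

# Run clamdscan over each decoded part (the zip attachment included).
# Returns 0 if at least one part was flagged, 1 if everything scanned
# clean, 2 if clamdscan itself failed on some part (clamd socket not
# reachable, or the file not readable by the user clamd runs as).
scan_work_parts() {
    spool="${1:-$DEFAULT_SPOOL}"
    result=1
    for work in "$spool"/mdefang-*/Work; do
        [ -d "$work" ] || continue
        for part in "$work"/*; do
            [ -f "$part" ] || continue
            rc=0
            clamdscan --no-summary "$part" || rc=$?
            case "$rc" in
                1) result=0 ;;                          # infected
                2) [ "$result" -eq 0 ] || result=2 ;;   # error, unless a hit already won
            esac
        done
    done
    return "$result"
}

# Usage: sh mdefang-workdirs.sh keep|list|scan|release [spool-dir]
# With no arguments the script only defines the functions above.
case "${1:-}" in
    keep)    keep_work_dirs "$2" ;;
    list)    list_work_parts "$2" ;;
    scan)    scan_work_parts "$2" ;;
    release) release_work_dirs "$2" ;;
esac
```

Run `keep`, send the zipped EICAR test message, then `list` and `scan`, and finish with `release`. If `list` shows the .zip part but `scan` exits 2, the problem is between clamdscan and clamd (socket or file permissions) rather than in MIME::Tools; if `list` shows no zip part at all, the message was not decoded as expected and the filter never had the archive to hand to clamd.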