[Mimedefang] Problem scanning ZIP archives with CLAMAV
Nels Lindquist
nlindq at maei.ca
Mon Feb 16 13:31:19 EST 2004

On 15 Feb 2004 at 11:57, Alain DESEINE wrote:

> At 15:04 13/02/2004 -0700, you wrote:
> >
> >Are you using *_contains_virus_clamd() or *_contains_virus_clamav()
> >functions?
>
> I use both.

What does that gain you? You're not increasing your likelihood of
detection by running it through the same AV engine twice; you're just
adding significant load by using the non-daemonised scanner.

> >The daemonized scanner requires a local socket accessible to the
> >defang user, which your configuration doesn't include. Also note
> >that there was a bug in clamav 0.65 causing intermittent hangs; I'd
> >suggest upgrading to 0.66.
>
> I'm not sure you're right, because when I receive a mail with a virus
> attached (EICAR.COM for example) the virus is well found. The problem is
> only when the virus is contained in a zip file.

Well, my installation of MIMEDefang + clamd detects zipped EICAR just
fine, so there's gotta be something up with yours. :-)

You stated in your original mail that scanning zipped archives works
fine from the command line, so it can't be an issue with
clamav not being built against libz and libbz2.

Maybe you should check to see if MIME::Tools is actually parsing your
test message properly?

touch /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS

Send test message with zipped EICAR

rm /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS

You should have one or more (if it's a production server) mdefang-*
directories in /var/spool/MIMEDefang. Each should have a Work/
subdirectory with decoded message parts, including your zipfile
attachment. If you can run clamdscan there and detect the virus,
there's no reason it shouldn't detect it as it passes through.

----
Nels Lindquist <*>
Information Systems Manager
Morningstar Air Express Inc.
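
The check described in the message above, as an added example that is not part of the original post: it looks in each preserved mdefang-*/Work/ directory for a decoded ZIP part and runs the scanner on it, so a MIME parsing problem can be told apart from a scanner problem. The function name check_workdirs and its return codes are made up for this illustration; it assumes the decoded parts sit directly in Work/ and that the scanner uses clamdscan's exit status (0 clean, 1 virus found, anything else an error).

```shell
#!/bin/sh
# Added example, not from the original post. Run it after sending the test
# message while DO-NOT-DELETE-WORK-DIRS exists.
# Usage: check_workdirs [SPOOL_DIR] [SCANNER]
# Returns (hypothetical codes chosen for this example):
#   0 = a ZIP part was decoded and the scanner flagged it
#   1 = ZIP part(s) decoded, scanner reported them clean
#   2 = no ZIP part found in any Work/ directory
#   3 = the scanner returned an error for at least one part
check_workdirs() {
    spool=${1:-/var/spool/MIMEDefang}
    scanner=${2:-clamdscan}
    zips=0 flagged=0 errors=0
    for work in "$spool"/mdefang-*/Work; do
        [ -d "$work" ] || continue
        for part in "$work"/*; do
            [ -f "$part" ] || continue
            # A ZIP local file header starts with the bytes 50 4b 03 04
            magic=$(od -An -tx1 -N4 "$part" | tr -d ' \n')
            [ "$magic" = "504b0304" ] || continue
            zips=$((zips + 1))
            rc=0
            "$scanner" "$part" >/dev/null 2>&1 || rc=$?
            case $rc in
                0) echo "CLEAN   $part" ;;
                1) echo "FLAGGED $part"; flagged=$((flagged + 1)) ;;
                *) echo "ERROR   $part (scanner exit $rc)"; errors=$((errors + 1)) ;;
            esac
        done
    done
    if [ "$zips" -eq 0 ]; then
        echo "no decoded ZIP part under $spool/mdefang-*/Work"; return 2
    elif [ "$errors" -gt 0 ]; then
        echo "scanner returned an error"; return 3
    elif [ "$flagged" -gt 0 ]; then
        return 0
    fi
    echo "ZIP part decoded but not flagged by $scanner"; return 1
}
```

A return of 2 points at the message decoding step, while 1 or 3 points at the scanner itself.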