[Mimedefang] scanning archives w/ MIMEDefang 2.39 and clamav
cc
cc at belfordhk.com
Thu Feb 19 03:51:33 EST 2004
Hi,
Recently there was a thread (re: "Problem scanning ZIP
archives with CLAMAV") that happened to be the same
problem I'm having.
I've done the following:
1) Added StreamSaveToDisk to clamav.conf (already have
ScanArchive in it).
Note: Jonas Eckerman suggested that I tell clamd to
unpack the zip files. Isn't that covered with
the ScanArchive option?
2) I followed Niels Lindquist's suggestion in creating the
DO-NOT-DELETE-WORK-DIRS in the /var/spool/MIMEDefang
directory. Then after sending a virus-infected
attachment (SomeFool), I went to the mdefang-*
directories and did a clamdscan and a clamscan.
Both found the virus even though it's archived.
3) But doing all that, the sent email still goes through
unchecked. In the logs, it shows:
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,No Virus.,,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,Size:,127.0.0.1,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,No Virus.,,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,Size:,127.0.0.1,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang[3821]: i1J8iW7U003819: Not cleaning up /var/spool/MIMEDefang/mdefang-i1J8iW7U003819 because of /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS
Here's the list of files in /var/spool/MIMEDefang/mdefang-i1J8iW7U003819:
345 Feb 19 16:44 COMMANDS
491 Feb 19 16:44 HEADERS
30854 Feb 19 16:44 INPUTMSG
50 Feb 19 16:44 RESULTS
4096 Feb 19 16:44 Work/
Then in Work:
4 Feb 19 16:44 msg-2943-24.txt
22140 Feb 19 16:44 msg-2943-25.zip
Doing a clamdscan:
/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-25.zip: Worm.SomeFool FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.019 sec (0 m 0 s)
Doing a clamscan:
/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-24.txt: OK
/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-25.zip: Worm.SomeFool FOUND
----------- SCAN SUMMARY -----------
Known viruses: 20742
Scanned directories: 1
Scanned files: 2
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.847 sec (0 m 0 s)
So clearly, both clamdscan and clamscan work.
I have both *_virus_clamd($e) and *_virus_clamav($e) in
the mimedefang-filter file.
The concern I have is that I might have edited my mimedefang-filter
file to the point of actually breaking it. So I copied a
new one in place of the old one and redid the scan. Same
thing.
The remaining issue is after fiddling/restarting mimedefang, do I need
to re-init the clamd daemon before I do anything else?
Any help appreciated.
edmund
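One way to see why the filter logs "No Virus." while clamdscan on the same Work/ files finds the worm is to have the filter log the scanner's own return code and messages. The filter_end fragment below is an added example, not from the original post or from the MIMEDefang distribution; it assumes the 2.3x filter API names used in the comments (message_contains_virus_clamd, $VirusScannerMessages, $VirusName, %Features, md_syslog, action_quarantine_entire_message, action_tempfail, action_discard).

```perl
# Added debugging fragment for mimedefang-filter (example code, not from the
# original post or from MIMEDefang itself). Assumed API of the 2.3x series:
# message_contains_virus_clamd(), $VirusScannerMessages, $VirusName,
# $Features{"Virus:CLAMD"}, md_syslog(), action_quarantine_entire_message(),
# action_tempfail() and action_discard().
sub filter_end {
    my ($entity) = @_;

    # First check: was clamd support enabled in this MIMEDefang build at all?
    # If the feature key is missing, the clamd scan function is effectively a
    # no-op and every message ends up logged as "No Virus.".
    unless ($Features{"Virus:CLAMD"}) {
        md_syslog('warning', "clamd support is not enabled in this MIMEDefang build");
        return;
    }

    # Scan the whole Work/ directory through clamd. In scalar context the
    # result is a return code (assumed: 0 = clean, 1 = virus found, any other
    # value = the scanner could not run).
    my $code = message_contains_virus_clamd();

    # Log exactly what clamd reported, so the "No Virus." line in syslog can
    # be compared with clamdscan's verdict on the same Work/ files.
    md_syslog('info', "clamd return code=$code messages=[$VirusScannerMessages]");

    if ($code == 1) {
        md_syslog('warning', "virus $VirusName found; quarantining message");
        action_quarantine_entire_message("Virus $VirusName found");
        action_discard();
    } elsif ($code != 0) {
        # Scanner problem (socket unreachable, clamd cannot read Work/):
        # tempfail instead of letting the message through unchecked.
        action_tempfail("Virus scanner unavailable, try again later");
    }
}
```

If the logged return code is non-zero but not 1, the messages field usually shows the clamd-side reason (socket path or permissions on the mdefang-* directories) rather than a signature problem.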