[Mimedefang] scanning archives w/ MIMEDefang 2.39 and clamav

cc cc at belfordhk.com
Thu Feb 19 03:51:33 EST 2004


Hi,

Recently there was a thread (re: "Problem scanning ZIP
archives with CLAMAV") that happened to be the same
problem I'm having.

I've done the following:

1) Added StreamSaveToDisk to clamav.conf (already have
    ScanArchive in it).

    Note: Jonas Eckerman suggested that I tell clamd to
          unpack the zip files.  Isn't that covered with
          the ScanArchive option?

2) I followed Niels Lindquist's suggestion in creating the
    DO-NOT-DELETE-WORK-DIRS in the /var/spool/MIMEDefang
    directory.   Then after sending a virus-infected
    attachment (SomeFool), I went to the mdefang-*
    directories and did a clamdscan and a clamscan.
    Both found the virus even though it's archived.

3)  But doing all that, the sent email still goes through
    unchecked.  In the logs, it shows:

Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,No Virus.,,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,Size:,127.0.0.1,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,No Virus.,,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,Size:,127.0.0.1,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang[3821]: i1J8iW7U003819: Not cleaning up /var/spool/MIMEDefang/mdefang-i1J8iW7U003819 because of /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS

Here's the list of files in /var/spool/MIMEDefang/mdefang-i1J8iW7U003819:

  345 Feb 19 16:44 COMMANDS
  491 Feb 19 16:44 HEADERS
30854 Feb 19 16:44 INPUTMSG
   50 Feb 19 16:44 RESULTS
 4096 Feb 19 16:44 Work/

Then in Work:

    4 Feb 19 16:44 msg-2943-24.txt
22140 Feb 19 16:44 msg-2943-25.zip

Doing a clamdscan:

/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-25.zip: Worm.SomeFool FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.019 sec (0 m 0 s)


Doing a clamscan:

/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-24.txt: OK
/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-25.zip: Worm.SomeFool FOUND

----------- SCAN SUMMARY -----------
Known viruses: 20742
Scanned directories: 1
Scanned files: 2
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.847 sec (0 m 0 s)

So clearly, both clamdscan and clamscan work.


I have both *_virus_clamd($e) and *_virus_clamav($e) in
the mimedefang-filter file.

The concern I have is that I might have edited my mimedefang-filter
file to the point of actually breaking it.  So I copied a
new one in place of the old one and redid the scan.  Same
thing.

The remaining issue is after fiddling/restarting mimedefang, do I need
to re-init the clamd daemon before I do anything else?

Any help appreciated.

edmund








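The post above shows the symptom in two places that have to be compared by hand: the retained mdefang-* Work/ directory, where clamscan reports Worm.SomeFool, and the syslog MDLOG line for the same queue ID, which says "No Virus.". The script below is an added example (not code from the post or from the MIMEDefang project) that automates that comparison: it parses MDLOG lines and clamscan output and reports queue IDs where the scanner found something in the retained work directory but the filter logged a clean result. The sample log lines and scanner output are constructed from the post; the assumed MDLOG field layout (queue-id, event, value1, value2, sender, recipient, subject) follows the stock md_graphdefang_log format and is an assumption, as are the function names.

```python
"""Cross-check clamscan results for retained MIMEDefang work dirs against MDLOG entries.

Added example. The log lines and scanner output below are constructed from the
post, not collected from a live system.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines in the form mimedefang.pl writes them.
# Assumed MDLOG layout: MDLOG,queue-id,event,value1,value2,sender,recipient,subject
SYSLOG = """\
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,No Virus.,,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang.pl[2943]: MDLOG,i1J8iW7U003819,Size:,127.0.0.1,,<root at asphalt.mydomain.com>,<cc at asphalt.mydomain.com>,testing
Feb 19 16:44:36 asphalt mimedefang[3821]: i1J8iW7U003819: Not cleaning up /var/spool/MIMEDefang/mdefang-i1J8iW7U003819 because of /var/spool/MIMEDefang/DO-NOT-DELETE-WORK-DIRS
"""

# Constructed sample of what clamscan printed for the retained Work/ directory.
CLAMSCAN = """\
/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-24.txt: OK
/var/spool/MIMEDefang/mdefang-i1J8iW7U003819/Work/msg-2943-25.zip: Worm.SomeFool FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
"""

# Only mimedefang.pl (the Perl filter) emits MDLOG lines; the C multiplexor's
# "Not cleaning up" line is deliberately not matched.
MDLOG_RE = re.compile(r"mimedefang\.pl\[\d+\]: MDLOG,(?P<rest>.*)$")

# A clamscan/clamdscan hit line: "<path>: <signature> FOUND". The queue ID is
# recovered from the mdefang-<qid> directory component of the path.
FOUND_RE = re.compile(
    r"^(?P<path>/var/spool/MIMEDefang/mdefang-(?P<qid>[^/]+)/.*?): (?P<sig>.+) FOUND$"
)


def parse_mdlog(text):
    """Return {queue_id: [event, ...]} from MDLOG syslog lines.

    The subject (last field) may itself contain commas, so the record is
    split at most six times and the remainder is left as the subject.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = MDLOG_RE.search(line)
        if not m:
            continue
        fields = m.group("rest").split(",", 6)
        if len(fields) < 2:
            continue
        qid, event = fields[0], fields[1]
        events[qid].append(event)
    return dict(events)


def parse_clamscan(text):
    """Return {queue_id: {path: signature}} for every FOUND line; OK lines are ignored."""
    hits = defaultdict(dict)
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits[m.group("qid")][m.group("path")] = m.group("sig")
    return dict(hits)


def find_missed(events, hits):
    """Queue IDs where the scanner found malware in the retained work dir
    but the filter logged "No Virus." for the same message."""
    missed = {}
    for qid, files in hits.items():
        if "No Virus." in events.get(qid, []):
            missed[qid] = files
    return missed


if __name__ == "__main__":
    # Usage: replace SYSLOG/CLAMSCAN with `grep MDLOG /var/log/maillog` and
    # the output of `clamscan -r /var/spool/MIMEDefang/mdefang-*/Work`.
    for qid, files in find_missed(parse_mdlog(SYSLOG), parse_clamscan(CLAMSCAN)).items():
        for path, sig in files.items():
            print(f"{qid}: filter logged 'No Virus.' but scanner found {sig} in {path}")
```

A non-empty result from find_missed means the message reached the virus-check stage with scannable content on disk but the filter did not act on it, which points at the filter's scanner call (or clamd's view of the work directory) rather than at the scanner's archive support.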
