[Mimedefang] ClamAV not detecting all viruses
Stewart James
stewart.james at vu.edu.au
Sun Jul 4 20:22:59 EDT 2004
Bugger. Upgraded ClamAV this morning and still having the same issues.
I have dug a little deeper. (ClamAV: 0.73 and MD: 2.41)
I have a small patch (sent back to MD) that logs which scanner found the
virus so I could do some stats about it at some stage. I see log lines
like:
Jul 5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,<EMAIL1>,<EMAIL2>,Mail Delivery (failure EMAIL2)
Great, except that clamAV is run first. This morning I thought I had better
look at the clamav-daemon log file. Fortunately MD uses the msgid in the
directory name, so I could search for i650048S013874. And ClamAV had
detected the virus (I checked a handful to be sure), so in the clamAV
logs I can find a corresponding line:
Mon Jul 5 10:00:26 2004 -> /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND
So now my head hurts (brick wall and all). My relevant filter and
filter_begin portions are below. However, reviewing them I think I have
perhaps spotted an issue. I scan with message_contains_virus in
filter_begin and then with entity_contains_virus in filter. I am
wondering if this is the real cause of my grief (plus now I scan
everything more than needed).
Does anyone have any thoughts on it? (In the meantime I will try
altering my -filter)
Stewart
This is in sub filter_begin():

    # Whole-message scan; sets $FoundVirus, $VirusName and $VirusScanner
    my($code, $category, $action) = message_contains_virus();

This is near the top of sub filter($$$$):

    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        # Per-entity rescan of the part being filtered
        ($code, $category, $action) = entity_contains_virus($entity);
        # If you are more paranoid, change to: if ($action eq "quarantine") {
        if ($category eq "virus") {
            md_graphdefang_log('virus', $VirusName, $RelayAddr);
            md_graphdefang_log('scanner', "$VirusScanner-$VirusName", $VirusScanner);
            # Bounce the mail!
            action_bounce("Virus $VirusName found in mail - rejected");
            # But quarantine the part for examination later. Comment
            # the next line out if you don't want to bother.
            if ($VirusScanner eq "TREND") {
                action_quarantine_entire_message("Trend found a virus");
            }
            #action_quarantine($entity, "A known virus was discovered and deleted. Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
            return;
        }
        if ($action eq "tempfail") {
            action_tempfail("Problem running virus-scanner");
            md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
        }
    }
On Wed, 2004-06-30 at 13:33 +1000, Stewart James wrote:
> > Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72
> > because of a Proxy issue, so I can't confirm if it actually did get
> > fixed there.
>
> Well it's a 3 day wait (OK a couple more because that falls on a weekend
> here). I will see if 0.73 resolves it for me, if not, I can start
> looking at "why not" of it all.
>
> I will let the list know the outcome :)
>
> Cheers,
>
> Stewart
>
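The manual check described in the post (find the msgid in the MDLOG "scanner" line, then look for the matching mdefang-<id> directory in the clamd log) can be automated so that every message where clamd logged a FOUND but another scanner got the credit is listed at once. The script below is an added example written for this page, not code from the post or from MIMEDefang; the log lines in it are constructed to match the two formats quoted above. Two things are assumptions: that the MDLOG id maps to the clamd directory name by dropping its leading letter (as i650048S013874 and mdefang-650048S013874 do in the post), and that MIMEDefang labels ClamAV detections "CLAMAV" (passed as the clam_label parameter, so it can be changed to whatever your build actually logs).

```python
import re

# Constructed sample log lines, modelled on the two formats quoted in the post:
# MDLOG "scanner" entries from mimedefang.pl and clamd's "... FOUND" lines.
MDLOG_LINES = """\
Jul 5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,<EMAIL1>,<EMAIL2>,Mail Delivery (failure EMAIL2)
Jul 5 10:02:11 lime mimedefang.pl[7210]: MDLOG,i650048S013901,scanner,CLAMAV-Worm.SomeFool.P,CLAMAV,<EMAIL3>,<EMAIL4>,Re: hello
Jul 5 10:03:45 lime mimedefang.pl[7215]: MDLOG,i650048S013950,scanner,TREND-WORM_NETSKY.P,TREND,<EMAIL5>,<EMAIL6>,Delivery failed
Jul 5 10:04:02 lime mimedefang.pl[7218]: MDLOG,i650048S013977,mail,<EMAIL7>,<EMAIL8>,Re: lunch
"""

CLAMD_LINES = """\
Mon Jul 5 10:00:26 2004 -> /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND
Mon Jul 5 10:02:11 2004 -> /var/spool/MIMEDefang/mdefang-650048S013901/Work/INPUTMSG: Worm.SomeFool.P FOUND
Mon Jul 5 10:03:45 2004 -> /var/spool/MIMEDefang/mdefang-650048S013950/Work/INPUTMSG: OK
"""

# Only the "scanner" MDLOG event carries the scanner/virus label fields.
MDLOG_RE = re.compile(
    r"MDLOG,(?P<qid>[^,]+),scanner,(?P<label>[^,]+),(?P<scanner>[^,]+),")
# clamd logs the spool path; the mdefang-<id> component is the join key.
CLAMD_RE = re.compile(
    r"/mdefang-(?P<dirid>[^/]+)/\S+: (?P<name>\S+) FOUND$")


def parse_mdlog(text):
    """Return {queue_id: (scanner, label)} for MDLOG 'scanner' entries."""
    found = {}
    for line in text.splitlines():
        m = MDLOG_RE.search(line)
        if m:
            found[m.group("qid")] = (m.group("scanner"), m.group("label"))
    return found


def parse_clamd(text):
    """Return {dir_id: virus_name} for clamd FOUND lines (OK lines are skipped)."""
    found = {}
    for line in text.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            found[m.group("dirid")] = m.group("name")
    return found


def dir_id(qid):
    """Map an MDLOG queue id to the id in the mdefang-<id> directory name.

    Assumption taken from the post: i650048S013874 was scanned as
    mdefang-650048S013874, i.e. the same id without its leading letter.
    """
    return qid[1:] if qid[:1].isalpha() else qid


def correlate(mdlog_text, clamd_text, clam_label="CLAMAV"):
    """Join the two logs on the message id and flag messages where clamd
    reported a detection but MIMEDefang credited a different scanner."""
    md = parse_mdlog(mdlog_text)
    clam = parse_clamd(clamd_text)
    report = []
    for qid in sorted(md):
        scanner, label = md[qid]
        clam_name = clam.get(dir_id(qid))
        if clam_name is None:
            status = "clamd logged no detection"
        elif scanner == clam_label:
            status = "consistent"
        else:
            status = f"clamd found {clam_name} but {scanner} got the credit"
        report.append((qid, scanner, label, status))
    return report


if __name__ == "__main__":
    for qid, scanner, label, status in correlate(MDLOG_LINES, CLAMD_LINES):
        print(f"{qid}: {scanner:<7} {label:<24} {status}")
```

Point the two constants at real mimedefang.pl and clamd log extracts (or read them from files) and the "got the credit" rows are exactly the messages to look at when deciding whether the filter_begin/filter double scan is what reassigns the detection.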