[Mimedefang] ClamAV not detecting all viruses

Stewart James stewart.james at vu.edu.au
Sun Jul 4 20:22:59 EDT 2004


Bugger. Upgraded ClamAV this morning and still having the same issues.

I have dug a little deeper. (ClamAV: 0.73 and MD: 2.41)

I have a small patch (sent back to MD) that logs which scanner found the
virus so I could do some stats about it at some stage. I see log lines
like:

Jul  5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,<EMAIL1>,<EMAIL2>,Mail Delivery (failure EMAIL2)

Great, except that ClamAV is run first. This morning I thought I had better
look at the clamav-daemon log file. Fortunately MD uses the msgid in the
directory name, so I could search for i650048S013874. And ClamAV had
detected the virus (I checked a handful to be sure), so in the ClamAV
logs I can find a corresponding line:

Mon Jul  5 10:00:26 2004 -> /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND

So now my head hurts (brick wall and all). My relevant filter and
filter_begin portions are below. However, reviewing them I think I have
perhaps spotted an issue. I scan with message_contains_virus in
filter_begin and then with entity_contains_virus in filter. I am
wondering if this is the real cause of my grief (plus now I scan
everything more than needed).

Does anyone have any thoughts on it? (In the meantime I will try
altering my filter.)

Stewart


This is in sub filter_begin():

    # Scan the whole message once with the configured scanners. Besides the
    # return values, this sets the globals $FoundVirus, $VirusName,
    # $VirusScanner and $VirusScannerMessages.
    my($code, $category, $action) = message_contains_virus();


This is near the top of sub filter($$$$):

    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        # Scan this entity again with the configured scanners.
        ($code, $category, $action) = entity_contains_virus($entity);
        # If you are more paranoid, change to: if ($action eq "quarantine") {
        if ($category eq "virus") {
            md_graphdefang_log('virus', $VirusName, $RelayAddr);
            md_graphdefang_log('scanner', "$VirusScanner-$VirusName", $VirusScanner);

            # Bounce the mail!
            action_bounce("Virus $VirusName found in mail - rejected");

            # But quarantine the part for examination later.  Comment
            # the next line out if you don't want to bother.
            if ($VirusScanner eq "TREND") {
                action_quarantine_entire_message("Trend found a virus");
            }
            #action_quarantine($entity, "A known virus was discovered and deleted.  Virus-scanner messages follow:\n$VirusScannerMessages\n\n");

            return;
        }
        if ($action eq "tempfail") {
            action_tempfail("Problem running virus-scanner");
            md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
        }
    }



On Wed, 2004-06-30 at 13:33 +1000, Stewart James wrote:
> > Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72
> > because of a Proxy issue, so I can't confirm if it actually did get
> > fixed there.
> 
> Well it's a 3 day wait (OK a couple more because that falls on a weekend
> here). I will see if 0.73 resolves it for me, if not, I can start
> looking at "why not" of it all.
> 
> I will let the list know the outcome :)
> 
> Cheers,
> 
> Stewart
> 
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
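The cross-check the post does by hand (take the queue id from an MDLOG "scanner" line, look for the mdefang-<id> work directory in the clamd log, and see whether clamd had already logged a FOUND for that message) as an added example. This is not code from the post or from MIMEDefang. The sample log lines are constructed from the two quoted above plus an invented second message and an OK line; the scanner label "CLAMAV" that MIMEDefang would record for a clamd hit is an assumption, and the matching allows for the work-dir id lacking the first character of the queue id, as it does in the post's two lines.

```python
import re

# Constructed sample input: the two lines quoted in the post, plus an invented
# second message and a clamd OK line so the join has something to skip.
# <EMAIL1>/<EMAIL2> are the post's own placeholders; "CLAMAV" as the scanner
# label MIMEDefang logs for a clamd hit is an assumption.
MD_LOG = """\
Jul  5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,<EMAIL1>,<EMAIL2>,Mail Delivery (failure EMAIL2)
Jul  5 10:01:02 lime mimedefang.pl[7204]: MDLOG,i650049S013901,scanner,CLAMAV-Worm.SomeFool.P,CLAMAV,<EMAIL1>,<EMAIL2>,Re: hello
"""
CLAMD_LOG = """\
Mon Jul  5 10:00:26 2004 -> /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND
Mon Jul  5 10:01:02 2004 -> /var/spool/MIMEDefang/mdefang-650049S013901/Work/INPUTMSG: Worm.SomeFool.P FOUND
Mon Jul  5 10:02:11 2004 -> /var/spool/MIMEDefang/mdefang-650050S013950/Work/INPUTMSG: OK
"""

# MDLOG fields are comma separated: MDLOG,<queue id>,<event>,<value1>,<value2>,...
MDLOG_RE = re.compile(r"MDLOG,(?P<qid>[^,]+),scanner,(?P<detail>[^,]*),(?P<scanner>[^,]*)")
# clamd logs the scanned path; the MIMEDefang work dir is mdefang-<id> and a hit ends in FOUND.
CLAMD_RE = re.compile(r"/mdefang-(?P<wid>[^/]+)/[^:]+: (?P<name>.+?) FOUND$")


def parse_mdlog(text):
    """Map queue id -> (scanner credited by MDLOG, '<scanner>-<virus>' detail)."""
    hits = {}
    for line in text.splitlines():
        m = MDLOG_RE.search(line)
        if m:
            hits[m.group("qid")] = (m.group("scanner"), m.group("detail"))
    return hits


def parse_clamd(text):
    """Map mdefang work-dir id -> virus name for clamd FOUND lines (OK lines are skipped)."""
    hits = {}
    for line in text.splitlines():
        m = CLAMD_RE.search(line)
        if m:
            hits[m.group("wid")] = m.group("name")
    return hits


def clamd_hit_for(qid, clamd_hits):
    """Return the clamd virus name for a queue id, or None.

    In the post the work-dir id (650048S013874) is the queue id
    (i650048S013874) without its first character, so accept an exact match
    or a suffix at most one character shorter than the queue id."""
    for wid, name in clamd_hits.items():
        if qid == wid or (qid.endswith(wid) and len(wid) >= len(qid) - 1):
            return name
    return None


def correlate(md_text, clamd_text):
    """For each MDLOG scanner event, report which scanner MIMEDefang credited
    and whether clamd had already logged a FOUND for the same message."""
    clamd_hits = parse_clamd(clamd_text)
    rows = []
    for qid, (scanner, detail) in parse_mdlog(md_text).items():
        found = clamd_hit_for(qid, clamd_hits)
        rows.append({
            "qid": qid,
            "credited": scanner,
            "detail": detail,
            "clamd": found,
            # True when clamd found it but MDLOG credits a different scanner
            "credited_elsewhere": found is not None and scanner.upper() != "CLAMAV",
        })
    return rows


if __name__ == "__main__":
    for row in correlate(MD_LOG, CLAMD_LOG):
        flag = "  <-- clamd found it first" if row["credited_elsewhere"] else ""
        print(f"{row['qid']}: MDLOG credits {row['credited']} ({row['detail']}); "
              f"clamd: {row['clamd'] or 'no FOUND line'}{flag}")
```

Run against real files by replacing the two constants with the contents of the mail log and the clamd log; the rows flagged credited_elsewhere are exactly the messages the post describes, where clamd logged a FOUND but the MDLOG line names another scanner.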