On 4/24/10 4:05 PM, Noel Jones wrote:
> On 4/24/2010 1:29 PM, Stefan Foerster wrote:
>
>> * Michael Scheidell <[email protected]>:
>>
>>> On 4/22/10 5:03 PM, Noel Jones wrote:
>>>
>>>> With clamav (and likely other virus scanners), it's necessary
>>>> for the scanner to see the whole message for some signatures
>>>> to match. Normally one would just set $bypass_decode_parts =
>>>> 1 for this.
>>>>
>>>>
>>> Actually, there is a way to do this.
>>>
>>> I use this, don't remember what else I did, but all the 'sanesecurity'
>>> tests pass, and banned attachment blocking, bouncekiller, all work.
>>>
>>>
>>> $bypass_decode_parts = 0;
>>> and change av scanners to this: (gets the whole email)
>>> @av_scanners = (
>>>   ['ClamAV-clamd',
>>>     \&ask_daemon, ["CONTSCAN {}/../email.txt\n", "/var/run/clamav/clamd"],
>>>     qr/\bOK$/, qr/\bFOUND$/,
>>>     qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
>>> );
>>>
>> So, "{}" expands to the temporary directory, not a specific file?
>>
> In this context, "{}" expands to the directory where all the
> decoded parts from a message are placed. As you can see in
> your own amavisd.conf, the default is "CONTSCAN {}\n" which
> basically tells clam to "scan everything here". Michael's
> trick is to point clam specifically at the original email only.
>
>
I can't take credit. If you Google the list archives, you will see Mark
himself came up with that trick a while back.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
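
The scanner entry discussed in the thread, modelled as an added example that is not part of the original messages and is not amavisd-new's own code: it expands the `{}` placeholder for the default and the modified command, then classifies clamd reply lines with the three patterns from the posted entry. Assumptions: the decoded parts live in a `parts` directory next to `email.txt`, an infected match takes precedence over a clean one, and the directory name, signature name and reply lines are constructed samples.

```python
import posixpath
import re

# Patterns copied from the posted @av_scanners entry (Perl syntax that Python's re accepts).
STS_CLEAN = re.compile(r"\bOK$", re.M)
STS_INFECTED = re.compile(r"\bFOUND$", re.M)
VIRUS_NAME = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)

# Constructed sample: per-message directory holding the decoded parts (assumed layout).
PARTS_DIR = "/var/amavis/tmp/amavis-EXAMPLE/parts"
MAIL = "/var/amavis/tmp/amavis-EXAMPLE/email.txt"

# Constructed clamd replies, one per outcome worth distinguishing.
SAMPLE_REPLIES = {
    "clean": MAIL + ": OK",
    "named": MAIL + ": Example.Phishing.Test-1.UNOFFICIAL FOUND",
    "archive": MAIL + ": Infected Archive FOUND",
    "error": MAIL + ": lstat() failed: No such file or directory. ERROR",
}


def expand_command(template, parts_dir):
    """Substitute the parts directory for {} and normalise the resulting path."""
    line = template.rstrip("\n").replace("{}", parts_dir)
    verb, path = line.split(" ", 1)
    return verb, posixpath.normpath(path)


def classify(reply):
    """Return (status, virus_names) for a clamd reply."""
    if STS_INFECTED.search(reply):
        # The name pattern skips the generic "Infected Archive" label,
        # so such a reply is still infected but yields no virus name.
        return "infected", VIRUS_NAME.findall(reply)
    if STS_CLEAN.search(reply):
        return "clean", []
    # Neither pattern matched (for example an ERROR reply): this is a
    # scanner failure and must not be treated as a clean result.
    return "unknown", []


if __name__ == "__main__":
    print(expand_command("CONTSCAN {}\n", PARTS_DIR))
    print(expand_command("CONTSCAN {}/../email.txt\n", PARTS_DIR))
    for label, reply in SAMPLE_REPLIES.items():
        print(label, classify(reply))
```

The "error" case is the one to watch after changing the path: if `email.txt` is not where the command points, clamd answers with an error rather than `OK` or `FOUND`.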