I'll try to be more specific. What I have in my virus.cfg file is essentially what has been posted here on the list by several different people as the accepted info to put in the file.
SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt VIRUSCODE1 1 REPORT1 FOUND So I should be able to type the following at a command prompt and have it work: C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 123456789.eml It used to work, but now it doesn't. It generates the lstat error. After some experimentation, I found that typing the following does work: C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml and so does this: C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt C:\temp\123456789.eml In setting virus.cfg to DEBUG, it shows Declude creating the long pathname. But since it deletes the report.txt file, I can't see what is being generated. When I reprocess the new RAR file worm, the Declude log lines show ClamAV giving a return code of zero. When I do it from the command prompt, ClamAV says Email.Phishing.RB-686 FOUND. When I test another message that is an image spam that is picked up by the Sanesecurity phishing files, Declude finds it with ClamAV, and ClamAV finds it using the command prompt. So maybe this problem and the lstat error are unrelated. -------- Original Message -------- > From: "Andy Schmidt" <[EMAIL PROTECTED]> > Sent: Wednesday, April 25, 2007 8:33 PM > To: declude.virus@declude.com > Subject: RE: [Declude.Virus] ClamAV lstat() failed. ERROR > > Gary, > > I'm not sure I understand your point. > > What you define in Virus.cfg, e.g.: > > SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD > D:\IMAIL\Declude\SCAN.CFG > > is only the START of the command line, to which Declude appends the full > path for the file it tries to scan. > > So, if you defined: > > SCANFILE C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt > > and the Declude is processing the file c:\temp\123456789.eml then it would > issue the command > > c:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt > c:\temp\123456789.eml > > > I recommend you turn on the debug mode for Declude virus and then inspect > the relevant lines of the log (or send them to the list so that we can take > a look at it). Obviously, you'd also need to share your virus.cfg > configuration so that we understand the context. > > Best Regards, > Andy > > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary > Steiner > Sent: Wednesday, April 25, 2007 6:39 PM > To: declude.virus@declude.com > Subject: [Declude.Virus] ClamAV lstat() failed. ERROR > > In pursuing the problem of the new worm with a password-protected RAR file, > I found a problem with ClamAV. > > I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with > runclamd and runclamscan). > > Declude uses the following string: > C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt > > If I try to use it at a command prompt, I get the lstat() failed error. If I > type in the full path for my command string, such as > C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt > C:\temp\123456789.eml > > it works. The problem is that Declude scans a file in a different directory > each time, so the path changes. So for Declude to work now, it would require > a significant change in Declude. > > But ClamAV worked before. What changed? Can it be changed back? Is this a > problem with ClamAV in general, or just with the SOSDG Windows port? Do the > other ClamAV ports have this problem? > > Any suggestions you might have are greatly appreciated. > > Gary Steiner > > > > > > > > > --- This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
