Re: [Declude.Virus] ClamAV lstat() failed. ERROR

2007-04-25 Thread Darrell ([EMAIL PROTECTED])
Gary,

In order to scan the file, I am sure Declude has to append the path to the 
files to scan; otherwise how would the virus scanner know what to scan?  It 
needs some type of path.  Unless possibly it sets a working directory and 
expects the scanner to scan all the files in the working directory.  I 
suspect it gets a path much like it calls an external application.  Flip 
your logs to debug. What does it show?

Darrell


Check out http://www.invariantsystems.com for utilities for Declude And 
Imail.  IMail/Declude Overflow Queue Monitoring, SURBL/URI integration, MRTG 
Integration, and Log Parsers.
- Original Message - 
From: Gary Steiner [EMAIL PROTECTED]
To: declude.virus@declude.com
Sent: Wednesday, April 25, 2007 6:39 PM
Subject: [Declude.Virus] ClamAV lstat() failed. ERROR


In pursuing the problem of the new worm with a password-protected RAR file, 
I found a problem with ClamAV.

I'm running the SOSDG ClamAV Windows port version 0.90.2-2 (along with 
runclamd and runclamscan).

Declude uses the following string:
C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt

If I try to use it at a command prompt, I get the lstat() failed error. If I 
type in the full path for my command string, such as
C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

it works. The problem is that Declude scans a file in a different directory 
each time, so the path changes. So for Declude to work now, it would require 
a significant change in Declude.

But ClamAV worked before. What changed? Can it be changed back? Is this a 
problem with ClamAV in general, or just with the SOSDG Windows port? Do the 
other ClamAV ports have this problem?

Any suggestions you might have are greatly appreciated.

Gary Steiner

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus.  The archives can be found
at http://www.mail-archive.com.







RE: [Declude.Virus] ClamAV lstat() failed. ERROR

2007-04-25 Thread Gary Steiner
I'll try to be more specific.

What I have in my virus.cfg file is essentially what has been posted here on 
the list by several different people as the accepted info to put in the file.

SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND

So I should be able to type the following at a command prompt and have it work:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt 123456789.eml

It used to work, but now it doesn't.  It generates the lstat error.  After some 
experimentation, I found that typing the following does work:

C:\clamav-devel\bin\clamdscan.exe --quiet -l C:\temp\report.txt C:\temp\123456789.eml

and so does this:

C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt C:\temp\123456789.eml

In setting virus.cfg to DEBUG, it shows Declude creating the long pathname.  
But since it deletes the report.txt file, I can't see what is being generated.  
When I reprocess the new RAR file worm, the Declude log lines show ClamAV 
giving a return code of zero.  When I do it from the command prompt, ClamAV 
says Email.Phishing.RB-686 FOUND.

When I test another message that is an image spam that is picked up by the 
Sanesecurity phishing files, Declude finds it with ClamAV, and ClamAV finds it 
using the command prompt.

So maybe this problem and the lstat error are unrelated.


 Original Message 
 From: Andy Schmidt [EMAIL PROTECTED]
 Sent: Wednesday, April 25, 2007 8:33 PM
 To: declude.virus@declude.com
 Subject: RE: [Declude.Virus] ClamAV lstat() failed. ERROR
 
 Gary,
 
 I'm not sure I understand your point.
 
 What you define in Virus.cfg, e.g.:
 
   SCANFILE C:\Progra~1\Common~1\Networ~1\Engine\SCAN.EXE /LOAD D:\IMAIL\Declude\SCAN.CFG
 
 is only the START of the command line, to which Declude appends the full
 path for the file it tries to scan.
 
 So, if you defined:
 
   SCANFILE C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
 
 and Declude is processing the file c:\temp\123456789.eml then it would
 issue the command
 
   c:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt c:\temp\123456789.eml
 
 
 I recommend you turn on the debug mode for Declude virus and then inspect
 the relevant lines of the log (or send them to the list so that we can take
 a look at it). Obviously, you'd also need to share your virus.cfg
 configuration so that we understand the context.
 
 Best Regards,
 Andy
 
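Added example (not part of the original thread, and not Declude's or ClamAV's code): a small Python check that composes the command line the way Andy describes, SCANFILE prefix plus the message path, and lists which path arguments are relative, which is the only difference between the variants Gary tried. The working directory `C:\work` and the function names are assumptions; tokens are split on whitespace, so paths containing spaces are not handled.

```python
import ntpath  # Windows path rules, so this runs on any host OS

# Constructed virus.cfg excerpt built from the lines quoted in the thread.
VIRUS_CFG = r"""
SCANFILE1 C:\clamav-devel\thirdparty\runclamscan\runclamscan.exe log=2 C:\clamav-devel\bin\clamdscan.exe --quiet -l report.txt
VIRUSCODE1 1
REPORT1 FOUND
"""

def scanfile_prefix(cfg_text, index=1):
    """Return the command-line prefix from the SCANFILE<index> line."""
    key = f"SCANFILE{index}"
    for line in cfg_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == key:
            return parts[1]
    raise KeyError(key)

def compose(prefix, message_path):
    """Append the path of the file to scan to the configured prefix."""
    return f"{prefix} {message_path}"

def relative_path_args(command, cwd):
    """Return (token, resolved) for file-like arguments that are not absolute.

    A token counts as file-like if it is not an option (-x, --x), not a
    key=value pair, and has a file extension. 'cwd' is the directory the
    resolving process is assumed to run in (hypothetical value).
    """
    found = []
    for token in command.split():
        if token.startswith("-") or "=" in token:
            continue
        if not ntpath.splitext(token)[1]:
            continue
        if not ntpath.isabs(token):
            found.append((token, ntpath.normpath(ntpath.join(cwd, token))))
    return found

if __name__ == "__main__":
    prefix = scanfile_prefix(VIRUS_CFG)
    for target in (r"C:\temp\123456789.eml", "123456789.eml"):
        cmd = compose(prefix, target)
        print(cmd)
        for token, resolved in relative_path_args(cmd, r"C:\work"):
            print(f"  relative: {token} -> {resolved}")
```
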