Andy,

Ahah. We are debugging an install at this very moment which is exhibiting that issue. Your posts were of immense value. Oddly, my install of Declude on Imail does not create those directories. But I was not testing under Windows 2003. We will work to correct the issue quickly.

Thanks.

Andrew Wallo

----- Original Message -----
From: "Andy Schmidt" <andy_schm...@hm-software.com>
To: "Message Sniffer Community" <sniffer@sortmonster.com>
Sent: Tuesday, February 03, 2009 5:42 PM
Subject: [sniffer] Re: Announcing ClamAID - Clam AV installer for windows.


1. >> We haven't detected a trailing backslash issue with clamdscan.exe being called from Declude. <<

My Declude creates a temporary folder

C:\imail\spool\proc\work\Dxxxxxxxxxxxxxx.vir\

where it "unravels" the nested MIME attachments that belong to a single mail as individual files and then it attempts to scan the entire temporary folder content by launching:

CLAMDSCAN.EXE -v --no-summary -l report.txt C:\imail\spool\proc\work\Dxxxxxxxxxxxxxx.vir\

The problem is that the W32.ClamAV.net build will return "No such file or
directory" (under Windows 2003) if you pass a trailing slash. It WOULD work
and scan the entire folder ONLY if the trailing backslash is omitted.

I'm curious - in your system, what happens when you do:

ClamDScan c:\windows\

vs.

ClamDScan c:\windows

2. Your page http://www.armresearch.com/tools/arm/clamAID.jsp states:
"Navigate to the <mail-application>\declude\ directory under Imail or
Smartermail. Find the virus.cfg file. The file should now have an entry:
#CLAMAV_CLAMAID
SCANFILE D:\PROGRA~1\ClamAV\CLAMDS~1.EXE -v --config-file="D:\PROGRA~1\ClamAV\conf\clamd.conf" --no-summary -l D:\PROGRA~1\ClamAV\log\report.txt
VIRUSCODE 1"

If this is true, then on a busy server, multiple concurrent ClamAV processes
would be attempting to write into the SAME "report.txt" file in the CLAMAV
program files folder - causing concurrency problems or "locked file"
problems. The best approach would be to leave out the path information and
let ClamAV create a unique Report.txt file in the distinct temporary folder
that is created for each message!

I have read about this in some reports, and I've used the Declude
recommended call for calling Clam... I'd like more information if you have
<<

The ClamAV report file will have the following format:

--------------------------------------
C:\Maintenance\Eicar.com: Eicar-Test-Signature FOUND

Declude will parse that Report.txt file and NOT expect to see the "---"
divider line AND will look for the word "FOUND" and expect the virus name
AFTER the search token "FOUND".

Consequently the parsing will fail. Declude WILL recognize the error level
and know that the email was infected, but neither the Declude log NOR the
virus notification emails will report a sensible virus name.

So the correct view of what is happening should be being logged on the
ClamAV side, if not fully transparent through Declude. <<

The virus notification emails are wrong and those of us who generate
anti-virus reports by scanning the declude virus logfiles will get nonsense
reporting.

if you have it on your specific solution of the name-disconnect <<

Well, it's fairly simple. The script I had sent in my post two days ago does
the following:

a) trim the trailing backslash from the path if any is found
b) read and parse the ClamAV report.txt file and output a new Report.txt
file that uses a format that's parsable by Declude.

Best Regards,
Andy Schmidt




#############################################################
This message is sent to you because you are subscribed to
 the mailing list <sniffer@sortmonster.com>.
To unsubscribe, E-mail to: <sniffer-...@sortmonster.com>
To switch to the DIGEST mode, E-mail to <sniffer-dig...@sortmonster.com>
To switch to the INDEX mode, E-mail to <sniffer-in...@sortmonster.com>
Send administrative queries to  <sniffer-requ...@sortmonster.com>
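
The two wrapper steps described in the message above (trim the trailing backslash, rewrite the ClamAV report so the virus name follows "FOUND"), as an added Python example that is not part of the thread and is not Andy Schmidt's script. The function names and the exact output layout `<path>: FOUND <name>` are assumptions; the thread only states that Declude expects no "---" divider and the name after the token "FOUND".

```python
import ntpath
import re

# "<path>: <signature> FOUND", as in the report line quoted in the message.
FOUND_LINE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND\s*$")
DIVIDER = re.compile(r"^-{3,}\s*$")


def trim_scan_path(path: str) -> str:
    """Drop trailing backslashes, but keep a drive root such as C:\\ intact."""
    trimmed = path.rstrip("\\/")
    drive, rest = ntpath.splitdrive(trimmed)
    if drive and not rest:
        # "C:" alone means "current directory on C:", so restore the root.
        return drive + "\\"
    return trimmed


def rewrite_report(text: str) -> str:
    """Remove divider lines and move the signature name after FOUND."""
    out = []
    for line in text.splitlines():
        if DIVIDER.match(line):
            continue  # Declude does not expect the "---" divider
        m = FOUND_LINE.match(line)
        if m:
            # Assumed layout: only "name follows FOUND" comes from the thread.
            line = f"{m['path']}: FOUND {m['name']}"
        out.append(line)  # other lines (e.g. "OK") pass through unchanged
    return "\n".join(out) + ("\n" if out else "")


# Constructed sample report in the format quoted in the message.
SAMPLE_REPORT = (
    "--------------------------------------\n"
    "C:\\Maintenance\\Eicar.com: Eicar-Test-Signature FOUND\n"
)

if __name__ == "__main__":
    print(trim_scan_path("C:\\imail\\spool\\proc\\work\\Dxxxxxxxxxxxxxx.vir\\"))
    print(rewrite_report(SAMPLE_REPORT), end="")
```
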


