I finally caved and decided to install the SaneSecurity signatures for ClamAV on my incoming mail host. However, I can't get the second signature test[1] to pass. I was hoping somebody here could point me in the right direction.
I have already installed the SaneSecurity signatures. Mail comes in through Postfix, and is filtered through amavisd-new (v2.6.3), which then feeds the message through ClamAV (v0.95.1). It appears as if the signatures are installed correctly, because Test #3 on [1] passes. Everything else works as expected.

According to the SaneSecurity docs, Amavis needs to pass the entire message body, unmodified, to ClamAV. This is accomplished via

    $bypass_decode_parts = 1;

which is set, and not re-defined further down in amavisd.conf. It appears to work:

    [amavis] (17916-02) presenting full original message to scanners as /var/amavis/tmp/amavis-20090624T145243-17916/parts/p001

However, ClamAV doesn't catch the subject header, which contains the string from Test #2:

    [amavis] (17916-02) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20090624T145243-17916/parts\n to UNIX socket /var/run/clamav/clamd.sock
    [amavis] (17916-02) ask_av (ClamAV-clamd) result: /var/amavis/tmp/amavis-20090624T145243-17916/parts: OK\n

Now, at this point, I figured the message must have been mangled, or that I was pasting the signature incorrectly. But, since I receive the test message in my inbox, I was able to copy both the source and the final messages to the mail host in question. Running clamdscan directly *does* find the signature:

    # clamdscan test.msg
    /test.msg: Sanesecurity.TestSig_Type4_Hdr.UNOFFICIAL FOUND

    ----------- SCAN SUMMARY -----------
    Infected files: 1
    Time: 0.013 sec (0 m 0 s)

So, my conclusion is that.. something is wonky, but I'm not sure where. Anyone have an idea?

[1] http://www.sanesecurity.co.uk/clamav/sigtests.htm
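An added example, not part of the original post: a small Python correlator that groups amavisd log lines by request id and reports what was presented to the scanners, what path was handed to clamd, and the verdict that came back. It assumes the log layout is exactly as quoted above; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines as quoted in the post ("\n" is literal text in the amavisd log).
SAMPLE_LOG = r"""
[amavis] (17916-02) presenting full original message to scanners as /var/amavis/tmp/amavis-20090624T145243-17916/parts/p001
[amavis] (17916-02) ClamAV-clamd: Sending CONTSCAN /var/amavis/tmp/amavis-20090624T145243-17916/parts\n to UNIX socket /var/run/clamav/clamd.sock
[amavis] (17916-02) ask_av (ClamAV-clamd) result: /var/amavis/tmp/amavis-20090624T145243-17916/parts: OK\n
"""

LINE = re.compile(r"\((?P<id>\d+-\d+)\)\s+(?P<msg>.*)$")
PRESENT = re.compile(r"presenting full original message to scanners as (?P<path>\S+)")
SENT = re.compile(r"Sending (?P<cmd>[A-Z]+) (?P<path>\S+?)\\n to UNIX socket (?P<sock>\S+)")
RESULT = re.compile(r"ask_av \((?P<scanner>[^)]+)\) result: (?P<path>\S+): (?P<verdict>.+?)(?:\\n)?$")


def correlate(log_text):
    """Return {request_id: facts} built from amavisd scanner log lines."""
    sessions = defaultdict(dict)
    for raw in log_text.splitlines():
        line = LINE.search(raw.strip())
        if not line:
            continue
        facts, msg = sessions[line["id"]], line["msg"]
        if (m := PRESENT.search(msg)):
            facts["presented"] = m["path"]
        elif (m := SENT.search(msg)):
            facts["command"], facts["scanned"], facts["socket"] = m["cmd"], m["path"], m["sock"]
        elif (m := RESULT.search(msg)):
            facts["scanner"], facts["verdict"] = m["scanner"], m["verdict"]
    for facts in sessions.values():
        presented, scanned = facts.get("presented"), facts.get("scanned")
        # True when the unmodified message file lies under the path given to clamd.
        facts["original_in_scan_scope"] = bool(
            presented and scanned and presented.startswith(scanned.rstrip("/") + "/")
        )
    return dict(sessions)


if __name__ == "__main__":
    for request_id, facts in correlate(SAMPLE_LOG).items():
        print(request_id, facts)
```

For the quoted request the presented file sits inside the directory sent with CONTSCAN and the verdict is still OK, which is the discrepancy with the manual clamdscan run that the post describes.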