Michael,

> I finally caved and decided to install the SaneSecurity signatures for
> ClamAV on my incoming mail host. However, I can't get the second
> signature test[1] to pass. I was hoping somebody here could point me in
> the right direction.
>
> I have already installed the SaneSecurity signatures. Mail comes in
> through Postfix, and is filtered through amavisd-new (v2.6.3), which
> then feeds the message through ClamAV (v0.95.1). It appears as if the
> signatures are installed correctly, because Test #3 on [1] passes.
> Everything else works as expected.
>
> According to the SaneSecurity docs, Amavis needs to pass the entire
> message body, unmodified, to ClamAV. This is accomplished via
>
> $bypass_decode_parts = 1;
>
> which is set, and not re-defined further down in amavisd.conf.

Yes, that should suffice. Alternatively, when $bypass_decode_parts
is left at false, it is still possible to let a full original mail
message reach a virus scanner by adding a match on 'MAIL' into
@keep_decoded_original_maps, e.g.:

  @keep_decoded_original_maps = (new_RE(
    qr'^MAIL$',   # retain full original message for virus checking
    qr'^MAIL-UNDECIPHERABLE$',   # contains undecipherables
    qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
  ));

> It appears to work:
> [amavis] (17916-02) presenting full original message to scanners as
> /var/amavis/tmp/amavis-20090624T145243-17916/parts/p001

That should do.

> However, ClamAV doesn't catch the subject header, which contains the
> string from Test #2:
>
> [amavis] (17916-02) ClamAV-clamd: Sending CONTSCAN
> /var/amavis/tmp/amavis-20090624T145243-17916/parts\n to UNIX socket
> /var/run/clamav/clamd.sock
>
> [amavis] (17916-02) ask_av (ClamAV-clamd) result:
> /var/amavis/tmp/amavis-20090624T145243-17916/parts: OK\n
>
> Now, at this point, I figured the message must have been mangled, or
> that I was pasting the signature incorrectly. But, since I receive the
> test message in my inbox, I was able to copy both the source and the
> final messages to the mail host in question. Running clamdscan directly
> *does* find the signature.

See what ended up in the .../parts directory by turning on
per-recipient debugging, e.g.:

  @debug_sender_maps = ( ['yours...@example.com'] );

Apart from turning on full logging for a message to the specified
recipient address, it will also retain the contents of a temporary
directory, so you will be able to check what exactly is there.
The directory location will be logged, e.g.:

  PRESERVING EVIDENCE in /var/amavis/amavis-20090624T233048-45480

  Mark