Noel Jones wrote:
> Michael Orlitzky wrote:
>> I finally caved and decided to install the SaneSecurity signatures for
>> ClamAV on my incoming mail host. However, I can't get the second
>> signature test[1] to pass. I was hoping somebody here could point me in
>> the right direction.
>>
>> I have already installed the SaneSecurity signatures. Mail comes in
>> through Postfix, and is filtered through amavisd-new (v2.6.3), which
>> then feeds the message through ClamAV (v0.95.1). It appears as if the
>> signatures are installed correctly, because Test #3 on [1] passes.
>> Everything else works as expected.
>>
>> According to the SaneSecurity docs, Amavis needs to pass the entire
>> message body, unmodified, to ClamAV. This is accomplished via
>>
>>   $bypass_decode_parts = 1;
>>
>> which is set, and not re-defined further down in amavisd.conf. It
>> appears to work:
>>
>>   [amavis] (17916-02) presenting full original message to scanners as
>>   /var/amavis/tmp/amavis-20090624T145243-17916/parts/p001
>>
>> However, ClamAV doesn't catch the subject header, which contains the
>> string from Test #2:
>>
>>   [amavis] (17916-02) ClamAV-clamd: Sending CONTSCAN
>>   /var/amavis/tmp/amavis-20090624T145243-17916/parts\n to UNIX socket
>>   /var/run/clamav/clamd.sock
>>
>>   [amavis] (17916-02) ask_av (ClamAV-clamd) result:
>>   /var/amavis/tmp/amavis-20090624T145243-17916/parts: OK\n
>>
>> Now, at this point, I figured the message must have been mangled, or
>> that I was pasting the signature incorrectly. But, since I receive the
>> test message in my inbox, I was able to copy both the source and the
>> final messages to the mail host in question. Running clamdscan directly
>> *does* find the signature:
>>
>>   # clamdscan test.msg
>>   /test.msg: Sanesecurity.TestSig_Type4_Hdr.UNOFFICIAL FOUND
>>
>>   ----------- SCAN SUMMARY -----------
>>   Infected files: 1
>>   Time: 0.013 sec (0 m 0 s)
>>
>> So, my conclusion is that.. something is wonky, but I'm not sure where.
>> Anyone have an idea?
>>
>
> Try copying the sanesecurity.ftm to your clamav database
> directory. Your update script might have settings to do this
> for you.
>
> --
> Noel Jones
Already done, unless I'm mistaken regarding the ClamAV database directory?
I'm relatively confident that this is the correct directory for signature
databases, since the Sane Sigs do pass Test #3 (and direct scanning works
via clamdscan).

  # ls -lh /var/lib/clamav/
  total 63M
  -rw-r--r-- 1 clamav clamav 178K Jun 18 11:50 MSRBL-Images.hdb
  -rw-r--r-- 1 clamav clamav 238K May 21 13:01 MSRBL-SPAM.ndb
  drwxr-xr-x 2 clamav clamav 4.0K Jun 22 15:06 add-dbs
  drwxr-xr-x 2 clamav clamav 4.0K Jun 22 15:06 configs
  -rw-r--r-- 1 clamav clamav 1.9M Jun 24 12:32 daily.cld
  drwxr-xr-x 2 clamav clamav 4.0K May  3  2008 daily.inc
  drwx------ 2 clamav clamav 4.0K Jun 22 15:06 gpg-key
  -rw-r--r-- 1 clamav clamav  43K Jun 22 15:06 honeynet.hdb
  -rw-r--r-- 1 clamav clamav 2.5M Jun 22 14:45 junk.ndb
  -rw-r--r-- 1 clamav clamav 285K Jun 22 14:43 jurlbl.ndb
  -rw-r--r-- 1 clamav clamav  45M May 21 01:41 main.cld
  drwxr-xr-x 2 clamav clamav 4.0K May  3  2008 main.inc
  drwxr-xr-x 2 clamav clamav 4.0K Jun 22 15:06 mbl-dbs
  -rw-r--r-- 1 clamav clamav 101K Jun 22 15:06 mbl.ndb
  -rw-r--r-- 1 clamav clamav 1.8K Jun 24 16:32 mirrors.dat
  drwxr-xr-x 2 clamav clamav 4.0K Jun 22 15:06 msrbl-dbs
  -rw-r--r-- 1 clamav clamav 1.9M Jun 22 14:35 phish.ndb
  -rw-r--r-- 1 clamav clamav  39K Jun 16 16:01 rogue.hdb
  -rw-r--r-- 1 clamav clamav  862 Mar 20 14:46 sanesecurity.ftm
  -rw-r--r-- 1 clamav clamav 1.6M Jun 22 11:31 scam.ndb
  -rw-r--r-- 1 clamav clamav 8.4M Jun 22 15:06 securiteinfo.hdb
  drwxr-xr-x 2 clamav clamav 4.0K Jun 22 15:06 si-dbs
  -rw-r--r-- 1 clamav clamav  22K Jun 21 14:28 spamimg.hdb
  drwxr-xr-x 2 clamav clamav 4.0K Jun 22 15:06 ss-dbs
  -rw-r--r-- 1 clamav clamav 760K Jun 22 15:06 vx.hdb
  -rw-r--r-- 1 clamav clamav  57K Jun 22 14:36 winnow_malware.hdb
  -rw-r--r-- 1 clamav clamav 117K Jun 22 14:36 winnow_malware_links.ndb

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
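A small diagnostic that speaks clamd's own socket protocol, added here as an example (it is not part of the thread and not amavisd-new's or ClamAV's code): it sends the same CONTSCAN that amavis sends for the parts directory, then streams the p001 file to clamd with INSTREAM, so the two verdicts can be compared without amavis in between. The socket path is the one from the thread; the parts directory is taken from the command line.

```python
import socket
import struct
import sys

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # path quoted in the thread


def parse_reply(line):
    """Turn a clamd reply such as '/test.msg: Foo.UNOFFICIAL FOUND'
    into (path, verdict, signature); signature is None when clean."""
    line = line.rstrip("\x00\n")
    path, _, status = line.partition(": ")
    if status == "OK":
        return path, "OK", None
    if status.endswith(" FOUND"):
        return path, "FOUND", status[: -len(" FOUND")]
    return path, "ERROR", status  # e.g. 'lstat() failed: ... ERROR'


def _talk(sock_path, payload):
    """Send one NUL-terminated ('z' prefixed) command, collect the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(payload)
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
    return [l.decode("utf-8", "replace") for l in buf.split(b"\x00") if l]


def contscan(path, sock_path=CLAMD_SOCKET):
    """What amavisd-new does: scan a path on disk, one reply per file."""
    cmd = b"zCONTSCAN " + path.encode() + b"\x00"
    return [parse_reply(l) for l in _talk(sock_path, cmd)]


def instream(data, sock_path=CLAMD_SOCKET):
    """Stream raw message bytes; clamd reports the result as 'stream'."""
    body = b"zINSTREAM\x00"
    for i in range(0, len(data), 65536):        # length-prefixed chunks
        chunk = data[i:i + 65536]
        body += struct.pack(">I", len(chunk)) + chunk
    body += struct.pack(">I", 0)                # zero-length chunk ends it
    return parse_reply(_talk(sock_path, body)[0])


if __name__ == "__main__":
    parts_dir = sys.argv[1]  # e.g. /var/amavis/tmp/amavis-.../parts
    for path, verdict, sig in contscan(parts_dir):
        print("CONTSCAN", path, verdict, sig or "")
    with open(parts_dir + "/p001", "rb") as f:
        print("INSTREAM p001", *instream(f.read()))
```

If CONTSCAN on the directory says OK while INSTREAM of the same bytes says FOUND, the difference lies in how clamd handles the on-disk file, not in the signature database.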