On 4/24/2010 1:29 PM, Stefan Foerster wrote:
> * Michael Scheidell<list-s...@secnap.com>:
>> On 4/22/10 5:03 PM, Noel Jones wrote:
>>> With clamav (and likely other virus scanners), it's necessary
>>> for the scanner to see the whole message for some signatures
>>> to match. Normally one would just set $bypass_decode_parts =
>>> 1 for this.
>>>
>> actually, there is a way to do this.
>>
>> I use this, don't remember what else I did, but all the 'sanesecurity'
>> tests pass. and banned attachment blocking, bouncekiller, all work.
>>
>>
>> $bypass_decode_parts = 0;
>> and change av scanners to this: (gets the whole email)
>> @av_scanners = (
>> ['ClamAV-clamd',
>> \&ask_daemon, ["CONTSCAN {}/../email.txt\n", "/var/run/clamav/clamd"],
>> qr/\bOK$/, qr/\bFOUND$/,
>> qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
>> );
>
> So, "{}" expands to the temporary directory, not a specific file?

In this context, "{}" expands to the directory where all the decoded parts from a message are placed. As you can see in your own amavisd.conf, the default is "CONTSCAN {}\n" which basically tells clam to "scan everything here".

Michael's trick is to point clam specifically at the original email only. This should work (and in fact does work) just fine, but is not an "obvious" solution. So I still think a config option or a note in the amavisd.config file is appropriate.

-- Noel Jones
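
The point discussed in this thread, that some signatures only match when the scanner sees the whole message, modelled offline as an added example (not code from the posters or from amavisd-new, and it does not talk to clamd). The sample message, the toy regex "signature" and the parts/p001 file naming are assumptions made for the illustration; only the "{}" and "{}/../email.txt" targets come from the thread.

```python
import re
import tempfile
from email import message_from_bytes
from pathlib import Path

# Constructed sample message, not taken from the thread.
RAW = (b"From: billing@example.test\r\n"
       b"Subject: Account notice\r\n"
       b"MIME-Version: 1.0\r\n"
       b"Content-Type: multipart/mixed; boundary=XX\r\n\r\n"
       b"--XX\r\nContent-Type: text/plain\r\n\r\nPlease verify your account\r\n"
       b"--XX\r\nContent-Type: text/html\r\n\r\n<p>Please verify your account</p>\r\n"
       b"--XX--\r\n")

# Toy stand-in (assumption) for a signature that ties a header to body text.
SIGNATURE = re.compile(rb"Subject: Account notice.*verify your account", re.S)

def unpack(raw: bytes, workdir: Path) -> Path:
    """Write email.txt plus decoded parts/ under workdir; return the parts dir."""
    (workdir / "email.txt").write_bytes(raw)
    parts = workdir / "parts"
    parts.mkdir()
    leaves = [p for p in message_from_bytes(raw).walk() if not p.is_multipart()]
    for i, part in enumerate(leaves, 1):
        # Hypothetical part file names; each file holds one decoded body only.
        (parts / f"p{i:03d}").write_bytes(part.get_payload(decode=True))
    return parts

def scan(template: str, parts_dir: Path) -> list[str]:
    """Expand "{}" as in the CONTSCAN argument; return names of matching files."""
    target = Path(template.replace("{}", str(parts_dir))).resolve()
    files = sorted(target.iterdir()) if target.is_dir() else [target]
    return [f.name for f in files if SIGNATURE.search(f.read_bytes())]

def demo() -> dict[str, list[str]]:
    """Scan the same message with the default target and the whole-email target."""
    with tempfile.TemporaryDirectory() as tmp:
        parts = unpack(RAW, Path(tmp))
        return {t: scan(t, parts) for t in ("{}", "{}/../email.txt")}

if __name__ == "__main__":
    for template, hits in demo().items():
        print(f"CONTSCAN {template!r:22} -> {hits or 'no match'}")
```

The decoded part files contain no headers, so the header-anchored pattern finds nothing under "{}" and matches only when the target is the original email.txt.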