On Wed, Jun 15, 2011 at 02:30:54PM +0200, Ralf Hildebrandt wrote: > * Ralf Hildebrandt <[email protected]>: > > How can I safely handle the case of all virus scanners failing? > > > > In the release notes I'm seeing: > > > > - a failure of all virus scanners no longer automatically tempfails the > > operation, but flags a message with a CC_UNCHECKED contents category > > (just like a failure of decoders/dearchivers), and allows the usual > > controls (*_destiny, *_quarantine_*) to be used to configure behaviour; > > for example: > > > > $final_unchecked_destiny = D_TEMPFAIL; > > $unchecked_quarantine_method = 'local:unchecked/%m.gz'; > > > > I want to catch the case of a virus pattern update gone wrong -- right > > now all the mails pass unchecked, I'd rather tempfail them. On the > > other hand - what about encrypted mails which cannot be scanned > > anyway? How can I let those pass? > > Looking at the categories I see no way of distinguishing an encrypted > archive (which should be passed) from a generic "all scanners have > failed" error (which should cause a tempfail). > > ... > Jun 15 10:05:08 mail amavis[3999]: (03999-08) p003 1/2 Content-Type: > application/x-zip-compressed, size: 12791 B, name: 3618_error_log_20110615.zip > Jun 15 10:05:08 mail amavis[3999]: (03999-08) do_unzip: p003, 1 members are > encrypted, none extracted, archive retained > Jun 15 10:05:09 mail amavis[3999]: (03999-08) FWD from <[email protected]> > -> <[email protected]>,BODY=7BIT 250 2.0.0 from > MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as 3QvL455jGWzFvq5 > Jun 15 10:05:09 mail amavis[3999]: (03999-08) Passed UNCHECKED > {RelayedInbound}, [217.16.101.214]:40793 [127.0.0.1] <[email protected]> > -> <[email protected]>, Message-ID: > <7fda82a7cd7eb24e81bf85c74caf8e0e4708a59...@exdkmbx022.corp.novocorp.net>,mail_id: > 60xc9rwqiz5V, Hits: -1.899, size: 26319, queued_as: 3QvL455jGWzFvq5, 905 ms > ... >
Given that ClamAV has some signatures for encrypted zip viruses, seems pointless trying to make such complex setup. Either your scanner works or it doesn't, you should put effort making sure of that.
