On 02/02/2017 11:17, Levente Birta wrote:
Hi

I use amavisd 2.10 and clamav 0.99 with sanesecurity.

in the amavisd.conf:

@virus_name_to_spam_score_maps =
    (new_RE(  # the order matters!
        [ qr`^Structured\.(SSN|CreditCardNumber)\b`            => 0.1 ],
        [ qr`^(Heuristics\.)?Phishing\.`                       => 0.1 ],
        [ qr`^(Email|HTML)\.Phishing\.(?!.*Sanesecurity)`      => 0.1 ],
        [ qr`^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\.` => undef ],# keep as infected
        [ qr`^Sanesecurity\.`                                  => 0.1 ],
        [ qr`^Sanesecurity.TestSig_`                           => 0   ],
        [ qr`^Email\.Spam\.Bounce(\.[^., ]*)*\.Sanesecurity\.` => 0   ],
        [ qr`^BofhlandMW\.`                                    => undef ],# keep as infected
        [ qr`^Bofhland\.Malware\.`                             => undef ],# keep as infected
        [ qr`^Bofhland\.`                                      => 0.1 ],
        [ qr`^winnow.malware\.`                                => undef ],# keep as infected
        [ qr`^winnow\_`                                        => 0.1 ],
        [ qr`^PhishTank\.Phishing\.`                           => 0.1 ],
        [ qr`^Porcupine\.Malware\.`                            => undef ],# keep as infected
        [ qr`^Porcupine\.`                                     => 0.1 ],
        [ qr`^Email\.Spammail\b`                               => 0.1 ],
        [ qr`^Safebrowsing\.`                                  => 0.1 ],
        [ qr`^winnow\.(phish|spam)\.`                          => 0.1 ],
        [ qr`^ScamNailer\.`                                    => 0.1 ],
        [ qr`SecuriteInfo\.com\.Spam\-720`                     => 1.5 ],
  ));

If the mail is detected as infected by clamav with one single infection,
the above map is working.
Here is the log:
Feb  2 10:00:51 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 4
Feb  2 10:00:51 wsrv clamd[18232]: Got new connection, FD 9
Feb  2 10:00:51 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 5
Feb  2 10:00:51 wsrv clamd[18232]: fds_poll_recv: timeout after 5 seconds
Feb  2 10:00:51 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 9
Feb  2 10:00:51 wsrv clamd[18232]: got command CONTSCAN /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts (75, 7), argument: /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts
Feb  2 10:00:51 wsrv clamd[18232]: mode -> MODE_WAITREPLY
Feb  2 10:00:51 wsrv clamd[18232]: Breaking command loop, mode is no longer MODE_COMMAND
Feb  2 10:00:51 wsrv clamd[18232]: Consumed entire command
Feb  2 10:00:51 wsrv clamd[18232]: Number of file descriptors polled: 1 fds
Feb  2 10:00:51 wsrv clamd[18232]: fds_poll_recv: timeout after 600 seconds
Feb  2 10:00:51 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
Feb  2 10:00:51 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
Feb  2 10:00:51 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts/p004: SecuriteInfo.com.Spam-720.UNOFFICIAL(5906f52c03b1982c4aed88c3778801d4:36917) FOUND
Feb  2 10:00:51 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts/p001: OK
Feb  2 10:00:51 wsrv clamd[18232]: Finished scanthread
Feb  2 10:00:51 wsrv clamd[18232]: Scanthread: connection shut down (FD 9)
Feb  2 10:00:51 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
Feb  2 10:00:51 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
Feb  2 10:00:51 wsrv amavis/pickup[18468]: (18468-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20170202T100051-18468-zTSdo6K6/parts INFECTED: SecuriteInfo.com.Spam-720.UNOFFICIAL
Feb  2 10:00:51 wsrv amavis/pickup[18468]: (18468-01) Turning AV infection into a spam report: score=1.5, AV:SecuriteInfo.com.Spam-720.UNOFFICIAL=1.5


But I have one mail with multiple infections like this:

Virus scanner output:
  p004: Sanesecurity.Blurl.b4e48a.UNOFFICIAL FOUND
  p002: Sanesecurity.Blurl.fcc3c3.UNOFFICIAL FOUND

and the log:

Feb  2 10:01:35 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 4
Feb  2 10:01:35 wsrv clamd[18232]: Got new connection, FD 9
Feb  2 10:01:35 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 5
Feb  2 10:01:35 wsrv clamd[18232]: fds_poll_recv: timeout after 5 seconds
Feb  2 10:01:35 wsrv clamd[18232]: Received POLLIN|POLLHUP on fd 9
Feb  2 10:01:35 wsrv clamd[18232]: got command CONTSCAN /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts (75, 7), argument: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts
Feb  2 10:01:35 wsrv clamd[18232]: mode -> MODE_WAITREPLY
Feb  2 10:01:35 wsrv clamd[18232]: Breaking command loop, mode is no longer MODE_COMMAND
Feb  2 10:01:35 wsrv clamd[18232]: Consumed entire command
Feb  2 10:01:35 wsrv clamd[18232]: Number of file descriptors polled: 1 fds
Feb  2 10:01:35 wsrv clamd[18232]: fds_poll_recv: timeout after 600 seconds
Feb  2 10:01:35 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
Feb  2 10:01:35 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
Feb  2 10:01:35 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts/p004: Sanesecurity.Blurl.b4e48a.UNOFFICIAL(f7555a23bbf9551c86212d6acd54ef8f:67128) FOUND
Feb  2 10:01:35 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts/p001: OK
Feb  2 10:01:35 wsrv clamd[18232]: /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts/p002: Sanesecurity.Blurl.fcc3c3.UNOFFICIAL(644a611c09aa304f053d15a0cc8c3460:41020) FOUND
Feb  2 10:01:35 wsrv clamd[18232]: Finished scanthread
Feb  2 10:01:35 wsrv clamd[18232]: Scanthread: connection shut down (FD 9)
Feb  2 10:01:35 wsrv clamd[18232]: THRMGR: queue (single) crossed low threshold -> signaling
Feb  2 10:01:35 wsrv clamd[18232]: THRMGR: queue (bulk) crossed low threshold -> signaling
Feb  2 10:01:35 wsrv amavis/pickup[18469]: (18469-01) run_av (ClamAV-clamd): /var/spool/amavisd/tmp/amavis-20170202T100135-18469-4Hmcgoej/parts INFECTED:
Feb  2 10:01:35 wsrv amavis/pickup[18469]: (18469-01) virus_scan: (), detected by 1 scanners: ClamAV-clamd

I see in the logs that the virus names apparently are not passed to
amavis, and the @virus_name_to_spam_score_maps does not work in this
multiple infection case.

What am I missing?


OK, the problem was in amavisd.conf, in the @av_scanners section: I don't know why, but I had missed the /m (treat string as multiple lines) option:

['ClamAV-clamd',
  \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
  qr/\bOK$/m, qr/\bFOUND$/m,
  qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],

--
           Levi
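The regex behaviour behind the fix, as an added Python example that is not part of the thread or of amavisd: it runs the @av_scanners virus-name pattern over a constructed multi-part clamd CONTSCAN reply with and without the multi-line flag, then applies a reduced copy of the score map. The "every name must map, scores are added up" aggregation is this example's assumption about amavisd, not something the thread states.

```python
import re

# Constructed clamd CONTSCAN reply for a message with two infected MIME parts
# (modelled on the second log in the thread; paths are made up).
CLAMD_REPLY = (
    "/tmp/parts/p004: Sanesecurity.Blurl.b4e48a.UNOFFICIAL FOUND\n"
    "/tmp/parts/p001: OK\n"
    "/tmp/parts/p002: Sanesecurity.Blurl.fcc3c3.UNOFFICIAL FOUND\n"
)

# The virus-name pattern from the ClamAV-clamd @av_scanners entry: once
# without /m (the broken config, where ^ and $ only anchor at the ends of the
# whole reply) and once with /m (re.M makes them anchor at every line).
NAME_RE_NO_M = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$")
NAME_RE_M = re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M)


def virus_names(reply: str, pattern: re.Pattern) -> list:
    """Signature names the pattern extracts; [] is the empty 'INFECTED:' case."""
    return pattern.findall(reply)


# Reduced, ordered copy of @virus_name_to_spam_score_maps: the first entry
# that matches wins, and None stands for 'undef' (keep as infected).
SCORE_MAP = [
    (re.compile(r"^Sanesecurity\.(Malware|Badmacro|Foxhole|Rogue|Trojan)\."), None),
    (re.compile(r"^Sanesecurity\."), 0.1),
    (re.compile(r"SecuriteInfo\.com\.Spam\-720"), 1.5),
]


def map_to_spam(names: list) -> dict:
    """Look every name up in SCORE_MAP.

    Assumption (this example's, not documented in the thread): the mail is
    turned into a spam report only if every name maps to a defined score, and
    the per-name scores are summed. A name that matches no entry, or one that
    maps to None, keeps the mail infected. No names at all means the map never
    gets anything to work on, which is what the multi-infection log shows.
    """
    per_name = {}
    for name in names:
        score = next((s for rx, s in SCORE_MAP if rx.search(name)), None)
        if score is None:
            return {"spam": False, "score": None, "per_name": per_name}
        per_name[name] = score
    return {"spam": bool(per_name), "score": sum(per_name.values()),
            "per_name": per_name}
```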
