Your log looks to me like the settings simply aren't calling Clam to scan the 
message rather than clam missing the message.

I have ScanWL, ScanNP, ScanLocal, ScanCC and UseAvClamd enabled and you need to 
make sure that AvClamdPort is correct for your system.
DoASSP_AFC is set to enabled but only set to do attachments. If you haven't got 
the main clam settings enabled, you'll need to make sure that ASSP_AFCSelect is 
set to one of the options that scans the whole message.

2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> info: found message size announcement: 1.56 kByte
2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> IP 209.85.214.176 matches whiteListedIPs - with 
209.85.128.0/17
2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> [SMTP Reply] 250 OK
2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld [SMTP Reply] 250 Accepted
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld [SMTP Reply] 354 Enter message, 
ending with "." on a line by itself
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld Whitelisted sender address: 
sen...@gmail.com for recipient recipi...@domain.tld
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld DKIM-Signature found
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld info: domain gmail.com has 
published a DMARC record
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld ClamAV: scanned 1774 bytes in 
whitelisted message - FOUND 
Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld Message-Score: added 50 
(vdValencePB) for virus detected: 
'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)',
 total score for this message is now 50
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] [VIRUS] 
209.85.214.176 <sen...@gmail.com> to: recipi...@domain.tld [spam found] (virus 
detected: 
'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)')
 [rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby] -> 
/usr/local/assp/store/quarantine/rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJA--571715.eml;
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 
<sen...@gmail.com> to: recipi...@domain.tld [SMTP Error] 554 5.7.1 Mail appears 
infected with 
\[Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)\].

All the best,
Colin Waring.

-----Original Message-----
From: K Post [mailto:nntp.p...@gmail.com] 
Sent: 15 March 2015 18:32
To: ASSP development mailing list
Subject: Re: [Assp-test] ClamAV win32 Sane

Colin-
really, I'm just interested in the results of the 2nd test in your log.  I 
managed to get the html email one to be trapped - apparently sending html mail 
from gmail is a bit different.  From outlook it trapped it.

The one where the spam string is in the subject however, doesn't seem to be 
caught though.  It looks like one of our bombre is scoring the long subject.  I 
don't know why that would stop a detection though.  It does look like the 
ASSP_AFC is being called (it was enabled for this test).


Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org
Received-RWL: listed from list.dnswl.org; client-ip=209.85.220.177
Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org
Message-Score: added -2 for 209.85.220.0 in griplist (0.14), total score for 
this message is now -42
Mar-15-15 14:27:37 msg44055-12284 [DKIM] 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org [scoring] 
DKIM signature failed - none - sender policy is: neutral - author policy
is: neutral
Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org
Message-Score: added 10 (dkimValencePB) for DKIM none, total score for this 
message is now -32
Mar-15-15 14:27:38 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org info:
SenderBase - query using SenderBase
Mar-15-15 14:27:38 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org SenderBase 
-- used Senderbase -- country:US orgname:GOOGLE domain:google.com
Mar-15-15 14:27:39 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org HMM is not 
available - hmmdb is still locked by a rebuild task
Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org Bayesian 
Check [monitoring] - Prob: 1.00000 => spam
Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org [Plugin] 
calling plugin ASSP_AFC
Mar-15-15 14:27:40 msg44055-12284 [MessageOK] 209.85.220.177 
<testexter...@ourgoogledomain.org> to: v...@testmail.ourcharity.org message ok 
[rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby] -> 
messages/okmail/rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJA--73.txt


I've got the sanesecurity.ftm database there, last modified 9/3/14

Thank you for your help!
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored 
by Intel and developed in partnership with Slashdot Media, is your hub for all 
things parallel software development, from weekly thought leadership blogs to 
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
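
Added example (not part of either message and not ASSP's own code): a Python check over the raw, unwrapped ASSP log that groups lines by message id and reports whether a ClamAV scan line was logged for each message, which is the distinction the reply above draws between the two logs. It assumes a scan always logs a `ClamAV: scanned` line as in the first log; the sample lines, addresses and signature name are constructed.

```python
import re
from collections import defaultdict

# Both timestamp styles seen in the thread, then the per-message id.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}|[A-Z][a-z]{2}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(?P<msgid>\S+) (?P<rest>.*)$"
)

# Substrings taken from the log lines quoted in the thread.
MARKERS = {
    "clam_scanned": "ClamAV: scanned",
    "virus": "virus detected",
    "afc_called": "calling plugin ASSP_AFC",
}

def classify(log_lines):
    """Map each message id to a verdict about whether ClamAV saw it."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        events = seen[m.group("msgid")]  # registers the id even with no marker
        for name, needle in MARKERS.items():
            if needle in m.group("rest"):
                events.add(name)
    verdicts = {}
    for msgid, events in seen.items():
        if "virus" in events:
            verdicts[msgid] = "virus-detected"
        elif "clam_scanned" in events:
            verdicts[msgid] = "scanned-clean"
        elif "afc_called" in events:
            verdicts[msgid] = "afc-called-no-clam-line"
        else:
            verdicts[msgid] = "never-scanned"
    return verdicts

# Constructed sample lines in the two formats above (not real traffic).
SAMPLE = [
    "2015-03-15 15:34:58 m1-00001-00001 [Worker_6] 192.0.2.10 <a@example.org> to: b@example.net ClamAV: scanned 1774 bytes in whitelisted message - FOUND Example.TestSig",
    "2015-03-15 15:34:58 m1-00001-00001 [Worker_6] [VIRUS] 192.0.2.10 <a@example.org> to: b@example.net [spam found] (virus detected: 'Example.TestSig')",
    "Mar-15-15 14:27:40 msg00002-00002 192.0.2.20 <c@example.org> to: d@example.net [Plugin] calling plugin ASSP_AFC",
    "Mar-15-15 14:27:40 msg00002-00002 [MessageOK] 192.0.2.20 <c@example.org> to: d@example.net message ok",
    "Mar-15-15 14:30:01 msg00003-00003 [MessageOK] 192.0.2.30 <e@example.org> to: f@example.net message ok",
]

if __name__ == "__main__":
    for msgid, verdict in classify(SAMPLE).items():
        print(msgid, verdict)
```

A message reported as `afc-called-no-clam-line` or `never-scanned` points at the scan settings rather than at the signature database.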



