On Wed, 13 Nov 2002, Odhiambo Washington <[EMAIL PROTECTED]> wrote:
>Hello Users,
>
>My question could seem a little bit vague, but I have a situation where
>I am to blame or clamav (clamd) is to blame.
>
>I use clamav (exiscan+clamd) on my Exim Server. I use the same kind of setup
>on two MXes. On the primary MX, I also run Exim's system filters. The use
>of exiscan+clamd is meant to stop the virus at the doorstep (at SMTP time).
>The setup scans mail that is not local (only mail arriving by {e}smtp) and
>I know this is dumb because worms can get generated even by local users. I
>am going to change this.
>
>However my point is that there are several hundreds of mail (well, both
>locally generated and also smtp) that still go past the scanner. The e-mails
>are only trapped by the system filter, which I've configured to NOT allow
>any executables to pass unless a sender address is explicitly exempted.
>
>For the days I've run clamav, I've always had a look at these mail caught by
>the system filter by scanning them manually using clamscan, and they always
>turn out to contain viruses/worms that clamscan reveals so easily.
>

It looks like you've answered your own question. If ClamAV can find them 
at this point then the fault does not seem to lie with ClamAV. Whatever 
automated process you are using to scan incoming mail, it is either not 
presenting the mail to ClamAV, not doing so in a format that ClamAV can 
cope with, not correctly interpreting ClamAV's response, not acting on 
that response as you would like or exhibiting some other problem that 
I've missed (don't you just love caveats?!).

I'm not familiar with Exim or Exiscan so I can't really be more help 
than that. I use Postfix and Amavisd with Clamd and seem to trap pretty 
much all the malware that comes my way. But I rely on Amavisd to 
deconstruct MIME messages, decode UUEncode and uncompress archives, not 
Clamd.

I have no doubt that something will get through one day, but that is to 
be expected. No AV software is infallible. And the limited resources at 
the disposal of open source AV developers are very likely to mean that 
new virus definitions are not made available as quickly as they are for 
commercial products. The one virus that did get through my system was 
Bugbear, the day it was discovered. Norton trapped it on my Windoze 
desktop and ClamAV definitions were available for it the next day, which 
is pretty damn good considering how much I don't pay Tomasz :)

-- 
Chris Hastie
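
The reply above turns on whether the mail reaches the scanner in a form it can match against. The following added example (not part of the original thread, and not the code of Exiscan, Amavisd or ClamAV) shows a byte signature that is invisible in the raw message but found once each MIME part is decoded; the marker, addresses and file name are constructed for the illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for a byte signature; not a real virus pattern.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_sample() -> bytes:
    """Build a constructed message carrying MARKER in a base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(b"MZ" + b"\x00" * 16 + MARKER,
                       maintype="application", subtype="octet-stream",
                       filename="sample.exe")
    return msg.as_bytes()


def scan_raw(raw: bytes) -> bool:
    """Match the signature against the message exactly as it arrived."""
    return MARKER in raw


def scan_decoded(raw: bytes) -> list:
    """Decode every leaf MIME part, then match; return names of parts that hit."""
    hits = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue  # containers hold no payload of their own
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is not None and MARKER in payload:
            hits.append(part.get_filename() or "(body)")
    return hits


if __name__ == "__main__":
    sample = build_sample()
    print("raw scan hit:    ", scan_raw(sample))
    print("decoded scan hit:", scan_decoded(sample))
```
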
