On Fri, 22 Aug 2003 at 11:18:00 -0600, Keith Pettit wrote:
>
> I just set up clamd and it seems to be scanning ok, it picked up the test
> virus, but I can't get it to detect SoBig. I have a couple of files in
> my INBOX I know have SoBIG but it doesn't seem to be detecting them.
>
> Here is what I'm doing.
>
> -freshclam (to make sure I have the latest)
> -check to make sure /etc/clamav.conf is pointing to /usr/local/share/clamav
> -I killed all clamd processes and restarted clamd -c /etc/clamav.conf
> -Manual scan of Maildir "clamdscan /home/user/Maildir"
>
> and I get "Infected Files: 0"
>
> I've tried running it on the exact file I know is infected with the same
> results. Am I doing something wrong??
>
> I want to be able to run a manual scan then when it starts working I'll
> use a wrapper for Maildrop. My mail server is Courier with Maildrop if
> that makes a difference, which uses Maildir mail format.
>
> Any suggestions would be appreciated.

Clamscan does not support messages in Maildir format (yet). It's being developed to do it but the current version isn't detecting viruses in Maildir messages.

Note that it does _not_ mean that you can't scan *incoming* mail with clamd. You can, because MIME processing, decoding and so on are done by another utility which serves as the interface between the MTA and the AV program (Amavisd-new, Mailscanner etc.).

If you want to make sure that your Clamav really knows and detects Sobig.F (or other viruses), you can extract the infected attachment from a message by other means (with mutt or another MUA). Or manually with a text editor. Or do a simple trick to make the message be seen as a usual Mailbox-type (not Maildir) message. All you've got to do is insert at the very beginning of the message one line which simulates Mailbox format, something like:

>From [EMAIL PROTECTED] Fri Aug 22 19:21:16 2003

Warning: probably the above line will be "escaped" by mail software by putting > in front of "From ". The line that you should insert must start with "From " (minus "" signs).

If you need more information on this topic, drop me a note.

PS. Be sure not to do "top-posting". And remove previous marketing signatures of Sourceforge from the message when replying.

--
Tomasz Papszun   SysAdm @ TP S.A. Lodz, Poland  | And it's only
[EMAIL PROTECTED]   http://www.lodz.tpsa.pl/    | ones and zeros.
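
The "From " line trick described in the reply above, as an added example that is not part of the original message or of ClamAV. The function names, the `MAILER-DAEMON` sender and the sample message are assumptions constructed for illustration; the copy is written to a new file so the Maildir original stays untouched.

```python
import mailbox
import os
import tempfile
import time
from email.message import EmailMessage


def add_mbox_from_line(src_path, dst_path, sender="MAILER-DAEMON"):
    """Copy one Maildir message file to dst_path as a one-message mbox file."""
    # Separator format: "From <sender> <date>", e.g. "Fri Aug 22 19:21:16 2003".
    from_line = "From %s %s\n" % (sender, time.asctime(time.gmtime()))
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        dst.write(from_line.encode("ascii"))
        for line in src:
            # Any later line starting with "From " would look like the start
            # of a second message, so escape it with ">".
            if line.startswith(b"From "):
                line = b">" + line
            dst.write(line)
        dst.write(b"\n")  # blank line terminates the message
    return dst_path


def build_sample_message(path):
    """Write a constructed, harmless message with one attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("From here on, this body line needs escaping.\n")
    msg.add_attachment(b"harmless placeholder bytes", maintype="application",
                       subtype="octet-stream", filename="sample.bin")
    with open(path, "wb") as fh:
        fh.write(msg.as_bytes())
    return path


def demo():
    """Convert the sample and parse the result back as an mbox file."""
    workdir = tempfile.mkdtemp()
    src = build_sample_message(os.path.join(workdir, "maildir-message"))
    dst = add_mbox_from_line(src, os.path.join(workdir, "sample.mbox"))
    box = mailbox.mbox(dst)
    messages = list(box)
    box.close()
    return dst, messages


if __name__ == "__main__":
    path, parsed = demo()
    print("mbox copy with %d message(s): %s" % (len(parsed), path))
```

The resulting file can then be passed to `clamscan` in place of the Maildir message.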
