For some reason, my system is allowing Worm.Bagle.F-zippwd files through, but can detect them once they've arrived. I haven't had a single capture of one of these passworded files.
Example:

> clamscan -V
clamscan / ClamAV version 0.67-1
> clamscan passworded.sample
passworded.sample: Worm.Bagle.F-zippwd FOUND

----------- SCAN SUMMARY -----------
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
I/O buffer size: 131072 bytes
Time: 0.425 sec (0 m 0 s)
> clamscan --mbox passworded.sample
passworded.sample: Worm.Bagle.F-zippwd FOUND

----------- SCAN SUMMARY -----------
Known viruses: 20355
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.04 MB
I/O buffer size: 131072 bytes
Time: 0.452 sec (0 m 0 s)

"passworded.sample" is an mbox file with only the offending message in it. If I forward the message to myself, it gets through, and, of course, it got through in the first place. Even as I type this, it's picking up new incoming viruses, so it doesn't seem to be a database issue.

The only weak link I can think of is that I'm using amavis-perl11 ("if it ain't broke..."), and I suspect not many others are. Here's the clam invocation in the amavis perl script:

---
my $clamscan = "/usr/local/bin/clamscan";
...
#
# Clam AV
#
if ($clamscan ne "") {
    # --one-virus is only for esthetic reasons.
    $output = `$clamscan --stdout -r -w --one-virus $TEMPDIR/parts`;
    $errval = ($? >> 8);
    do_log(2,$output);
    if ($errval != 0) {
        if ($errval == 1) {
            @virusname = ($output =~ /.*: (.+) FOUND/g);
            do_virus($output);
        } else {
            do_log(0,"Virus scanner failure: $clamscan (error code: $errval)");
        }
    }
}
---

I assume this only makes sense if you're reasonably familiar with amavis-perl11. Traffic is light enough that I don't need any daemons running for mail, so I've never seen a need to update before this. It might be easier to set up a new version of amavis, but this one IS set up and it (usually) works, and messing with sendmail is the sort of voodoo I like to avoid if possible.

At any rate, does this make any sense? How can a manual clamscan succeed while the automatic one fails?
Is this possibly a question for the amavis mailing list, or do you think something else is going on?

Jeffrey Moskot
System Administrator
[EMAIL PROTECTED]

_______________________________________________
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users