On Thu, 22 Sep 2005 at 16:48:36 +0200, Tomasz Papszun wrote:
> On Thu, 22 Sep 2005 at 11:53:55 +0200, Marco Berizzi wrote:
[...]
> > As you can see clamd is *working* and it is catching viruses. Only
> > that stupid zip is slipping through. Running clamdscan with eicar
> > test file is fine as you can see in the following clamd.log file:
> [...]
> Please send me that zipfile - in a zipfile protected with password
> "virus".
I received the file from you. My clamscan and clamdscan - both - detect the
malware in it:

$ clamdscan /tmp/photo.zip
/tmp/photo.zip: Trojan.W32.PWS.Prostor.A FOUND
$ clamdscan -V
ClamAV 0.87/1097/Wed Sep 21 20:56:51 2005

I don't know why yours doesn't. After a brief comparison of my and your
clamd.conf I can't see any obvious error (although yours has fewer options
set, it shouldn't be the problem because some more are enabled by default
anyway).

Just for the comparison, here are my clamd.conf and yours. Only valid lines
are shown thanks to 'grep -v "\#" /etc/clamav/clamd.conf|grep -v "^$"' (your
clamd.conf was additionally corrected by removing words resulting from
wrapping of lines by your MUA).

Mine:

LocalSocket /var/run/clamav/clamd.ctl
FixStaleSocket
ScanArchive
User amavis
ReadTimeout 180
ArchiveMaxRecursion 5
ArchiveMaxFiles 1000
ArchiveMaxFileSize 20M
ArchiveMaxCompressionRatio 400
FollowFileSymlinks
MaxThreads 5
MaxConnectionQueueLength 15
LogFile /var/log/clamav/clamd.log
LogTime
LogFileMaxSize 0M
PidFile /var/run/clamav/clamd.pid
DatabaseDirectory /var/lib/clamav/
SelfCheck 3600
ScanOLE2
ScanPE
DetectBrokenExecutables
ScanHTML

Yours:

PidFile /var/run/ClamAV/clamd.pid
LocalSocket /var/spool/MIMEDefang/clamd.sock
FixStaleSocket
MaxDirectoryRecursion 15
User defang
ScanMail
ScanArchive
ArchiveMaxFileSize 500k
ArchiveMaxFiles 10
ArchiveMaxCompressionRatio 200

Please note that my clamd.conf isn't a very good model - some options are
not needed because they are enabled even without setting in clamd.conf - but
it goes from many versions ago and I manually added new options after they
were introduced.

I've got no better advice for you than starting another clamd process with
another clamd.conf containing another LocalSocket and another PidFile (can be
done as an unprivileged user also) and experimenting with it -
adding/removing/modifying options - until you have received the missing
detection. If you find something you believe is a bug, please report.
-- 
Tomasz Papszun          SysAdm @ TP S.A. Lodz, Poland  | And it's only
tomek at lodz.tpsa.pl   http://www.lodz.tpsa.pl/iso/    | ones and zeros.
tomek at clamav.net     http://www.ClamAV.net/  A GPL virus scanner

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
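An added example, not from Tomasz's post or from ClamAV itself, of the experiment he suggests: derive a throw-away clamd.conf from the live one, giving it its own LocalSocket, PidFile and LogFile so a second clamd can be started by an unprivileged user and driven with clamdscan while the archive limits are varied. The temporary directory and the sample input are constructed here; the clamd/clamdscan invocations in the comments assume their --config-file option.

```shell
#!/bin/sh
# Print only the effective lines of a clamd.conf (the same filter as in the post).
effective_lines() {
    grep -v '#' "$1" | grep -v '^$'
}

# Read the value of option $1 from config $2 (empty if the option is absent).
option_value() {
    awk -v k="$1" '$1 == k { print $2 }' "$2"
}

# Write a test config derived from $1 to $2. Socket, pid and log paths are
# redirected under directory $3 so the test daemon cannot collide with the live
# one; "User" is dropped so it runs as whoever starts it; the three archive
# limits are replaced with $4 (ArchiveMaxFileSize), $5 (ArchiveMaxFiles) and
# $6 (ArchiveMaxCompressionRatio). Everything else is copied unchanged.
make_test_conf() {
    src=$1; dst=$2; dir=$3; maxsize=$4; maxfiles=$5; ratio=$6
    effective_lines "$src" \
      | grep -v -E '^(LocalSocket|PidFile|LogFile|User|ArchiveMaxFileSize|ArchiveMaxFiles|ArchiveMaxCompressionRatio)( |$)' \
      > "$dst"
    {
        echo "LocalSocket $dir/clamd.sock"
        echo "PidFile $dir/clamd.pid"
        echo "LogFile $dir/clamd.log"
        echo "ArchiveMaxFileSize $maxsize"
        echo "ArchiveMaxFiles $maxfiles"
        echo "ArchiveMaxCompressionRatio $ratio"
    } >> "$dst"
}

TESTDIR=$(mktemp -d)
# Constructed sample input: Marco's effective clamd.conf lines as quoted above,
# plus a comment and a blank line to show the filter at work.
cat > "$TESTDIR/clamd.conf.orig" <<'EOF'
# production config (constructed sample)
PidFile /var/run/ClamAV/clamd.pid
LocalSocket /var/spool/MIMEDefang/clamd.sock
FixStaleSocket
MaxDirectoryRecursion 15

User defang
ScanMail
ScanArchive
ArchiveMaxFileSize 500k
ArchiveMaxFiles 10
ArchiveMaxCompressionRatio 200
EOF
# First experiment: Marco's config with Tomasz's archive limits (20M/1000/400).
make_test_conf "$TESTDIR/clamd.conf.orig" "$TESTDIR/clamd.conf" "$TESTDIR" 20M 1000 400
# Then start the second daemon and scan the sample through it:
#   clamd --config-file="$TESTDIR/clamd.conf"
#   clamdscan --config-file="$TESTDIR/clamd.conf" /tmp/photo.zip
```

Re-run make_test_conf with other values (or edit the generated file), restart the test clamd, and rescan until the detection appears; the live daemon is never touched.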