Kaplan, Andrew H. wrote:
>> That's from MailScanner, indirectly from clamav.
>
> If there is a problem with ClamAV, perhaps the first step would be to upgrade
> ClamAV to version 0.88.1?

You misunderstood, there is no problem with clamav, the message you get is normal for MailScanner and some settings.

You should upgrade clamav, which at this time is version 0.88.4, but the reason is to get the latest functionality and bug fixes, not to "fix" your problem.

> At the very least it would help determine if the problem lies with the
> anti-virus software. Your thoughts?

The problem could turn out to be not a problem: I've seen the same message only once, when one of our users sent another a zip file that had a very large number of files and a very deep directory structure (normal with java); the file was marked as false positive because MailScanner does have, by default, settings that trip the DoS attack message.

>> One user only? What kind of configuration do you have, MailScanner +
>> MailWatch?
>
> At this point it appears to be only one user, although another user did
> report a relatively high amount of virus warnings. The configuration we
> have is MailScanner 4.54-1 with ClamAV 0.88.1 and SpamAssassin 3.03.

Could it be just one message that is causing the problem?

To me, it seems very strange that only _one_ user has this problem with _all_ his messages... it really makes no sense. More likely is that the same message has been retried time and time again, MailScanner will not let it through unless you change the parameters.

The default parameters in MS are the same that clamd uses, the relevant ones are:

    Virus Scanners = clamavmodule
    Virus Scanner Timeout = 60
    ClamAVmodule Maximum Recursion Level = 8
    ClamAVmodule Maximum Files = 1000
    ClamAVmodule Maximum File Size = 10000000 # (10 Mbytes)
    ClamAVmodule Maximum Compression Ratio = 250

The best way to see if you need to change these is to look at the log and see what caused the alarm: was it an archive file (zip, tgz, tar.gz, etc.)? Is the file in your quarantine? Can you see if it breaks any of those limits?

I'm assuming that the timeout is OK, one minute is long enough to scan any "usual" attachment. So the option is to increase the first 2 parameters (recursion level and files) or even disable them (with a zero).

The size shouldn't be a problem, it is just a limit that tells clamav not to scan anything bigger than that... you could lower it, viruses usually come in small files, that will avoid possible timeouts with very large attachments (a 10 MB zip probably will take close to the 60 sec limit between the unzipping and scanning, and it also depends on the machine load).

-- 
René Berber
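The check suggested in the message above (does the quarantined archive break any of those limits?), as an added example that is not part of the original message and is not MailScanner or ClamAV code. It assumes a zip attachment, treats the recursion level as zips nested inside zips, and computes the compression ratio per member; the scanner's own accounting may differ.

```python
import io
import zipfile

# Limits quoted in the message above; 0 disables a limit, as the message says.
LIMITS = {"recursion": 8, "files": 1000, "file_size": 10_000_000, "ratio": 250}

def exceeded(stats, limits=LIMITS):
    """Return the names of the limits that the collected figures break."""
    return [k for k, v in limits.items() if v and stats[k] > v]

def audit_zip(data, limits=LIMITS, depth=1, stats=None):
    """Collect nesting depth, file count, largest member and worst ratio."""
    if stats is None:
        stats = {"recursion": 0, "files": 0, "file_size": 0, "ratio": 0.0}
    stats["recursion"] = max(stats["recursion"], depth)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            stats["files"] += 1
            stats["file_size"] = max(stats["file_size"], info.file_size)
            if info.compress_size:
                ratio = info.file_size / info.compress_size
                stats["ratio"] = max(stats["ratio"], ratio)
            # Stop as soon as a limit is broken so a hostile archive cannot
            # exhaust the audit itself.
            if exceeded(stats, limits):
                return stats
            # Assumption: only nested .zip members are opened, and only when
            # their declared size is within the size limit.
            small = not limits["file_size"] or info.file_size <= limits["file_size"]
            if info.filename.lower().endswith(".zip") and small:
                audit_zip(zf.read(info), limits, depth + 1, stats)
    return stats

def make_zip(members):
    """Constructed sample input: build a zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: a Java-style tree of 1200 files, and one huge-ratio member.
    tree = make_zip({f"com/example/p{i // 50}/C{i}.class": bytes([i % 256]) * 44
                     for i in range(1200)})
    zeros = make_zip({"zeros.bin": b"\0" * 1_000_000})
    for name, blob in (("tree.zip", tree), ("zeros.zip", zeros)):
        stats = audit_zip(blob)
        print(name, stats, "breaks:", exceeded(stats) or "nothing")
```

Running it against a copy of the quarantined attachment (read as bytes and passed to `audit_zip`) shows which of the four settings, if any, would need raising.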
