On 11/24/06, Jon Smith <[EMAIL PROTECTED]> wrote:

On 11/24/06, Tomasz Papszun <[EMAIL PROTECTED]> wrote:
>
> On Fri, 24 Nov 2006 at 13:34:37 -0600, Jon Smith wrote:
> > On 11/24/06, Jon Smith <[EMAIL PROTECTED]> wrote:
> [...]
> > So, apparently it's just not tagging the messages?  I'm going to man
> > clamav-milter conf to see if maybe I just forgot to enable the
> > addition of
> > the X-Spam-Status tags?
>
> Sorry if I've missed some detail but why not just send a test message
> containing EICAR test "virus" and see whether the system stops it or
> not?
>

That's what I'm doing right now, Thanks Tomasz :)

Still wondering a) why isn't it writing anything to my clamd.milter log
file and b) why isn't it tagging messages as clean in the header?

I changed my milter.conf to scan Archives, and restarted clamav-milter.

Then I tested it with the EICAR signature, and the mail went through without
clamav saying a word.  From the maillog:

Nov 24 14:26:28 <hostname> sendmail[18996]: kAOKQSta018996: from=root,
size=653, class=0, nrcpts=1,
msgid=<20061124202628.GA18990@<hostname>..<domain>>,
[EMAIL PROTECTED]
Nov 24 14:26:28 <hostname> sendmail[18997]: NOQUEUE: connect from
<hostname>..<domain> [127.0.0.1]
Nov 24 14:26:28 <hostname> sendmail[18997]: AUTH: available mech=PLAIN LOGIN
ANONYMOUS, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
Nov 24 14:26:28 <hostname> sendmail[18997]: kAOKQSHo018997: Milter (Clamav):
init success to negotiate
Nov 24 14:26:28 <hostname> sendmail[18997]: kAOKQSHo018997: Milter: connect
to filters
Nov 24 14:26:28 <hostname> sendmail[18997]: kAOKQSHo018997: milter=Clamav,
action=connect, accepted
Nov 24 14:26:28 <hostname> sendmail[18997]: kAOKQSHo018997:
from=<root@<hostname>..<domain>>, size=832, class=0, nrcpts=1, msgid=<
20061124202628.GA18990@<hostname>..<domain>>, proto=ESMTP, daemon=MTA,
relay=<hostname>..<domain> [127.0.0.1]
Nov 24 14:26:28 <hostname> sendmail[18997]: kAOKQSHo018997: Milter accept:
message
Nov 24 14:26:28 <hostname> sendmail[18996]: kAOKQSta018996:
to=<user>@<hostname>..<domain>, ctladdr=root (0/0), delay=00:00:00,
xdelay=00:00:00, mailer=relay, pri=30653, relay=[127.0.0.1] [127.0.0.1],
dsn=2.0.0, stat=Sent (kAOKQSHo018997 Message accepted for delivery)
Nov 24 14:26:28 <hostname> sendmail[18999]: kAOKQSHo018997:
to=<<user>@<hostname>..<domain>>, ctladdr=<root@<hostname>..<domain>> (0/0),
delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31096, dsn=2.0.0,
stat=Sent
Nov 24 14:26:28 <hostname> sendmail[18999]: kAOKQSHo018997: done;
delay=00:00:00, ntries=1

But, if I clamdscan the attached file:
[root@<hostname> ~]# clamdscan --config-file=/etc/clamd.d/srv.conf
/tmp/eicarcom2.zip
/tmp/eicarcom2.zip: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)

I'm a little lost here.  The message was obviously passed to the milter ...
which accepted it, and never detected the virus.  To send this I just used
mutt to write a quick message to another local user and attached the
eicarcom2.zip (yes I'm scanning up to 9 levels of archive depth, 15mb limit,
no reason this shouldn't have been scanned).

Anyone have any ideas?  I'm about at the point where I'm ready to just start
digging through the clamav-milter source and see what in the world is going
on.
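An added example for troubleshooting a thread like this one; it is not code from the post above or from the ClamAV project. Sendmail logs every milter decision against the message's queue ID (the `kAOKQSHo018997` in the maillog above), so the first thing to check is, per queue ID, whether the filter negotiated, connected, and what verdict it returned; a message that shows `Milter accept: message` and `stat=Sent` went through with the filter's blessing, and that is the queue ID to look for in the clamav-milter log. The second thing to check is header tagging: clamav-milter adds `X-Virus-Scanned` and `X-Virus-Status` when header tagging is enabled (`X-Spam-Status` is SpamAssassin's header, so its absence says nothing about ClamAV). The log lines and messages below are constructed to mirror the format quoted above, with hostnames replaced by `mx.example.test` and a second, rejected queue ID (`kAOKV2Ab019042`, its reject text constructed) added for contrast.

```python
"""Correlate sendmail maillog lines per queue ID and report the milter verdict.

Added example; not part of the original post or of ClamAV. All sample data
below is constructed, modelled on the maillog quoted in the thread.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from typing import Dict, List, Optional, Tuple

# Constructed maillog: one message the milter accepted and sendmail delivered
# (as in the post), and one it rejected. Hostnames are placeholders.
SAMPLE_MAILLOG = """\
Nov 24 14:26:28 mx sendmail[18997]: NOQUEUE: connect from mx.example.test [127.0.0.1]
Nov 24 14:26:28 mx sendmail[18997]: kAOKQSHo018997: Milter (Clamav): init success to negotiate
Nov 24 14:26:28 mx sendmail[18997]: kAOKQSHo018997: Milter: connect to filters
Nov 24 14:26:28 mx sendmail[18997]: kAOKQSHo018997: milter=Clamav, action=connect, accepted
Nov 24 14:26:28 mx sendmail[18997]: kAOKQSHo018997: from=<root@mx.example.test>, size=832, class=0, nrcpts=1, msgid=<20061124202628.GA18990@mx.example.test>, proto=ESMTP, daemon=MTA, relay=mx.example.test [127.0.0.1]
Nov 24 14:26:28 mx sendmail[18997]: kAOKQSHo018997: Milter accept: message
Nov 24 14:26:28 mx sendmail[18999]: kAOKQSHo018997: to=<user@mx.example.test>, ctladdr=<root@mx.example.test> (0/0), delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31096, dsn=2.0.0, stat=Sent
Nov 24 14:31:02 mx sendmail[19042]: kAOKV2Ab019042: milter=Clamav, action=connect, accepted
Nov 24 14:31:02 mx sendmail[19042]: kAOKV2Ab019042: from=<root@mx.example.test>, size=832, class=0, nrcpts=1, msgid=<20061124203102.GA19040@mx.example.test>, proto=ESMTP, daemon=MTA, relay=mx.example.test [127.0.0.1]
Nov 24 14:31:02 mx sendmail[19042]: kAOKV2Ab019042: Milter: data, reject=550 5.7.1 virus Eicar-Test-Signature detected
"""

# Constructed messages: one tagged the way clamav-milter tags when header
# tagging is on, one never touched by a scanner.
TAGGED_MESSAGE = (
    "X-Virus-Scanned: ClamAV (constructed version string)\n"
    "X-Virus-Status: Clean\n"
    "From: root@mx.example.test\nTo: user@mx.example.test\n\ntest body\n"
)
UNTAGGED_MESSAGE = "From: root@mx.example.test\nTo: user@mx.example.test\n\ntest body\n"

# Syslog prefix, the sendmail process, a 14-character queue ID, then the event.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]{14}): (?P<rest>.*)$"
)


@dataclass
class MessageTrace:
    qid: str
    negotiated: bool = False          # "Milter (...): init success to negotiate"
    milter_connect: bool = False      # "milter=..., action=connect, accepted"
    verdict: Optional[str] = None     # "accept", "reject" or "discard"
    reason: str = ""                  # text after "reject=" when rejected
    size: Optional[int] = None        # size= from the envelope line
    delivered: bool = False           # a to= line with stat=Sent


def parse_maillog(text: str) -> Dict[str, MessageTrace]:
    """Group sendmail log lines by queue ID and extract the milter decisions."""
    traces: Dict[str, MessageTrace] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # NOQUEUE / AUTH lines carry no queue ID; skip them
        qid, rest = m["qid"], m["rest"]
        t = traces.setdefault(qid, MessageTrace(qid))
        if rest.startswith("Milter (") and "init success" in rest:
            t.negotiated = True
        elif rest.startswith("milter=") and "action=connect" in rest:
            t.milter_connect = "accepted" in rest
        elif rest == "Milter accept: message":
            t.verdict = "accept"
        elif rest.startswith("Milter: ") and "reject=" in rest:
            t.verdict = "reject"
            t.reason = rest.split("reject=", 1)[1]
        elif rest.startswith("Milter: ") and rest.endswith("discard"):
            t.verdict = "discard"
        elif rest.startswith("from="):
            sm = re.search(r"\bsize=(\d+)", rest)
            if sm:
                t.size = int(sm.group(1))
        elif rest.startswith("to=") and "stat=Sent" in rest:
            t.delivered = True
    return traces


def audit(traces: Dict[str, MessageTrace]) -> List[Tuple[str, str]]:
    """Queue IDs worth cross-checking against the clamav-milter log."""
    findings = []
    for t in traces.values():
        if t.verdict is None:
            findings.append((t.qid, "no milter verdict logged; is the filter wired in?"))
        elif t.verdict == "accept" and t.delivered:
            findings.append((t.qid, "accepted by milter and delivered; confirm a scan was logged"))
    return findings


def scanner_header_status(raw_message: str) -> Optional[str]:
    """X-Virus-Status value if clamav-milter tagged the message, else None."""
    msg = message_from_string(raw_message)
    if msg.get("X-Virus-Scanned") is None:
        return None
    return msg.get("X-Virus-Status")


if __name__ == "__main__":
    traces = parse_maillog(SAMPLE_MAILLOG)
    for qid, note in audit(traces):
        t = traces[qid]
        print(f"{qid}: verdict={t.verdict} size={t.size} delivered={t.delivered} :: {note}")
    print("tagged message status:", scanner_header_status(TAGGED_MESSAGE))
    print("untagged message status:", scanner_header_status(UNTAGGED_MESSAGE))
```

Run it against the real `/var/log/maillog` by reading the file into `parse_maillog`; every queue ID the audit lists as accepted and delivered should have a matching entry in the clamav-milter log, and a delivered copy of the test message should come back from `scanner_header_status` with `Clean` rather than `None` if header tagging is actually enabled.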