---------- Original Message ----------------------------------
From: "Len Conrad" <[email protected]>
Reply-To: ClamAV users ML <[email protected]>
Date: Thu, 13 Aug 2009 19:43:32 +0200

>From: Tomasz Kojm <[email protected]>
>Reply-To: ClamAV users ML <[email protected]>
>Date: Thu, 13 Aug 2009 18:37:16 +0200
>
>>On Thu, 13 Aug 2009 18:14:14 +0200
>>"Len Conrad" <[email protected]> wrote:
>>
>>> I don't think there is any problem with the postfix/clamsmtpd/clam handoff.
>>>
>>> The clam scanning has missed only the W32.Elkern these past few days
>>> (barracuda has caught on W32.Elkern), and caught everything else, e.g. today:
>>>
>>> egrep -i "status=virus" /var/log/ms1.xxx.net/maillog
>>>
>>> Aug 13 10:08:10 clamsmtpd: 1122E3: [email protected], [email protected], status=VIRUS:Exploit.IFrame.Gen
>>
>>The fact your installation catches Exploit.IFrame.Gen doesn't mean it will
>>detect other threats. The IFrame signature is one of the most basic ones but
>>other signatures may require properly decoded attachments or even the entire
>>raw messages so that libclamav can match some headers or do special
>>decoding/preprocessing on its own.
>>
>>> Aug 13 10:19:40 clamsmtpd: 112524: [email protected], [email protected], status=VIRUS:Exploit.IFrame.Gen
>>>
>>> Aug 13 10:49:27 clamsmtpd: 112BB4: [email protected], [email protected], status=VIRUS:Exploit.IFrame.Gen
>>>
>>> netstat -nap | egrep -ic :10025
>>> 46
>>>
>>> netstat -nap | egrep -ic :10026
>>> 1
>>>
>>> So how could the sig be in the clam db, but clam selectively missing
>>> W32.Elkern?
>>
>>There could be many reasons for that. E.g. there may be a configuration
>>problem with your clamd (please provide the output of 'clamconf -n'),
>
>ok, I missed this:
>
>clamconf -n
>Checking configuration files in /usr/local/etc
>
>Config file: clamd.conf
>-----------------------
>LogFile = "/var/log/clamd.log"
>LogFileMaxSize disabled
>LogTime = "yes"
>LogSyslog = "yes"
>LogFacility = "LOG_MAIL"
>LogVerbose = "yes"
>PidFile = "/var/run/clamd.pid"
>LocalSocket = "/tmp/clamd.socket"
>ScanMail disabled <<<<<<<<<<<<<<<<<<<<
>
>fixed.
>
>> or it
>>may not be getting the proper data from clamsmtpd (does it take care of
>>attachment extracting or passes the entire message to clamd?). Can you
>>get a copy of the infected mail from your Barracuda?
>
>I submitted the msg, as much of the 100KB that Barracuda allowed, to the clam
>website.
>
>thanks
>Len

That fixed it:

Aug 13 13:28:03 ms1.hctc.net/ms1.hctc.net clamsmtpd: 114B8F: [email protected], [email protected], status=VIRUS:W32.Elkern.C
Aug 13 13:40:49 ms1.hctc.net/ms1.hctc.net clamsmtpd: 114DC5: [email protected], [email protected], status=VIRUS:W32.Elkern.C
Aug 13 13:51:39 ms1.hctc.net/ms1.hctc.net clamsmtpd: 114FA3: [email protected], [email protected], status=VIRUS:W32.Elkern.C

thanks
Len

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
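Added example, not from the thread or the ClamAV project: a POSIX shell check that parses the `clamconf -n` layout quoted above and reports mail-relevant clamd options the output shows as turned off, the misconfiguration (`ScanMail disabled`) that made clamd miss W32.Elkern here. The sample outputs are constructed to mirror the quoted format, and the list of options treated as mail-relevant is the editor's assumption.

```shell
#!/bin/sh
# Audit "clamconf -n" output for clamd options that must stay enabled for
# e-mail scanning. clamconf -n prints only non-default settings, so a
# default-on option that was switched off shows up as "Name disabled"
# (or Name = "no"), exactly as ScanMail did in the thread above.

# Constructed sample in the quoted layout: the broken state (ScanMail off).
SAMPLE_CONF='Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamd.log"
LogSyslog = "yes"
LocalSocket = "/tmp/clamd.socket"
ScanMail disabled'

# Constructed sample after the fix: ScanMail no longer listed, so it is default (on).
FIXED_CONF='Config file: clamd.conf
-----------------------
LogFile = "/var/log/clamd.log"
LogSyslog = "yes"
LocalSocket = "/tmp/clamd.socket"'

# Print the name of every mail-relevant option the given clamconf output
# reports as disabled. The option list is an assumption: these are real
# clamd.conf options, but which ones matter depends on the deployment.
disabled_mail_options() {
    printf '%s\n' "$1" | awk -v opts="ScanMail ScanArchive ScanPE" '
        BEGIN { n = split(opts, want, " "); for (i = 1; i <= n; i++) need[want[i]] = 1 }
        ($1 in need) && ($2 == "disabled" || ($2 == "=" && $3 == "\"no\"")) { print $1 }
    '
}

# Exit 0 when no mail-relevant option is off, 1 otherwise (usable in a cron check).
mail_scanning_enabled() {
    [ -z "$(disabled_mail_options "$1")" ]
}

# Run against the constructed sample; on a live host pass "$(clamconf -n)" instead.
if ! mail_scanning_enabled "$SAMPLE_CONF"; then
    echo "mail-relevant clamd options disabled: $(disabled_mail_options "$SAMPLE_CONF" | tr '\n' ' ')"
fi
```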
