Eric Smoker wrote:

> I'm not sure what your problem is. I run clamav (0.67) and it runs well. In fact it has been beating Norton and RAV in database updates for the last few weeks of outbreaks. Not sure why you can't find all viruses. Do you have zlib libraries loaded? Clamd isn't perfect yet (what scanner is?) but it isn't bad in my opinion.

I think that I have all of the libraries loaded. Indeed, I just recompiled clamav, and made sure that all of the libraries (including GMP and bzip) were installed before I compiled and installed.


I have a funny feeling that I still did something wrong, though. For example, I put a bunch of mail messages into /tmp/infected:

   [EMAIL PROTECTED] infected]# grep -l '\.pif' *
   es7z4f8AwD
   jlrxgSthpE
   message.pif
   prSsdMCCew
   uh9Tf38ENQ

And yet:

   [EMAIL PROTECTED] infected]# for file in `grep -l '\.pif' *`; do clamdscan $file; done
   /tmp/infected/es7z4f8AwD: OK


   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.053 sec (0 m 0 s)
   /tmp/infected/jlrxgSthpE: OK
   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.041 sec (0 m 0 s)
   /tmp/infected/message.pif: Worm.SomeFool.I FOUND
   ----------- SCAN SUMMARY -----------
   Infected files: 1
   Time: 0.294 sec (0 m 0 s)
   /tmp/infected/prSsdMCCew: OK
   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.056 sec (0 m 0 s)
   /tmp/infected/uh9Tf38ENQ: OK
   ----------- SCAN SUMMARY -----------
   Infected files: 0
   Time: 0.043 sec (0 m 0 s)


(I get the same results with clamscan, rather than clamdscan.) So I have a feeling that the problem is with my installation of clamav, not with the clamav plugin.

> I think the most obvious problem you may have overlooked is that if you don't uncomment line 57 (return (DENY, "Virus Found: $output");) of the clamav plugin (v0.27) the only thing the plugin will do is add a header to the mail message of X-Virus-Found=Yes. This doesn't do much if your mail client isn't set up to filter this header.

Actually, I made this change when I installed the clamav plugin. And it looks like clamav is identifying *some* incoming viruses. But it's happening far too infrequently.


> Your MaxThreads in your clamav.conf file needs to be >= qmail's concurrencyincoming file, or any simultaneous SMTP sessions over your MaxThreads won't invoke clam.

This was a great suggestion; I made the change, and clamdscan now runs *far* faster than it did before. Unfortunately, the results haven't really changed that much.


Reuven
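
The comparison suggested in the thread (MaxThreads at least as large as concurrencyincoming), written out as an added example that is not part of the original messages or of the clamav or qmail distributions. The function names and the sample files are constructed for illustration, and the script assumes the first uncommented MaxThreads line is the one in effect; pass the paths of your own clamav.conf and concurrencyincoming files to check_threads.

```shell
#!/bin/sh
# Added example: is clamd's MaxThreads >= qmail's concurrencyincoming?
# Assumption: the first uncommented "MaxThreads N" line is the one in effect.

# Print the MaxThreads value from a clamav.conf-style file (nothing if unset).
max_threads() {
    awk '$1 == "MaxThreads" && $2 ~ /^[0-9]+$/ { print $2; exit }' "$1" 2>/dev/null
}

# Print the number on the first line of a concurrencyincoming-style file.
incoming_limit() {
    awk 'NR == 1 && $1 ~ /^[0-9]+$/ { print $1 }' "$1" 2>/dev/null
}

# Returns 0 if MaxThreads is large enough, 1 if it is too low,
# and 2 if either value could not be read.
check_threads() {
    threads=$(max_threads "$1") || threads=""
    limit=$(incoming_limit "$2") || limit=""
    if [ -z "$threads" ] || [ -z "$limit" ]; then
        echo "UNKNOWN: MaxThreads or concurrencyincoming not found"
        return 2
    fi
    if [ "$threads" -ge "$limit" ]; then
        echo "OK: MaxThreads=$threads >= concurrencyincoming=$limit"
        return 0
    fi
    echo "LOW: MaxThreads=$threads < concurrencyincoming=$limit"
    return 1
}

# Constructed sample files, so the script runs without a real installation.
demo_dir=$(mktemp -d)
printf '%s\n' '#MaxThreads 50' 'MaxThreads 10' > "$demo_dir/clamav.conf"
echo 20 > "$demo_dir/concurrencyincoming"
check_threads "$demo_dir/clamav.conf" "$demo_dir/concurrencyincoming" || true
rm -rf "$demo_dir"
```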



