> [...] There is also trashscan in the clamav source tarball. It at least doesn't seem to require perl.
Yes, that's on the contrib page.
But I'm doing ok with just the --mbox option. It's not perfect, but we have never guaranteed our customers "no viruses". It gets a very large percentage of the current crop and keeps our support questions down.
If I had more CPU on the mail server, I would try harder to do it right.
THIS IS ALL PROBABLY HIGHLY VERSION DEPENDENT! I think clam is great, so don't want anybody to think this is any more than my prolonged experience in discovering the joys of reading (and heeding) the fine manpage.
Just to fast-motion what was a few days' frustration for me:
--- begin fast-motion replay ---
I'm using the precompiled binaries for Debian testing (sarge):
# clamscan -V
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030916
OK, try this:
1. Find a copy of a message in mbox format infected with Bagle, and test it with something you know WILL find it:
# f-prot msg.8AIB
Virus scanning report - 8 March 2004 @ 12:43
[...]
/home/spamd/VirusArchive/msg.8AIB->cda.zip->wleqncmf.exe Infection: W32/[EMAIL PROTECTED]
[...]
2. Try calling it via stdin with --mbox:
# cat msg.8AIB | clamscan --stdout --disable-summary --mbox -
/tmp/4754c17f704e4cf3/Jennyqa4dsY: OK
/tmp/4754c17f704e4cf3/daadb.zipQPhDd4.zip: Worm.Bagle.A3 FOUND
(at this point, I thought I was done. I merrily posted to this list crying Eureka!)
3. Read the caveat on the manpage about --mbox. Heed several posters calling attention to it. Try calling it via stdin without --mbox (i.e. :0 b procmail recipes):
# cat msg.8AIB | clamscan --stdout --disable-summary -
stdin: OK
(at this point, I realized avoiding --mbox would be a problem.)
4. Try scanning that same file with clamav with the --mbox option:
# clamscan --stdout --disable-summary --mbox msg.8AIB
msg.8AIB: OK
(at this point, we'd meandered down a procmail exercise in futility.)
5. Un-encode the message attachments and scan:
# cat ../msg.8AIB | munpack
munpack: reading from standard input
tempdesc.txt: File exists
cda.zip (application/octet-stream)
# clamdscan --stdout --disable-summary /home/spamd/VirusArchive/bageltest/cda.zip: Worm.Bagle.A3 FOUND
(at this point, I'd read enough to have the impression that scanning files (not stdin) *WITHOUT* --mbox is probably a safe bet.)
--- end fast-motion replay ---
In short: Calling clamscan/clamdscan from procmail (or rather, scanning stdin and/or the --mbox option) may yield unexpected results which can be a problem with anti-virus.
I decided to start cross-checking results to play it safe, so I installed f-prot and bitdefender (both for my debian 386 install). (I realize this isn't a scalable ISP solution.) They are each called in very different ways, and yield very different results. I also realized that though very powerful, procmail was not necessarily the best tool for this job (not to say it can't be done), so I started on those shell scripts I mentioned previously.
I have since discovered James Lick's clamassassin script (http://drivel.com/clamassassin/) which uses a similar approach (save and scan message as file), and I prefer his embedded header (à la spamassassin) approach. I still plan to incorporate decoding of mime-encoded messages just to play safe. I've created a version for f-prot and am working on one for bitdefender. It's worth mentioning that bitdefender is happiest when scanning unencoded files as well, so all this extra effort is worth it for me.
At this point, both clamav and f-prot are working (bitdefender to follow), inserting X-Virus-Status-<name>: and X-Virus-Report-<name>: headers. Initial tests with a handful of viruses indicate that both work, but each misses some the other doesn't.
I'm still testing with testvirus.org.
- Bob
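The save-and-scan approach the post describes (decode the MIME parts the way munpack does, scan the message and each decoded part as a file rather than via stdin or --mbox, then embed X-Virus-Status-<name>: and X-Virus-Report-<name>: headers), written out as an added example; this is not code from the post, from clamassassin, or from ClamAV. It assumes a pluggable scanner callable that returns an infected flag and a detail string, so it runs offline with a stand-in scanner; the clamscan wrapper uses the flags shown in the post (which the post itself notes are version dependent) and clamscan's exit codes (0 clean, 1 found, 2 error). The sample message and the marker string it carries are constructed for the example.

```python
"""Save-and-scan mail filter in the clamassassin style (added example)."""
import os
import re
import subprocess
import tempfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Callable, List, Tuple

# A scanner takes the path of an on-disk file and returns (infected, detail).
# This interface is an assumption of the example, not something ClamAV provides.
Scanner = Callable[[str], Tuple[bool, str]]


def clamscan_file(path: str) -> Tuple[bool, str]:
    """Scan one file with clamscan: always a file, never stdin, never --mbox.

    Flags are the ones from the post and are version dependent.
    clamscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    """
    proc = subprocess.run(
        ["clamscan", "--stdout", "--disable-summary", path],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode == 0:
        return False, "OK"
    if proc.returncode == 1:
        # Last output line looks like "<path>: Worm.Bagle.A3 FOUND".
        return True, proc.stdout.strip().splitlines()[-1].rsplit(": ", 1)[-1]
    raise RuntimeError(f"clamscan failed ({proc.returncode}): {proc.stderr.strip()}")


def marker_scanner(path: str) -> Tuple[bool, str]:
    """Stand-in scanner for offline use: flags a constructed marker string."""
    with open(path, "rb") as fh:
        data = fh.read()
    if b"CONSTRUCTED-BAD-MARKER" in data:
        return True, "Test.ConstructedMarker FOUND"
    return False, "OK"


def extract_parts(raw: bytes, workdir: str) -> List[str]:
    """Decode every leaf MIME part to a file under workdir (the munpack step)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    paths = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        # The attachment name is sender-controlled: keep only safe characters so
        # a name such as "../../etc/x" cannot escape workdir.
        name = re.sub(r"[^A-Za-z0-9._-]", "_", part.get_filename() or f"part{index}.bin")
        path = os.path.join(workdir, f"{index}-{name}")
        with open(path, "wb") as fh:
            fh.write(payload)
        paths.append(path)
    return paths


def scan_message(raw: bytes, scanner: Scanner, tag: str = "clamav") -> bytes:
    """Save the message and its decoded parts, scan each as a file, and return
    the message with X-Virus-Status-<tag>: / X-Virus-Report-<tag>: prepended."""
    findings: List[str] = []
    status = "No"
    with tempfile.TemporaryDirectory() as workdir:
        whole = os.path.join(workdir, "message.eml")
        with open(whole, "wb") as fh:
            fh.write(raw)
        try:
            for path in [whole] + extract_parts(raw, workdir):
                infected, detail = scanner(path)
                if infected:
                    findings.append(f"{os.path.basename(path)}: {detail}")
        except Exception as exc:  # scanner failure: report it, never claim "clean"
            status, findings = "Error", [str(exc)]
    if findings and status != "Error":
        status = "Yes"
    report = "; ".join(findings) if findings else "clean"
    headers = f"X-Virus-Status-{tag}: {status}\nX-Virus-Report-{tag}: {report}\n"
    lead = b""
    if raw.startswith(b"From "):  # an mbox-style envelope line must stay first
        first, _, raw = raw.partition(b"\n")
        lead = first + b"\n"
    return lead + headers.encode("ascii", "replace") + raw


def build_sample() -> bytes:
    """Constructed message: the marker sits inside a base64 attachment, so it is
    not visible in the raw message and only a scan of the decoded part finds it."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "spamd@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("Hi, see attachment.")
    msg.add_attachment(b"xx CONSTRUCTED-BAD-MARKER xx", maintype="application",
                       subtype="octet-stream", filename="cda.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample(), marker_scanner).decode())
```

Swapping `marker_scanner` for `clamscan_file` (or an equivalent wrapper for f-prot or bitdefender, each with its own tag) gives one header pair per engine, which is what makes cross-checking the engines in a later procmail recipe straightforward. The `Error` status is deliberate: a scanner that cannot run should not look like a clean result.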
