[...] --mbox works fine here. This is the variation I'm using, and I believe I'm the original person who posted the method of using backticks:
VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`
Interesting. My manpage for clamdscan doesn't show an --mbox option. What version are you using?
Here's what I'd appreciate anybody calling clamav directly from procmail testing:
1. Go to testvirus.org and send "Test #11: Eicar virus within a ZIP file" to an account that is scanned.
2. Check out the message headers. Here's what I got:
X-Virus-Text: No virus seen.            << Using your inline procmail test
X-Virus-Status-fprot: Yes               << Called via the wrapper script for f-prot
X-Virus-Report-fprot: EICAR_Test_File
with this in /etc/procmailrc:
VIRUS=`/usr/bin/clamdscan --mbox --disable-summary --stdout -`

:0 Difw                                 << Note: Made it a filter
* VIRUS ?? FOUND
| formail -A "X-Virus-Test: Virus seen."

:0 Efw
| formail -A "X-Virus-Text: No virus seen."
3. Extract that message to a file (mbox format) and scan it as-is:
$ clamscan -V
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030916
$ clamdscan -V
clamdscan / ClamAV version 0.60+BugFixesFromCVS-20030916

CLAMDSCAN
$ clamdscan --mbox --disable-summary msg.w9GD
/home/spamd/VirusArchive1/msg.w9GD: OK
$ clamdscan --disable-summary msg.w9GD
/home/spamd/VirusArchive1/msg.w9GD: OK
$ cat msg.w9GD | clamdscan --disable-summary -
stream: OK
$ cat msg.w9GD | clamdscan --mbox --disable-summary -
stream: OK
(this is how you called it, right?)
CLAMSCAN
$ clamscan --mbox --disable-summary msg.w9GD
msg.w9GD: OK
$ clamscan --disable-summary msg.w9GD
msg.w9GD: OK
$ cat msg.w9GD | clamscan --disable-summary -
stdin: OK
$ cat msg.w9GD | clamscan --mbox --disable-summary -
/tmp/12d3919594661c61/eicar.zipeNrxos.zip: Eicar-Test-Signature FOUND
Notice that only that last one works: clamscan (not clamdscan) with --mbox appears to work. From the manpage, I'm not sure how stable --mbox is, though.
$ cd unpacked
$ munpack ../msg.w9GD
$ clamscan --disable-summary
/home/spamd/VirusArchive1/unpacked/eicar.zip: Eicar-Test-Signature FOUND
/home/spamd/VirusArchive1/unpacked/eicar.desc: OK
$ clamdscan --disable-summary
/home/spamd/VirusArchive1/unpacked/eicar.zip: Eicar-Test-Signature FOUND
So, from here, it seems:
1. clamdscan is faster, but doesn't do --mbox at all (no surprise, not on manpage).
2. clamscan does --mbox, though the manpage warns against it.
3. Other variations reading stdin without --mbox don't seem to work. On the procmail list, we went through several variations on procmail with :0 wWhb etc. in varying combinations.
4. Scanning un-encoded files seems to work reliably (or at least consistently).
To make this somewhat relevant to SA, using the wrapper script (or whatever means), headers can be inserted for scoring and use in metas.
- Bob
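The results above (points 3 and 4 in particular) come down to encoding: a scanner fed the raw mbox sees base64 text and a zip container, not the file inside, while scanning the munpack'd files matches. The following is an added example written for this thread, not code from Bob's post or from the ClamAV or procmail projects. It constructs a message with a zip attachment, then compares a naive scan of the raw message against a scan of the decoded and unpacked parts, and emits a header the way the procmail recipe does. The marker string TEST_SIGNATURE is a constructed stand-in for a real detection signature, and the function names (build_test_message, extract_files, scan_message, scan_files_with_clamscan) are this example's own; the last one shells out to a real clamscan only if one is installed.

```python
"""Raw-stream vs decoded-part scanning of an mbox message (added example)."""
import email
import io
import shutil
import subprocess
import tempfile
import zipfile
from email.message import EmailMessage
from pathlib import Path
from typing import Dict, Optional

# Constructed stand-in for a detection signature; not a real ClamAV signature.
TEST_SIGNATURE = b"X5O!P%@AP-STANDIN-TEST-MARKER"


def build_test_message(payload: bytes = TEST_SIGNATURE) -> bytes:
    """Construct a message carrying `payload` inside a zip inside a base64
    attachment, mirroring the 'Eicar within a ZIP file' test layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", payload)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # constructed addresses
    msg["To"] = "scanned@example.invalid"
    msg["Subject"] = "Test #11 (constructed)"
    msg.set_content("See attached archive.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="eicar.zip")
    return msg.as_bytes()


def extract_files(raw: bytes) -> Dict[str, bytes]:
    """Decode MIME attachments (what munpack does) and additionally unpack
    zip members one level deep. Keys are 'attachment' or 'attachment/member'."""
    files: Dict[str, bytes] = {}
    msg = email.message_from_bytes(raw)
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue                        # inline text body, no file to scan
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        files[name] = data
        if name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        files[f"{name}/{member}"] = zf.read(member)
            except zipfile.BadZipFile:
                pass                        # leave the container itself for the scanner
    return files


def signature_scan(data: bytes) -> bool:
    """Toy matcher: true if the stand-in signature occurs in `data`."""
    return TEST_SIGNATURE in data


def scan_message(raw: bytes) -> dict:
    """Compare the raw-stream scan with the decoded scan and build a header
    the way the procmail recipe does with formail."""
    hits = sorted(n for n, d in extract_files(raw).items() if signature_scan(d))
    return {
        "raw_stream": signature_scan(raw),   # 'cat msg | scanner -' without decoding
        "decoded_hits": hits,                # files munpack would have produced
        "header": "X-Virus-Status: Yes" if hits else "X-Virus-Status: No",
    }


def scan_files_with_clamscan(raw: bytes) -> Optional[str]:
    """Write the decoded files to a temp dir and run a real clamscan on it,
    if one is installed; returns its output, or None when clamscan is absent."""
    if shutil.which("clamscan") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        for name, data in extract_files(raw).items():
            (Path(d) / name.replace("/", "__")).write_bytes(data)
        proc = subprocess.run(["clamscan", d], capture_output=True, text=True)
        return proc.stdout


if __name__ == "__main__":
    print(scan_message(build_test_message()))
    print(scan_message(build_test_message(b"plain text, nothing to find")))
```

The raw-stream result stays negative even though the decoded member matches, which is the same gap the thread saw between `cat msg | clamdscan -` and scanning the munpack'd eicar.zip. In a real deployment the toy `signature_scan` is replaced by the scanner, so the useful part is the decode step: give the scanner files, not transfer-encoded mail.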
