At 02:04 PM 5/18/2007, Bill Landry wrote:

>Mark Martinec wrote the following on 5/18/2007 11:52 AM -0800:
> > Bill,
> >
> >> [ qr'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.'i => 0.1 ],
> >> [ qr'^(Email|Html)\.Malware\.Sanesecurity\.' => undef],
> >> [ qr'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.' => 0.1 ],
> >> [ qr'^(MSRBL-Images/|MSRBL-SPAM\.)' => 0.1 ],
> >>
> >> However, it does not seem to detect and quarantine any signature that
> >> starts with "Email", even though clamdscan correctly detects and reports
> >> the malware signature:
> >> test.msg: Email.Malware.Sanesecurity.07051800 FOUND
> >> The entries in amavisd.conf look correct, but for some reason, malware
> >> signatures beginning with "Email" do not get detected and quarantined by
> >> amavisd-new. Thoughts?
> >
> > Why do you have the second entry (... => undef) ???
> > If matched, it terminates the search and reports that a lookup
> > did not find anything. You probably intended to just remove the line.
> >
> > Mark
>
>Hi Mark,
>
>It's setup this way because that's the way you have it shown in the
>amavisd.conf-default file that comes with the distro, and I want the
>file to be quarantined. However, Steve had me try the following:
>=====
>Change this signature from:
>
>Email.Malware.Sanesecurity.07051800:4:*:687474703a2f2f6d61696c2e756262692e636f6d2e62722f7664526663326174742f7266633261747461636832302e646c6c
>
>to:
>Email.Malware.Sanesecurity.07051800:0:*:687474703a2f2f6d61696c2e756262692e636f6d2e62722f7664526663326174742f7266633261747461636832302e646c6c
>
>I.e. change the type 4 (mail file) to type 0 (all file types). Save and
>re-load clamd....
>
>Now re-send the ecard to yourself... is it detected now?
>
>If it does work then it looks like amavisd-new separates the headers
>from the body... and then uses clamd to scan the body ONLY... which might
>mean no type 4 (Email.) would ever work? But I'm sure you would have
>noticed.
>=====
>
>and without any changes to the amavisd.conf file, amavisd-new now
>correctly identifies the malware and quarantines the
>message. Mark/Steve, how would you suggest we handle these going forward?
>
>Thanks,
>
>Bill
Bill,

Amavisd-new by default unpacks the mail and virus scans the parts. This is intended behavior because of historically poor mime support in some commercial virus scanners.

You can adjust @keep_decoded_original_maps to include MAIL so the raw message is also provided to clam, or $bypass_decode_parts which affects banned filename matching. See the comments in amavisd.conf-sample.

--
Noel Jones

_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
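The first-match rule Mark describes for @virus_name_to_spam_score_maps, as an added illustration that is not code from the thread or from amavisd-new: a small Python emulation of the regexp lookup, loaded with the four entries Bill posted, showing that a name hitting the `=> undef` entry is reported exactly like a name that matched nothing. The scanner names other than Bill's `Email.Malware.Sanesecurity.07051800` are constructed.

```python
import re
from typing import List, Optional, Pattern, Tuple

# Emulation (not amavisd-new's own code) of a regexp lookup table:
# the first entry whose pattern matches decides the result. An entry
# whose value is None (Perl undef) still counts as a match and ends
# the search, so the caller sees "nothing found" for that name.
MapEntry = Tuple[Pattern[str], Optional[float]]


def lookup_re(key: str, table: List[MapEntry]) -> Tuple[bool, Optional[float]]:
    """Return (matched, value); matched is False only if no pattern hit."""
    for pattern, value in table:
        if pattern.search(key):
            return True, value
    return False, None


# The @virus_name_to_spam_score_maps entries as posted in the thread.
# Perl's qr'...'i flag becomes re.I; the patterns are otherwise unchanged.
AS_POSTED: List[MapEntry] = [
    (re.compile(r'^(Email|HTML)\.(Phishing|Spam|Scam[a-z0-9]?)\.', re.I), 0.1),
    (re.compile(r'^(Email|Html)\.Malware\.Sanesecurity\.'), None),  # => undef
    (re.compile(r'^(Email|Html)(\.[^., ]*)*\.Sanesecurity\.'), 0.1),
    (re.compile(r'^(MSRBL-Images/|MSRBL-SPAM\.)'), 0.1),
]

# The same table with the undef entry dropped, as Mark suggests.
WITHOUT_UNDEF: List[MapEntry] = [e for e in AS_POSTED if e[1] is not None]


def spam_score_for(virus_name: str, table: List[MapEntry]) -> Optional[float]:
    """Spam score the table assigns to a scanner-reported name, or None.

    None is returned both for "matched an undef entry" and "matched
    nothing", which is the ambiguity Mark points out.
    """
    matched, value = lookup_re(virus_name, table)
    return value if matched else None


if __name__ == "__main__":
    # Bill's clamdscan name plus two constructed names for comparison.
    for name in ("Email.Malware.Sanesecurity.07051800",
                 "HTML.Phishing.Bank-1", "Worm.Constructed-1"):
        print(f"{name:40s} posted={spam_score_for(name, AS_POSTED)!s:5s} "
              f"without_undef={spam_score_for(name, WITHOUT_UNDEF)}")
```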