Hi all,

This problem has been bugging me for a few hours now so I'm looking for
help.

I have created a custom signature of a zip file using the clamav sigtool
utility. I then add this into a file called custom.hdb in /var/lib/clamav.

Running clamscan test.zip tells me that the file is infected with test.zip.
Running clamdscan tells me that the file is infected with test.zip.
Mailing this zip file as an attachment passes through without incident -
though amavis is definitely pointed at the same clamd instance and will
detect other malware instances - so it's definitely not a ClamAV issue.
It's all very weird.

My current thinking is that it's something weird with amavis unpacking the
zip file into its constituent parts?  I know that amavisd-new will unpack
archives into a temp folder and scan the files individually, though does it
scan the archive as a whole (meaning that my md5 hash will match the zip
file itself)?

ClamAV is definitely scanning the file (at least a file), as the log
entries below show:

(26182-01) ask_av (Clam Antivirus-clamd): query template1: CONTSCAN {}\n
(26182-01) Using (Clam Antivirus-clamd) on dir: CONTSCAN /var/lib/amavis/amavis-20081212T143805-26182/parts\n
(26182-01) timer set to 10 s (was 320 s)
(26182-01) Clam Antivirus-clamd: Connecting to socket /var/run/clamav/clamd.ctl
(26182-01) Clam Antivirus-clamd: Sending CONTSCAN /var/lib/amavis/amavis-20081212T143805-26182/parts\n to UNIX socket /var/run/clamav/clamd.ctl
(26182-01) prolong_timer ask_daemon_internal: timer set to 256 s
(26182-01) ask_av (Clam Antivirus-clamd) result: /var/lib/amavis/amavis-20081212T143805-26182/parts: OK\n
(26182-01) ask_av (Clam Antivirus-clamd): /var/lib/amavis/amavis-20081212T143805-26182/parts CLEAN


I have looked over the documentation for the means to have amavisd-new
leave the temporary files for me to check what is actually being scanned.
Is there some config option I'm missing somewhere? Do I have to tell
amavis to explicitly scan the zip file itself as well as the unpacked
parts?


Can anybody tell me why this isn't working as expected?


Thanks


Richard
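Added example (not from the original post, and not amavisd-new or ClamAV code): it builds a constructed sample zip in memory, emits the md5:size:name line that a .hdb entry uses for the archive as a whole and for each extracted member, and checks whether an archive-level hash could ever match one of the parts that land in a directory like the CONTSCAN path above. The archive contents and the signature name "test.zip" are assumptions.

```python
import hashlib
import io
import zipfile


def hdb_signature(data: bytes, name: str) -> str:
    """Return a ClamAV .hdb-style line: md5:filesize:SignatureName."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def build_sample_zip() -> bytes:
    """Constructed sample archive (assumption, not the poster's test.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("abc.txt", b"abc")
        zf.writestr("notes.txt", b"hello world")
    return buf.getvalue()


def signatures_for_archive(archive: bytes, sig_name: str) -> dict:
    """Hash signature for the raw archive (what clamscan test.zip hashes)
    plus one per member (what a scanner sees after an unpacker has
    extracted the archive into a parts directory)."""
    sigs = {"archive": hdb_signature(archive, sig_name)}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            member_name = f"{sig_name}.{info.filename}"
            sigs[info.filename] = hdb_signature(zf.read(info), member_name)
    return sigs


def archive_signature_matches_members(archive: bytes, sig_name: str) -> bool:
    """True only if the whole-archive md5 equals some member's md5, i.e.
    only if an archive-level .hdb entry could fire on an unpacked part."""
    sigs = signatures_for_archive(archive, sig_name)
    archive_md5 = sigs["archive"].split(":")[0]
    return any(sig.split(":")[0] == archive_md5
               for key, sig in sigs.items() if key != "archive")


if __name__ == "__main__":
    sample = build_sample_zip()
    for key, line in signatures_for_archive(sample, "test.zip").items():
        print(f"{key:>10}: {line}")
    print("archive hash matches a member:",
          archive_signature_matches_members(sample, "test.zip"))
```

Only the archive-level line would match test.zip itself; an entry per member is needed if the scan target is the extracted parts rather than the original attachment.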




_______________________________________________
AMaViS-user mailing list
[email protected] 
https://lists.sourceforge.net/lists/listinfo/amavis-user 
 AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3 
 AMaViS-HowTos:http://www.amavis.org/howto/ 