Michael Orlitzky wrote:
> I finally caved and decided to install the SaneSecurity signatures for 
> ClamAV on my incoming mail host. However, I can't get the second 
> signature test[1] to pass. I was hoping somebody here could point me in 
> the right direction.
> 
> I have already installed the SaneSecurity signatures. Mail comes in 
> through Postfix, and is filtered through amavisd-new (v2.6.3), which 
> then feeds the message through ClamAV (v0.95.1). It appears as if the 
> signatures are installed correctly, because Test #3 on [1] passes. 
> Everything else works as expected.
> 
> According to the SaneSecurity docs, Amavis needs to pass the entire 
> message body, unmodified, to ClamAV. This is accomplished via
> 
>    $bypass_decode_parts = 1;
> 
> which is set, and not re-defined further down in amavisd.conf. It 
> appears to work:
> 
>    [amavis] (17916-02) presenting full original message to scanners as
>    /var/amavis/tmp/amavis-20090624T145243-17916/parts/p001
> 
> However, ClamAV doesn't catch the subject header, which contains the 
> string from Test #2:
> 
>    [amavis] (17916-02) ClamAV-clamd: Sending CONTSCAN
>    /var/amavis/tmp/amavis-20090624T145243-17916/parts\n to UNIX socket
>    /var/run/clamav/clamd.sock
> 
>    [amavis] (17916-02) ask_av (ClamAV-clamd) result:
>    /var/amavis/tmp/amavis-20090624T145243-17916/parts: OK\n
> 
> Now, at this point, I figured the message must have been mangled, or 
> that I was pasting the signature incorrectly. But, since I receive the 
> test message in my inbox, I was able to copy both the source and the 
> final messages to the mail host in question. Running clamdscan directly 
> *does* find the signature:
> 
>    # clamdscan test.msg
>    /test.msg: Sanesecurity.TestSig_Type4_Hdr.UNOFFICIAL FOUND
> 
>    ----------- SCAN SUMMARY -----------
>    Infected files: 1
>    Time: 0.013 sec (0 m 0 s)
> 
> So, my conclusion is that.. something is wonky, but I'm not sure where. 
> Anyone have an idea?
> 

Try copying the sanesecurity.ftm to your clamav database 
directory.  Your update script might have settings to do this 
for you.

   -- Noel Jones
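The mismatch above (clamdscan on the saved file hits, amavis's CONTSCAN of the parts directory returns OK) is easiest to pin down by issuing both commands to clamd yourself. The script below is an added example, not code from the thread or from amavisd-new or ClamAV: it sends the same newline-terminated SCAN/CONTSCAN commands over the UNIX socket that the log shows amavis using, and parses the "path: verdict" replies so the two results can be compared. The socket path is the one from the log; the sample reply is constructed.

```python
import socket
from typing import Dict, Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # path from the amavis log above

# Constructed sample of what clamd returns (one line per scanned object).
SAMPLE_REPLY = (
    "/root/test.msg: Sanesecurity.TestSig_Type4_Hdr.UNOFFICIAL FOUND\n"
    "/var/amavis/tmp/amavis-20090624T145243-17916/parts/p001: OK\n"
)


def parse_clamd_reply(text: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map each 'path: verdict' line to (status, signature_or_reason)."""
    results: Dict[str, Tuple[str, Optional[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, verdict = line.rpartition(": ")   # signatures contain no ': '
        if verdict == "OK":
            results[path] = ("OK", None)
        elif verdict.endswith(" FOUND"):
            results[path] = ("FOUND", verdict[: -len(" FOUND")])
        elif verdict.endswith(" ERROR"):
            results[path] = ("ERROR", verdict[: -len(" ERROR")])
        else:
            results[path] = ("UNKNOWN", verdict)
    return results


def found_signatures(results: Dict[str, Tuple[str, Optional[str]]]):
    """Signatures clamd reported as FOUND, for a quick hit/no-hit comparison."""
    return sorted(sig for status, sig in results.values() if status == "FOUND")


def clamd_scan(command: str, path: str, sock_path: str = CLAMD_SOCKET):
    """Send 'SCAN <file>' or 'CONTSCAN <dir>' exactly as amavisd-new does."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(f"{command} {path}\n".encode())
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return parse_clamd_reply(b"".join(chunks).decode(errors="replace"))


if __name__ == "__main__":
    # Compare the saved message against the parts directory amavis hands to clamd.
    direct = clamd_scan("SCAN", "/root/test.msg")
    via_amavis = clamd_scan("CONTSCAN", "/var/amavis/tmp/amavis-20090624T145243-17916/parts")
    print("direct:", found_signatures(direct), "amavis parts:", found_signatures(via_amavis))
```

If the direct scan hits and the parts-directory scan does not, the file clamd actually reads under parts/ differs from the saved message (or a database file such as the .ftm is missing), which is what the reply above points at.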

------------------------------------------------------------------------------
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/
