I have the latest amavisd-new and clamd from Debian Lenny/backports.

It does not seem to recognise viruses in email (just this one kind of
trojan is the culprit), but clamd reports fine when I manually try the
email attachment later.

-----------------------------------------------------------------------
No viruses were found.

Banned name: .exe,.exe-ms,DHL_document_82660.exe
Content type: Banned
Internal reference code for the message is 03868-14/nWyd3d+5Bl4H

First upstream SMTP client IP address: [10.123.29.115]
According to a 'Received:' trace, the message originated at: [81.45.236.37],
  81.45.236.37

Return-Path: <cour...@dhl-usa.com>
From: "Manager Janell Blackmon" <cour...@dhl-usa.com>
Message-ID: <000d01ca91d5$fb4bc970$6400a...@spedthbu6>
Subject: DHL Express Services. Please get your parcel NR.4290
The message has been quarantined as: n/banned-nWyd3d+5Bl4H
-----------------------------------------------------------------------

Manual scan:

ja...@spitfire:~/tmp$ clamscan DHL_document_82660.zip
DHL_document_82660.zip: Suspect.Bredozip-zippwd-2 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 732576
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.02 MB (ratio 0.00:1)
Time: 36.293 sec (0 m 36 s)


It's always that Bredolab that is not recognised, so it seems. Other
kinds of viruses are reported OK, I think.

If I configure other scanners for amavisd, those will get recognised by
the other scanners OK (F-Prot, BitDefender).

My amavisd config for clamd is as follows (should be stock).

 ### http://www.clamav.net/
 ['ClamAV-clamd',
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/, qr/\bFOUND$/,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
 # NOTE: remember to add the clamav user to the amavis group, and
 # to properly set clamd to init supplementary groups
 # When running chrooted one may prefer: ["CONTSCAN {}\n","$MYHOME/clamd"],

# ### http://www.clamav.net/ and CPAN  (memory-hungry! clamd is preferred)
# ['Mail::ClamAV', \&ask_clamav, "*", [0], [1], qr/^INFECTED: (.+)/],


What might it be? I already asked on the clamav list, but they told me to
ask the amavisd community.
