On 04/22/2010 10:01 AM, Thomas Herzog wrote:
>
> Amavis seems to be calling the clam daemon, it finds also some other
> exploits, viruses...
> /var/log/clamav/clamav.log:
> Thu Apr 22 08:15:07 2010 -> /tmp/UPS_invoice_4557.zip: Suspect.Bredozip-zippwd-5 FOUND
BTW attachments are automatically removed on this mailing list.
> Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p002: Exploit.HTML.IFrame-8 FOUND
> Thu Apr 22 08:23:53 2010 -> /var/lib/amavis/tmp/amavis-20100422T082307-19639/parts/p003: Worm.NetSky-14 FOUND
>
> Here you can see (UPS_invoice_4557.zip) was recognized with manual
> scanning.
Is that the email, or the attachment? I guess it is the attachment.
Try scanning the email containing that attachment with
clamscan/clamdscan, and see if it is detected.
>
> lxhv1m02:~# dpkg -l | grep clam
> ii clamav 0.95.3+dfsg-1~volatile1 anti-virus utility for Unix - command-line i
> ii clamav-base 0.95.3+dfsg-1~volatile1 anti-virus utility for Unix - base package
> ii clamav-daemon 0.95.3+dfsg-1~volatile1 anti-virus utility for Unix - scanner daemon
> ii clamav-freshclam 0.95.3+dfsg-1~volatile1 anti-virus utility for Unix - virus database
> ii libclamav6 0.95.3+dfsg-1~volatile1 anti-virus utility for Unix - library
>
> lxhv1m02:~# ps -eaf| grep clam
> clamav 2926 1 0 2009 ? 00:01:49 /usr/bin/freshclam -d --quiet
> clamav 16517 1 1 Apr21 ? 00:12:39 /usr/sbin/clamd
> root 25902 23655 0 08:58 pts/1 00:00:00 grep clam
>
> lxhv1m02:~# grep ctl /etc/amavis/conf.d/15-av_scanners
> \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
>
> lxhv1m02:~# grep ctl /etc/clamav/clamd.conf
> LocalSocket /var/run/clamav/clamd.ctl
>
> Looks good to me...any ideas left?
>
> /Thomas
>
>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
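
The check suggested in the reply can also be run over the same path amavis uses. The following is an added example, not part of the original message and not amavis or ClamAV code: it sends the `CONTSCAN` command from the 15-av_scanners line to the `LocalSocket` from clamd.conf and parses the reply. The function names and the `/tmp/mail.eml` default are assumptions.

```python
import socket
import sys

# LocalSocket value from the clamd.conf quoted in the message
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

def parse_reply(reply):
    """Turn clamd reply lines into (path, status, detail) tuples."""
    results = []
    for line in reply.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(" ERROR"):
            # Error text may itself contain ": ", so split on the first one.
            path, _, msg = line.partition(": ")
            results.append((path, "ERROR", msg[:-len(" ERROR")]))
            continue
        path, sep, verdict = line.rpartition(": ")
        if sep and verdict.endswith(" FOUND"):
            results.append((path, "FOUND", verdict[:-len(" FOUND")]))
        elif sep and verdict == "OK":
            results.append((path, "OK", None))
        else:
            results.append(("", "ERROR", line))  # unrecognised reply
    return results

def contscan(path, socket_path=CLAMD_SOCKET, timeout=60.0):
    """Ask clamd to scan `path` the way amavis' ask_daemon entry does."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(("CONTSCAN %s\n" % path).encode())
        chunks = []
        while True:  # clamd closes the connection after replying
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_reply(b"".join(chunks).decode("utf-8", "replace"))

if __name__ == "__main__":
    # Assumed default: a saved copy of the whole e-mail, not just the zip.
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/mail.eml"
    for path, status, detail in contscan(target):
        print(path, status, detail or "")
```

clamd opens the path itself, so the saved message must be readable by the user clamd runs as (`clamav` in the `ps` output above).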