On 3/22/2019 6:58 AM, Alessandro Vesely via clamav-users wrote:
> On Thu 21/Mar/2019 21:21:45 +0100 Bowie Bailey wrote:
>>
>> And here's the problem. SecuriteInfo has their own Eicar signatures, so
>> ClamAV found those first and not the one you were expecting. My header
>> looks like this:
>>
>> ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>>     SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>>     SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>>     Eicar-Test-Signature.UNOFFICIAL
>>     SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
>>     SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
>>     SecuriteInfo.com.Eicar-Test-Signature-2.UNOFFICIAL
>>     Eicar-Test-Signature.UNOFFICIAL
>
> Uh, yeah, can be. The small database is made like so:
>
> test.ndb:
>         sigtool -f Eicar-Test-Signature > $@
>
> where the argument to -f is a regular expression. So the database seems to
> contain four matching signatures. Your database (like mine) probably has
> many more matching signatures, such as Win.Test.EICAR_NDB-1, whose names
> don't match the above regex.

Maybe you should limit that regex so it only matches the official ClamAV
signature:

    sigtool -f '^Eicar-Test-Signature' > $@

>> Not sure why everything is duplicated...

After testing the sigtool command above, it looks like the duplication comes
from matching multiple types of files in the database directory. daily.ndu,
daily.ndb, daily.ldu, and daily.ldb all matched an Eicar signature on my
system. I don't see a way with sigtool to limit the match to a particular
file type without having to specify the directory. Maybe you could just drop
all but the first match from the results. (Although I guess it really
doesn't matter since it is only used for the test.) Something like this:

    sigtool -f '^Eicar-Test-Signature' | grep -m 1 . > $@

Actually, after testing that, I still get the header duplication with only
1 signature in the database. Oh well...

    ClamAV-Found: Eicar-Test-Signature.UNOFFICIAL
        Eicar-Test-Signature.UNOFFICIAL
        Eicar-Test-Signature.UNOFFICIAL

>> No, egrep works fine once the regex is adjusted to match the header.
>
> Fine. I'll change that command to "egrep -i '^ClamAV-Found: .*Eicar' >
> eicar.mail".
>
> Thank you for the fix.

If you change how the test database is generated, then you can stick with
the original regex.

>> I guess I should have specified that I'm running this on CentOS 7, not
>> that it matters at this point.
>>
>> Looks like everything is working now. I'll try integrating it with
>> Courier tomorrow. If I just want to reject any email that is flagged by
>> ClamAV, I shouldn't need to adjust the default config, right?
>
> Correct, reject is the default. You probably need to set "database" to the
> same directory you configured as "DatabaseDirectory" in freshclam.conf.
> Also, recall that clamd.conf is not read; please see avfilter.conf(5) if
> you need to set clamav options.

The database option defaulted to the right location, so I didn't need to
adjust that.

I did need to go through the other clam options and adjust them to match
what I was using with clamd. Oddly, the defaults in clamd aren't quite the
same as the defaults in clamscan. Annoyingly, the option names aren't quite
the same either...

Everything is working now. I have avfilter installed and running on Courier
with pythonfilter now just doing the rate limiting.

The only problem I have found is that since my databases take so long to
load, avfilter_sig times out when reloading the virus definitions. Is there
a way to increase the timeout for avfilter_sig?

-- 
Bowie

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
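The duplicated, partly unofficial ClamAV-Found header discussed in this thread, as an added example that is not code from the thread or from avfilter: a shell function that unfolds the header, deduplicates the signature names, and counts how many match the unanchored versus the anchored regex. The mail text is a constructed sample built from the names quoted above.

```shell
#!/bin/sh
# Constructed sample mail (not captured from a real system); the signature
# names are the ones quoted in the thread, folded onto continuation lines.
SAMPLE_MAIL='From: sender@example.invalid
Subject: eicar test
ClamAV-Found: SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
 SecuriteInfo.com.Eicar-Test-Signature-4.UNOFFICIAL
 Eicar-Test-Signature.UNOFFICIAL
 SecuriteInfo.com.Eicar-Test-Signature.UNOFFICIAL
 Eicar-Test-Signature.UNOFFICIAL

body'

# Read a mail on stdin, unfold the ClamAV-Found header (continuation lines
# start with whitespace), and print each distinct signature name once.
clamav_found_sigs() {
    awk '
        /^ClamAV-Found:/ { inhdr = 1; sub(/^ClamAV-Found:[ \t]*/, ""); print; next }
        inhdr && /^[ \t]/ { sub(/^[ \t]+/, ""); print; next }
        { inhdr = 0 }
        /^$/ { exit }          # end of headers
    ' | tr -s ' \t' '\n\n' | grep -v '^$' | sort -u
}

# Count distinct signature names matching the regex in $1. The unanchored
# pattern from the original Makefile rule also hits the SecuriteInfo names;
# the anchored pattern hits only the official Eicar-Test-Signature.
count_matches() {
    printf '%s\n' "$SAMPLE_MAIL" | clamav_found_sigs | grep -c -E "$1"
}

# Expected on the sample: 3 distinct names, 1 of them official.
count_matches 'Eicar-Test-Signature'
count_matches '^Eicar-Test-Signature'
```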