Bugger. Upgraded ClamAV this morning and still having the same issues. I have dug a little deeper. (ClamAV: 0.73 and MD: 2.41)
I have a small patch (sent back to MD) that logs which scanner found the virus so I could do some stats about it at some stage. I see log lines like:

    Jul 5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,<EMAIL1>,<EMAIL2>,Mail Delivery (failure EMAIL2)

Great, except that clamAV is run first. This morning I thought I better look at the clamav-daemon log file. Fortunately MD uses the msgid in the directory name, so I would search for i650048S013874. And ClamAV had detected the virus (I checked a handful to be sure), so in the clamAV logs I can find a corresponding line:

    Mon Jul 5 10:00:26 2004 -> /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND

So now my head hurts (brick wall and all). My relevant filter and filter_begin portions are below. However, reviewing them I think I have perhaps spotted an issue. I scan with message_contains_virus in filter_begin and then with entity_contains_virus in filter. I am wondering if this is the real cause of my grief (plus now I scan everything more than needed).

Does anyone have any thoughts on it? (In the meantime I will try altering my filter.)

Stewart

This is in sub filter_begin():

    my($code, $category, $action) = message_contains_virus();

This is near the top of sub filter($$$$):

    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        ($code, $category, $action) = entity_contains_virus($entity);
        # If you are more paranoid, change to: if ($action eq "quarantine") {
        if ($category eq "virus") {
            md_graphdefang_log('virus',$VirusName, $RelayAddr);
            md_graphdefang_log('scanner',"$VirusScanner-$VirusName", $VirusScanner);
            # Bounce the mail!
            action_bounce("Virus $VirusName found in mail - rejected");
            # But quarantine the part for examination later. Comment
            # the next line out if you don't want to bother.
            if ($VirusScanner eq "TREND") {
                action_quarantine_entire_message("Trend found a virus");
            }
            #action_quarantine($entity, "A known virus was discovered and deleted. Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
            return;
        }
        if ($action eq "tempfail") {
            action_tempfail("Problem running virus-scanner");
            md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
        }
    }

On Wed, 2004-06-30 at 13:33 +1000, Stewart James wrote:
> > Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72
> > because of a Proxy issue, so I can't confirm if it actually did get
> > fixed there.
>
> Well it's a 3 day wait (OK a couple more because that falls on a weekend
> here). I will see if 0.73 resolves it for me, if not, I can start
> looking at "why not" of it all.
>
> I will let the list know the outcome :)
>
> Cheers,
>
> Stewart
>
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> [EMAIL PROTECTED]
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
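
Added example, not part of the original message or of MIMEDefang: the manual check described above (looking up the MDLOG msgid in the clamd log) as a small Python script that lists messages clamd flagged but whose 'scanner' event credits another scanner. The log text is constructed from the two lines quoted in the message; the second message and the "CLAMD" scanner label are assumptions.

```python
import re

# Constructed sample input, modelled on the two log lines quoted in the message.
MD_LOG = """\
Jul 5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,<EMAIL1>,<EMAIL2>,Mail Delivery (failure EMAIL2)
Jul 5 10:02:11 lime mimedefang.pl[7204]: MDLOG,i6500211S01390,scanner,CLAMD-Worm.Example.A,CLAMD,<EMAIL1>,<EMAIL2>,hello
"""
CLAMD_LOG = """\
Mon Jul 5 10:00:26 2004 -> /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND
Mon Jul 5 10:02:11 2004 -> /var/spool/MIMEDefang/mdefang-6500211S01390/Work/INPUTMSG: Worm.Example.A FOUND
"""

# MDLOG,<msgid>,scanner,<SCANNER-VirusName>,<SCANNER>,... as written by the patch's
# md_graphdefang_log('scanner', "$VirusScanner-$VirusName", $VirusScanner) call.
MDLOG_RE = re.compile(r"MDLOG,([^,]+),scanner,\s*([^,]+),([^,]+),")
# clamd reports the scanned path, which embeds the MIMEDefang work directory.
CLAMD_RE = re.compile(r"/mdefang-([^/]+)/\s*Work/INPUTMSG: (\S+) FOUND")


def clamd_hits(text):
    """Map spool-directory id -> signature name from clamd 'FOUND' lines."""
    return {m.group(1): m.group(2) for m in CLAMD_RE.finditer(text)}


def mismatches(md_text, clamd_text):
    """Return (msgid, credited_scanner, credited_name, clamd_name) for messages
    that clamd flagged but whose MDLOG 'scanner' event credits another scanner."""
    hits = clamd_hits(clamd_text)
    out = []
    for m in MDLOG_RE.finditer(md_text):
        msgid, label, scanner = (g.strip() for g in m.groups())
        # In the quoted lines the directory id lacks the msgid's leading
        # character, so accept an exact or a suffix match.
        found = next((sig for d, sig in hits.items()
                      if msgid == d or msgid.endswith(d)), None)
        if found and not scanner.upper().startswith("CLAM"):
            out.append((msgid, scanner, label.partition("-")[2], found))
    return out


if __name__ == "__main__":
    for row in mismatches(MD_LOG, CLAMD_LOG):
        print("msgid=%s credited=%s (%s) clamd=%s" % row)
```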