[EMAIL PROTECTED] wrote:
Previously, I noted that clamav was picking up a virus here and there, but not very many. I haven't seen it pick up anything in a long while, now, but I do know that MyDoom is still getting through. The clamav plugin command line I use is the same that everyone else reported, whether with clamdscan or clamscan (including the --mbox argument).
Any ideas why my setup is not catching this?
Mine isn't catching anything when run via qpsmtpd-clamav, but qmail-scanner-queue.pl is picking them up (which is sort of a bit late). On an older RH7.x box, I have to run clam version 0.60 because 0.65 won't compile, and it doesn't even catch the new worm, even with an up to date virus database.
I found out through some troubleshooting that the clamav user doesn't have access to read the files created by qpsmtpd to scan them, so it silently bows out. After adding a system("chmod a+r $tmpfile") it stopped complaining, but it still didn't catch the worm.
I ended up modifying check_for_hi_virus (posted on this list a while back) to look for some of the known worm filenames, and to block unauthorized extensions before they get to qmail-scanner-queue.pl. Works like a charm for now (although I've pretty much had to block .zip files altogether).
See it below. You could change DENY to DENYHARD if you wanted to, but AFAIK you have to define DENYHARD in more places than the most recent DENYHARD patches do. My apologies for any wrapped lines.
-- Bryan
##################################################
#!/usr/bin/perl -w

sub register {
    my $self = shift;
    $self->register_hook('data_post', 'check_for_hi_virus');
}

sub check_for_hi_virus {
    my ($self, $transaction) = @_;

    # make sure we read from the beginning
    $transaction->body_resetpos;

    my $line_number = 0;
    my $seen_file   = 0;
    my $ct_filename = '';
    my $cd_filename = '';

    while ($_ = $transaction->body_getline) {
        # only the first part headers matter; stop after ~90 lines
        last if $line_number++ > 90;

        if (/^Content-Type: (.*)/) {
            # my $val = $1;
            # the name= parameter is expected on the next (folded) line
            my $val = $transaction->body_getline;
            last unless defined $val;
            if ($val =~ /name="(.*)"/) {
                $seen_file   = 1;
                $ct_filename = $1;
            }
        }
        if (/^Content-Disposition: (.*)/) {
            # my $val = $1;
            # likewise, filename= is expected on the next line
            my $val = $transaction->body_getline;
            last unless defined $val;
            if ($val =~ /filename="(.*)"/) {
                $seen_file   = 1;
                $cd_filename = $1;
            }
        }
    }

    # if you want to log this stuff to the maillog, uncomment these and add
    # the "sub maillog" subroutine below to lib/Qpsmtpd/Plugin.pm
    if ($seen_file and $ct_filename and $cd_filename) {
        if ($ct_filename ne $cd_filename) {
            $self->log(3, "Blocked: Probably the 'Hi' virus");
            #$self->maillog("Blocked: Probably the 'Hi' virus");
            return (DENY, "Probably the 'Hi' virus");
        } else {
            # split "name.ext" into the base name and its three-letter extension
            my $firstpt = $ct_filename;
            my $lastpt  = $ct_filename;
            $firstpt =~ s/^(.*)\.\w{3}$/$1/;
            $lastpt  =~ s/.*\.(\w{3})$/$1/;
            $self->log(3, "Checking attachment: $firstpt.$lastpt");
            #
            # this matches some of the filenames I've seen come through
            #
            if ($firstpt =~ /readme|doc|text|file|data|test|message|body/ and
                $lastpt  =~ /pif|scr|exe|cmd|bat|zip/) {
                $self->log(3, "Blocked: Probably the 'Mydoom/Worm.SCO.A' virus ($firstpt.$lastpt)");
                #$self->maillog("Blocked: Probably the 'Mydoom/Worm.SCO.A' virus ($firstpt.$lastpt)");
                return (DENY, "Probably the 'Mydoom/Worm.SCO.A' virus ($firstpt.$lastpt found in message)");
            #
            # !! take out zip if you want to allow ZIP files through !!
            #
            } elsif ($lastpt =~ /pif|scr|exe|cmd|bat|dll|vbs|com|hta|wsh|lnk|zip/) {
                $self->log(3, "Blocked: Unauthorized attachment ($firstpt.$lastpt)");
                #$self->maillog("Blocked: Unauthorized attachment ($firstpt.$lastpt)");
                return (DENY, "Blocked: Unauthorized attachment '$firstpt.$lastpt' in email (executable attachments not allowed)");
            }
        }
    }
    return DECLINED;
}
########################################################
#
# Add this subroutine to lib/Qpsmtpd/Plugin.pm for maillog logging
#
# sub maillog {
#     my $self = shift;
#     my ($rest) = @_;
#     $self->qp->maillog($self->plugin_name, $rest);
# }
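The two problems in the post, a scanner that silently skips a spool file it cannot read and the attachment-name check, as one standalone Perl script. This is an added example, not Bryan's plugin and not qpsmtpd code: the functions user_can_read, declared_attachments and attachment_verdict, the constructed MIME sample and the scanner user 'nobody' are all this example's own assumptions. It goes a little beyond the plugin in that it unfolds continuation lines (so a name= on the header line or on an indented next line is found either way), anchors the extension match, and checks the extension after the last dot.

```perl
#!/usr/bin/perl
# Added example, not Bryan's plugin and not qpsmtpd code: a standalone script
# for the two problems described above. Function names, the sample message
# and the scanner user 'nobody' are this example's own assumptions.
use strict;
use warnings;
use File::Temp qw(tempfile);

# The plugin's second extension list, anchored so "exec.txt" is not hit by "exe".
my $DENIED_RE = '^(?:' . join('|', qw(pif scr exe cmd bat dll vbs com hta wsh lnk zip)) . ')$';

# Can unix user $user read $path, judged by ownership and mode bits?
# Returns (1, reason) or (0, reason). Running this before invoking the scanner
# turns the "silently bows out" case from the post into a logged failure.
sub user_can_read {
    my ($path, $user) = @_;
    my @st = stat($path) or return (0, "cannot stat $path: $!");
    my ($mode, $f_uid, $f_gid) = @st[2, 4, 5];
    my ($u_uid, $u_gid) = (getpwnam($user))[2, 3];
    return (0, "no such user '$user'")   unless defined $u_uid;
    return (1, 'root ignores mode bits') if $u_uid == 0;
    return (1, 'owner read bit')         if $f_uid == $u_uid && $mode & 0400;
    my $in_group = $f_gid == $u_gid;                      # primary group
    if (!$in_group) {                                     # supplementary groups
        my $members = (getgrgid($f_gid))[3];
        $in_group = defined $members && grep { $_ eq $user } split ' ', $members;
    }
    return (1, 'group read bit') if $in_group && $mode & 0040;
    return (1, 'world read bit') if $mode & 0004;
    return (0, sprintf('mode %04o (uid %d gid %d) not readable by %s',
                       $mode & 07777, $f_uid, $f_gid, $user));
}

# Attachment names declared by each MIME part. Folded headers are joined
# first, so a parameter on the header line or on an indented continuation
# line is found either way (the plugin only looks at the following line).
# A line starting with "--" is taken as a boundary and closes the part.
sub declared_attachments {
    my ($msg) = @_;
    my @unfolded;
    for my $line (split /\r?\n/, $msg) {
        if (@unfolded && $line =~ /^[ \t]+(.*)$/) { $unfolded[-1] .= " $1"; next; }
        push @unfolded, $line;
    }
    my (@parts, %cur);
    for my $h (@unfolded) {
        if ($h =~ /^--/) { push @parts, +{%cur} if %cur; %cur = (); }
        elsif ($h =~ /^Content-Type:.*\bname=(?:"([^"]*)"|([^;\s]+))/i) {
            $cur{ct} = defined $1 ? $1 : $2;
        }
        elsif ($h =~ /^Content-Disposition:.*\bfilename=(?:"([^"]*)"|([^;\s]+))/i) {
            $cur{cd} = defined $1 ? $1 : $2;
        }
    }
    push @parts, +{%cur} if %cur;
    return @parts;
}

# The plugin's rules for one part: a name/filename mismatch is the 'Hi'
# heuristic; otherwise the extension after the LAST dot is checked, so a
# double extension such as readme.txt.exe is caught as well.
sub attachment_verdict {
    my ($part) = @_;
    my $ct = defined $part->{ct} ? $part->{ct} : '';
    my $cd = defined $part->{cd} ? $part->{cd} : '';
    return "deny: name '$ct' differs from filename '$cd'"
        if $ct ne '' && $cd ne '' && $ct ne $cd;
    my $name  = $cd ne '' ? $cd : $ct;
    my ($ext) = $name =~ /\.([^.]+)$/;
    $ext = defined $ext ? lc $ext : '';
    return "deny: executable attachment '$name'" if $ext =~ /$DENIED_RE/;
    return "allow: '$name'";
}

# constructed sample message: one zip part, one part with mismatched names
my $sample = <<'EOM';
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream;
    name="document.zip"
Content-Disposition: attachment; filename="document.zip"

--XYZ
Content-Type: application/octet-stream; name="readme.txt"
Content-Disposition: attachment;
    filename="readme.pif"
--XYZ--
EOM
print attachment_verdict($_), "\n" for declared_attachments($sample);

my ($fh, $tmp) = tempfile();
print $fh "spooled message\n";
close $fh;
chmod 0600, $tmp;        # private spool file, as qpsmtpd writes it
my ($ok, $why) = user_can_read($tmp, 'nobody');
print "scanner user 'nobody' can read it: ", ($ok ? 'yes' : 'no'), " ($why)\n";
unlink $tmp;
```

Two notes on using this. First, a `chmod a+r` on the spool file makes every message readable by every local account; the usual alternative is to give the spool files a group the scanner user belongs to and mode 0640, and to let the plugin fail closed (log and return a temporary failure) whenever user_can_read says no, so an unreadable file is never silently treated as clean. Second, inside a qpsmtpd plugin you would feed `$transaction->body_getline` lines into the same unfolding loop instead of splitting a string.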