I found when setting up clamav that the LocalSocket and TCPAddr options are mutually exclusive. You can either use unix sockets OR you can use TCP sockets. I chose unix sockets because I have no need for outsiders to be using my box. clamd refused to start for me with them both set.
'--mbox' isn't needed on the clamdscan command line because that's taken care of inside clamd with the ScanMail option.

Does clamav detect the worm when you run the commands manually? Like... copy the maildir file (you do use Maildir, don't you?) to a temp location and run:

    clamdscan --stdout --disable-summary tempfilename

If that doesn't find it then the problem is deeper.

Here's my clamd.conf. Don't take it as gospel, I'm still a newbie and I chose some of my values "for the hell of it", but it's working for me.

    LogFile /var/log/clamav/clamd.log
    LogFileMaxSize 10M
    LogTime
    PidFile /var/lib/clamav/clamd.pid
    DataDirectory /var/lib/clamav
    LocalSocket /tmp/clamd
    FixStaleSocket
    StreamSaveToDisk
    StreamMaxLength 10M
    MaxThreads 10
    MaxDirectoryRecursion 15
    User clamav
    AllowSupplementaryGroups
    ScanMail
    ScanArchive
    ScanRAR
    ArchiveMaxFileSize 10M
    ArchiveMaxRecursion 6
    ArchiveMaxFiles 1000

The AllowSupplementaryGroups option is so I can add the clamav user to the smtp user's group so user clamav can read the files to scan. I also had to chmod the files for group readability inside the plugin.

-f

On Fri, 30 Jan 2004 [EMAIL PROTECTED] wrote:

# On Wed, 28 Jan 2004, frank wrote:
#
# > Just today I installed clamav and I'm having problems with it too. In my
# > case, I finally tracked it down to SPF. The SPF plugin adds a
# > "Received-SPF:" header to the top of the message and I believe clamav is
# > choking on it because it wants to read a plain "Received:" header. I
# > haven't checked clamav sources but experimentation shows this to be the
# > case. I guess I could add an extra blank "Received:" inside the plugin
# > code for a quick fix.
#
# > So if at all possible, run and use clamd.
#
# With Guillaume's post, I requested that he send the worm to me, to
# see if it would get through my clamav setup. It was running with the
# latest definitions, but failed to catch it.
#
# On seeing the "clamdscan" vs "clamscan" in the discussion, I
# switched to running it with clamd. Here's my /etc/clamav.conf file:
#
# LocalSocket /tmp/clamd
# TCPAddr 127.0.0.1
# MaxConnectionQueueLength 30
# MaxThreads 20
# MaxDirectoryRecursion 15
# User clamav
# ScanMail
# ScanArchive
# ArchiveMaxFileSize 10M
# ArchiveMaxRecursion 5
#
# I do not use SPF at all as all users send through their access
# providers' SMTP boxes, not through my server, so the solution posted
# previously should have no effect on my setup.
#
# Previously, I noted that clamav was picking up a virus here and
# there, but not very many. I haven't seen it pick up anything in a long
# while, now, but I do know that MyDoom is still getting through. The clamav
# plugin command line I use is the same that everyone else reported, whether
# with clamdscan or clamscan (including the --mbox argument).
#
# Any ideas why my setup is not catching this?
#
# Thanks.
#
# -- Nobody snuggles with Max Power. You strap yourself in and feel the "G"s!
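
An added example, not part of the original messages: a small Python lint for a clamd.conf that checks the three points raised in the reply (LocalSocket together with TCPAddr, a missing ScanMail, and User without AllowSupplementaryGroups). The finding names and the trimmed sample configs are constructed here, and the checks encode what the poster reports for their install rather than documented clamd behaviour for every version.

```python
"""Lint a clamd.conf for the conditions discussed in this thread (added example)."""

# Constructed input: option lines taken from the two configs posted in the thread
# (the reply's config is trimmed to the options the checks look at).
QUOTED_CONF = """\
LocalSocket /tmp/clamd
TCPAddr 127.0.0.1
MaxConnectionQueueLength 30
MaxThreads 20
MaxDirectoryRecursion 15
User clamav
ScanMail
ScanArchive
ArchiveMaxFileSize 10M
ArchiveMaxRecursion 5
"""
REPLY_CONF = """\
LocalSocket /tmp/clamd
FixStaleSocket
User clamav
AllowSupplementaryGroups
ScanMail
ScanArchive
"""


def parse_conf(text):
    """Return {option: value}; flag-style options (no argument) map to ''."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split name/value
        if parts:
            opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def lint(text):
    """Return finding codes (hypothetical names) for the points raised in the reply."""
    opts, findings = parse_conf(text), []
    if "LocalSocket" in opts and "TCPAddr" in opts:
        findings.append("both-sockets")    # reply: clamd refused to start with both set
    if "ScanMail" not in opts:
        findings.append("no-scanmail")     # reply: ScanMail is what replaces --mbox
    if "User" in opts and "AllowSupplementaryGroups" not in opts:
        findings.append("no-supp-groups")  # reply: needed to read files via a group
    return findings


if __name__ == "__main__":
    for label, conf in (("quoted", QUOTED_CONF), ("reply", REPLY_CONF)):
        print(label, lint(conf) or "ok")
```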
