Hi Chris,

I want to note a point which is undocumented: if you make tests with the eicar pattern that comes from the qsheff-r2 source, please consider that I added a "REMOVETHIS" pattern at the beginning of the pattern and in the middle of the pattern, because we cannot move/transfer the original eicar pattern over the network. Virus defenders block it. That's just a reminder; I want to be sure that the problem is not connected to it.

I've just done a test in the following way:
- edit eicar.com.txt, remove REMOVETHIS patterns (there are 2)
- zip e.zip eicar.com.txt
- Moved it to another mail server (because the local-user option was not used at compile time).
- I used mutt to attach it.
- And I sent...

Log is here:

28/03/2006 11:35:11: [qSheff] CLAMD, queue=q-1143534911-558892-12468, recvfrom=64.90.164.206, [EMAIL PROTECTED]', [EMAIL PROTECTED]', subj=`virus test', size=1052, prog=`clamd', virus=`Eicar-Test-Signature'

So,

If you didn't use the eicar pattern from -r2, there are 2 possibilities I should test:
- Patches you applied to clamav
- Linux, especially Debian (because I am a BSD user)

I'll wait for your response.

regards,

Baris Simsek
http://www.enderunix.org/simsek/

Developer, keep on struggling.

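Added example, not code from qsheff or ClamAV: a small Python client that speaks clamd's plain-text socket protocol, so the clamd half of the setup (is the /tmp/clamd socket from the configure line answering, and does a SCAN of the suspect zip come back FOUND) can be checked on its own before blaming qsheff. The helper names, the default socket path and the stand-in clamd server are assumptions; the stand-in only matches file names, while real clamd scans content.

```python
import os
import socket
import tempfile
import threading
# Hypothetical helper (not qsheff/clamav code): clamd protocol is PING -> PONG,
# "SCAN <path>" -> "<path>: OK" or "<path>: <signature> FOUND" (or "... ERROR").
def clamd_query(command, socket_path="/tmp/clamd", timeout=10):
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(command.encode() + b"\n")
        chunks = []
        while data := s.recv(4096):  # clamd closes the connection when done
            chunks.append(data)
    return b"".join(chunks).decode().strip()
def clamd_scan(path, socket_path="/tmp/clamd"):
    # Returns (verdict, detail) with verdict one of "OK", "FOUND", "ERROR".
    reply = clamd_query("SCAN " + os.path.abspath(path), socket_path)
    _, _, status = reply.rpartition(": ")  # drop the echoed path
    if status.endswith(" FOUND"):
        return "FOUND", status[:-len(" FOUND")]
    return ("OK", None) if status == "OK" else ("ERROR", status)
# Constructed stand-in for clamd so the client can run offline: it answers PING
# and flags any file whose name contains "eicar" (real clamd scans the content).
def start_fake_clamd(socket_path):
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(socket_path)
    srv.listen(5)
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:  # closing the connection ends the client's read loop
                cmd = conn.recv(4096).decode().strip()
                if cmd == "PING":
                    conn.sendall(b"PONG\n")
                elif "eicar" in cmd[5:].lower():  # cmd is "SCAN <path>"
                    conn.sendall(cmd[5:].encode() + b": Eicar-Test-Signature FOUND\n")
                else:
                    conn.sendall(cmd[5:].encode() + b": OK\n")
    threading.Thread(target=serve, daemon=True).start()
def demo():
    # Runs the client against the stand-in; returns liveness and both verdicts.
    tmp = tempfile.mkdtemp()
    sock = os.path.join(tmp, "clamd")
    start_fake_clamd(sock)
    results = {"alive": clamd_query("PING", sock) == "PONG"}
    for name in ("eicar.com.txt", "clean.txt"):
        path = os.path.join(tmp, name)
        open(path, "w").close()  # constructed empty file; only its name matters here
        results[name] = clamd_scan(path, sock)
    return results
```

Against a real daemon, call `clamd_scan("/path/to/e.zip")` with the default socket path. With SCAN, clamd opens the file itself, so the file must be readable by the user clamd runs as (clamav here); a file it cannot read comes back as an ERROR reply rather than being reported clean.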

Chris Mlynarski wrote:
Hello,

I have a very strange problem with qsheff with clamav-0.88+rar3-patch (under
Debian/Sarge+up to date patches installed).

I've been using clamav for two years now, w/o any problems (clamd, clamscan, and
clamdscan are working well, and really stable).

I was doing ClamAV upgrades, but not qsheff upgrades, which was installed in
the 0.8-r3 version, with the following config:

WORKDIRPREFIX = /var/spool/qsheffq
TEMPDIRPREFIX = /var/tmp/qsheffq
LOGFILE = /var/log/qsheff.log
RULEFILE = /usr/local/etc/qsheff.rules
WBLISTFILE = /usr/local/etc/qsheff.wblist

enable_blackhole = 1
paronia_level = 0
enable_quarantine = 0
enable_wblist = 0
enable_subject_filter = 1
enable_spam_prog = 0
enable_virus_prog = 1

MIME_PROG = "/usr/local/bin/ripmime -i mesg -e -d"
MIME_PROG_OK_RET = 0
MIME_PROG_ERR_RET = -1

SPAM_PROG = "/usr/local/bin/zabit -i -d"
SPAM_PROG_OK_RET = 0
SPAM_PROG_SPAM_RET = 1
SPAM_PROG_ERR_RET = 2

VIRUS_PROG = "/usr/local/bin/clamdscan --quiet"
VIRUS_PROG_OK_RET = 0
VIRUS_PROG_VIRUS_RET = 1
VIRUS_PROG_ERR_RET = 2

QUEUE_PROG = /var/qmail/bin/qmail-queue.orig

... and all was working really good!

Last weekend I discovered ;) qsheff-2.0-r1. It has many new interesting features
(especially the advanced filters), so I decided to upgrade.

I used a configure script with the following options:

./configure --with-clamd-socket=/tmp/clamd -with-qmailgroup=qmail --with-clamav
--enable-local-users

(yes, the /tmp/clamd socket is where it should be, clamd is up and running):

srwxrwxrwx   1 clamav   clamav      0 Mar 26 14:26 clamd

... then I compiled it (w/o problems), then stopped qmail, uninstalled the
old qsheff (deleting all the remains "by hand"), and then I installed the new
one, and ran the install-wrapper.sh script (all was checked twice :))

All went (in theory) good.

Mail was delivered all the time, but... one of my users told me today that
he is receiving viruses in *.zip archives! (There was no trace in
/var/log/clamav/clamd.log of any found viruses since the new version of qsheff
was installed... strange, isn't it?)

So... I've got one *.zip archive with virus inside, and I started to investigate
it. Geez... in fact, clam(d)scan found VIRUS in the file each time!

But, when the same file is sent via SMTP from my workstation, then qsheff is
passing it to the QUEUE, and the e-mail with such an attachment is passing w/o any
troubles. WHY??

I tested this with both qsheff releases: 2.0-r1 (and now 2.0-r2), and 1.0-r5 -
in both cases there are NO ERRORS, but e-mails with viruses in attachments are
not killed, and qsheff is putting them to the queue as SAFE. :(

In qsheff 1.0-r5 I tested it with clamd enabled, and with clamd disabled and
clamdscan set as the external VIRUSPROG - e-mails are passing...

Now I can only return to 0.8-r3, and it is working well with my clamdscan, as
before, but this is not exactly what I wanted... :(

Could anyone help, pls?

Best,
-Chris

PS.
My qsheff-2.0-r2 config:

QSHEFFDIR = /var/qsheff
LOGFILE = /var/log/qsheff.log

debug_level = 99
paronia_level = 0
drop_empty_line = 1
enable_blackhole = 1
enable_quarantine = 0
enable_wblist = 0
enable_header_filter = 1
enable_body_filter = 1
enable_attach_filter = 1
enable_clamd = 1

MIME_PROG = "/usr/local/bin/ripmime"

enable_custom_prog = 0

CUSTOM_PROG = "/path/to/filter_prog -param1 -param2"
CUSTOM_PROG_OK_RET = 0
CUSTOM_PROG_CUSTOM_RET = 1
CUSTOM_PROG_ERR_RET = 2

- I'm using the newest ripmime: v1.4.0.6



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]