Re: [Mimedefang] ClamAV not detecting all viruses

2004-07-05 Thread Stewart James

 
 Anyway, as of this posting, entity_contains_virus() functions are officially
 deprecated.  They may be removed in a future version of MIMEDefang.

that's funny - I thought message_contains_virus was deprecated and
entity_contains_virus was replacing it.

That solves my problems pretty damn quick.

Thanks David,

Stewart

___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] ClamAV not detecting all viruses

2004-07-04 Thread Stewart James

Bugger. Upgraded ClamAV this morning and still having the same issues.

I have dug a little deeper. (ClamAV: 0.73 and MD: 2.41)

I have a small patch (sent back to MD) that logs which scanner found the
virus so I could do some stats about it at some stage. I see log lines
like:

Jul  5 10:00:26 lime mimedefang.pl[7204]: MDLOG,i650048S013874,scanner,TREND-HTML_Netsky.P,TREND,EMAIL1,EMAIL2,Mail Delivery (failure EMAIL2)

Great except that clamAV is run first. This morning I thought I better
look at the clamav-daemon log file. Fortunately MD uses the msgid in the
directory name, so I could search for i650048S013874. And ClamAV had
detected the virus (I checked a handful to be sure), so in the clamAV
logs I can find a corresponding line:

Mon Jul  5 10:00:26 2004 - /var/spool/MIMEDefang/mdefang-650048S013874/Work/INPUTMSG: Worm.SomeFool.P FOUND

So now my head hurts (brick wall and all). My relevant filter and
filter_begin portions are below. However, reviewing them I think I have
perhaps spotted an issue. I scan with message_contains_virus in
filter_begin and then with entity_contains_virus in filter. I am
wondering if this is the real cause of my grief (plus now I scan
everything more than needed).

Does anyone have any thoughts on it? (In the mean time I will try
altering my -filter)

Stewart


This is in sub filter_begin():

    # First scan: runs every configured scanner over the whole message.
    my($code, $category, $action) = message_contains_virus();


This is near the top of sub filter():

    if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        # Second scan of the same message, this time per entity.
        ($code, $category, $action) = entity_contains_virus($entity);
        # If you are more paranoid, change to: if ($action eq "quarantine") {
        if ($category eq "virus") {
            md_graphdefang_log('virus', $VirusName, $RelayAddr);
            md_graphdefang_log('scanner', "$VirusScanner-$VirusName",
                               $VirusScanner);

            # Bounce the mail!
            action_bounce("Virus $VirusName found in mail - rejected");

            # But quarantine the part for examination later.  Comment
            # the next line out if you don't want to bother.
            if ($VirusScanner eq "TREND") {
                action_quarantine_entire_message("Trend found a virus");
            }
            #action_quarantine($entity, "A known virus was discovered and deleted.  Virus-scanner messages follow:\n$VirusScannerMessages\n\n");

            return;
        }
        if ($action eq "tempfail") {
            action_tempfail("Problem running virus-scanner");
            md_syslog('warning', "Problem running virus scanner: code=$code, category=$category, action=$action");
        }
    }



On Wed, 2004-06-30 at 13:33 +1000, Stewart James wrote:
  Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72 
  because of a Proxy issue, so I can't confirm if it actually did get 
  fixed there.
 
 Well it's a 3 day wait (OK a couple more because that falls on a weekend
 here). I will see if 0.73 resolves it for me, if not, I can start
 looking at why not of it all.
 
 I will let the list know the outcome :)
 
 Cheers,
 
 Stewart
 



Re: [Mimedefang] ClamAV not detecting all viruses

2004-07-04 Thread Stewart James
 So now my head hurts (brick wall and all). My relevant filter and
 filter_begin portions are below. However, reviewing them I think I have
 perhaps spotted an issue. I scan with message_contains_virus in
 filter_begin and then with entity_contains_virus in filter. I am
 wondering if this is the real cause of my grief (plus now I scan
 everything more than needed).

My head's starting to recover from the weekend and I can elaborate a bit
further.

First. If I put some code in the filter_begin to reject messages, not
just run message_contains_virus, it will work better and trend will not
get called. But, the reason why is not what I can call good news.

On some viruses, ClamAV finds the virus when run by
message_contains_virus - which is good. But as my current filter does
not reject at this point and continues on to entity_contains_virus, I seem
to find a problem.

When ClamAV is then run over the same message with
entity_contains_virus, it fails to detect it and the routine falls
through to TREND.

So while I can simply put some code in filter_begin to repair my problem,
I am a little concerned that I may have found a bigger issue - namely
varied results with clamAV depending on whether it is called with
message_ or entity_

Has anyone else noticed this? Perhaps it is a bug/issue in 2.41 that has
since been fixed? I will try and dig a bit deeper and see if I can
figure out why entity_contains_virus and clamAV miss viruses that it
detected with message_contains_virus.

Cheers,

Stewart

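
One way to restructure the filter along the lines Stewart describes: scan once in filter_begin and reject or defer there, so filter() never re-scans the entity. This is an added example, not code from this thread or from the MIMEDefang distribution; it assumes MIMEDefang 2.x's message_contains_virus, action_bounce, action_tempfail, action_quarantine_entire_message, md_graphdefang_log, md_syslog and message_rejected, plus the $VirusName, $VirusScanner, $VirusScannerMessages and $RelayAddr globals that the scanner wrappers set.

```perl
# Added example (not from the thread): one scan per message, decided in
# filter_begin, so ClamAV is consulted exactly once and never re-run over
# the same entity from filter().
sub filter_begin {
    $VirusScannerMessages = "";
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        # Reject at the earliest point; no later scanner is consulted.
        md_graphdefang_log('virus', $VirusName, $RelayAddr);
        md_graphdefang_log('scanner', "$VirusScanner-$VirusName", $VirusScanner);
        action_bounce("Virus $VirusName found in mail - rejected");

        # Keep a copy only when the secondary scanner was the one that
        # flagged it, so those cases can be compared against clamd's log.
        if ($VirusScanner eq 'TREND') {
            action_quarantine_entire_message("Trend found a virus");
        }
        return;
    }

    if ($action eq 'tempfail') {
        # Scanner error: defer rather than let the message through unscanned.
        md_syslog('warning',
            "Problem running virus scanner: code=$code, category=$category, action=$action");
        action_tempfail("Problem running virus-scanner");
    }
}

sub filter {
    my ($entity, $fname, $ext, $type) = @_;

    # Nothing more to do once filter_begin has already bounced the message;
    # in particular, do not call entity_contains_virus() a second time.
    return if message_rejected();

    # ... remaining per-part checks (attachment names, types, etc.) go here ...
}
```

With this shape the MDLOG "scanner" entry is written from the single scan, so a TREND hit in the log means ClamAV genuinely missed the message rather than missing it on a second pass.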


Re: [Mimedefang] ClamAV not detecting all viruses

2004-06-29 Thread Bill Maidment
Stewart James wrote:
OK here is the situation.
I have clamav-daemon which is run before trend micro's vscan.
The majority of viruses are found by clamav with no problems. One or two
slip past and are picked up by trend.

Which version of clamav? We had this issue before we installed 0.73.
Still checking if it's OK in 0.73

Cheers
Bill


Re: [Mimedefang] ClamAV not detecting all viruses

2004-06-29 Thread Stewart James

OK.

It's .72, I remember reading somewhere it was an issue in 0.70 but had
been fixed. (and sorry to all for not including version numbers.)

Due to resource restraints (read: there is only one of me) I tend to
rely on debian packages.

A report of this issue being fixed in 0.73 is enough for me to hold out for
the debian package to hit testing (where I'm nabbing my clamav packages
from).

Thanks Bill.

If things are still the same after .73, I'll wave a chicken in the air
then re-email the issue. :)

Stewart

On Wed, 2004-06-30 at 11:07 +1000, Bill Maidment wrote:
 Stewart James wrote:
  OK here is the situation.
  
  I have clamav-daemon which is run before trend micro's vscan.
  
  The majority of viruses are found by clamav with no problems. One or two
  slip past and are picked up by trend.
  
 
 Which version of clamav? We had this issue before we installed 0.73.
 Still checking if it's OK in 0.73
 
 Cheers
 Bill



Re: [Mimedefang] ClamAV not detecting all viruses

2004-06-29 Thread Bill Maidment
Stewart James wrote:
OK.
It's .72, I remember reading somewhere it was an issue in 0.70 but had
been fixed. (and sorry to all for not including version numbers.)

Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72 
because of a Proxy issue, so I can't confirm if it actually did get 
fixed there.

Bill


Re: [Mimedefang] ClamAV not detecting all viruses

2004-06-29 Thread Stewart James

 Hmmm.. it was supposed to have been fixed in 0.72, we couldn't use 0.72 
 because of a Proxy issue, so I can't confirm if it actually did get 
 fixed there.

Well it's a 3 day wait (OK a couple more because that falls on a weekend
here). I will see if 0.73 resolves it for me, if not, I can start
looking at why not of it all.

I will let the list know the outcome :)

Cheers,

Stewart
