RE: Re: Problem with clamav plugin
You place the databases in the /var/lib/clamav (same default dir as the standard databases for clamav). Reload clamav or wait till freshclam kicks in.

/Jeroen

On Tue, 31 Jul 2007, Sujit Acharyya-Choudhury wrote:

> Thanks for the reply. How do you configure the databases downloaded from Sanesecurity for use with spamassassin?
>
> Many thanks
> Sujit
>
> -Original Message-
> From: news [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
> Sent: 30 July 2007 20:04
> To: users@spamassassin.apache.org
> Subject: Re: Problem with clamav plugin
>
> Sujit Acharyya-Choudhury wrote:
> > I am using clamav as our virus scanner on our mail gateway (exim).
> > This seems to discard a lot of e-mails. Is there any benefit of using
> > clamav for spamassassin from Sanesecurity?
>
> There's no such thing. If you meant the plugin, the answer is no; Exim will stop anything detected as virus and the plugin will never receive one (it just wastes time).
>
> If you meant using the databases from Sanesecurity, the answer is yes. They add spam and additional phishing detection that clamd uses.
> --
> René Berber
RE: Re: Problem with clamav plugin
Thanks for the reply. How do you configure the databases downloaded from Sanesecurity for use with spamassassin?

Many thanks
Sujit

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of René Berber
Sent: 30 July 2007 20:04
To: users@spamassassin.apache.org
Subject: Re: Problem with clamav plugin

Sujit Acharyya-Choudhury wrote:
> I am using clamav as our virus scanner on our mail gateway (exim).
> This seems to discard a lot of e-mails. Is there any benefit of using
> clamav for spamassassin from Sanesecurity?

There's no such thing. If you meant the plugin, the answer is no; Exim will stop anything detected as virus and the plugin will never receive one (it just wastes time).

If you meant using the databases from Sanesecurity, the answer is yes. They add spam and additional phishing detection that clamd uses.
--
René Berber
Re: Problem with clamav plugin
Sujit Acharyya-Choudhury wrote:
> I am using clamav as our virus scanner on our mail gateway (exim). This
> seems to discard a lot of e-mails. Is there any benefit of using clamav
> for spamassassin from Sanesecurity?

There's no such thing. If you meant the plugin, the answer is no; Exim will stop anything detected as virus and the plugin will never receive one (it just wastes time).

If you meant using the databases from Sanesecurity, the answer is yes. They add spam and additional phishing detection that clamd uses.
--
René Berber
RE: Problem with clamav plugin
I am using clamav as our virus scanner on our mail gateway (exim). This seems to discard a lot of e-mails. Is there any benefit of using clamav for spamassassin from Sanesecurity?

Regards
Sujit

-Original Message-
From: OliverScott [mailto:[EMAIL PROTECTED]
Sent: 24 July 2007 14:44
To: users@spamassassin.apache.org
Subject: Re: Problem with clamav plugin

You need to set a high priority for the meta rules as otherwise they are evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in how SA works, but I eventually came up with the following solution (for using several different 3rd party clamav signatures):

This is my clamav.cf file:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001

# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/

# Give the above rules a very late priority so that they can see the output
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH
priority __CLAMAV_SANE
priority __CLAMAV_MBL
priority __CLAMAV_MSRBL

# Work out what ClamAV detected and score accordingly
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 20.0

meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE)
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 10.0

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 7.5

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0

In your case you could fix what you have done (which looks to be taken from one of my previous messages while trying to get this to work myself?) by making it:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priorty __MY_CLAMAV
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priorty __MY_CLAMAV_SANE
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5

Hope this helps!

--
View this message in context: http://www.nabble.com/Problem-with-clamav-plugin-tf4135813.html#a11763227
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Problem with clamav plugin
On 7/24/07, OliverScott <[EMAIL PROTECTED]> wrote:
> You need to set a high priority for the meta rules as otherwise they are
> evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert
> in how SA works, but I eventually came up with the following solution (for
> using several different 3rd party clamav signatures):
>
> This is my clamav.cf file:
>
> loadplugin ClamAV clamav.pm
> full CLAMAV eval:check_clamav()
> describe CLAMAV Clam AntiVirus detected something...
> score CLAMAV 0.001
>
> # Look for specific types of ClamAV detections
> header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
> header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
> header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
> header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/

[snip]

While playing with this, I found that I needed to change my rules a little. Some of the Sane security sigs were being picked up as viruses, due to the "Sanesecurity" string being 22 (or so) characters away from the Yes at the start of the X-Spam-Virus header.

header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,30}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,30}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,30}MSRBL/

Thanks for your work on this, and hopefully this reduces false positives for some folks.
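
Added example, not part of the thread: a Python model of the meta rules in the clamav.cf above (these patterns behave the same under Python's `re` as in the Perl regexes of the .cf file), showing how a signature name that pushes "Sanesecurity" outside the `{1,N}` window falls through to CLAMAV_VIRUS at 20.0. The two longer header values and the parenthesis-anchored patterns are assumptions constructed for illustration.

```python
import re

# Header value reported in the thread, plus two constructed values whose
# signature names push "Sanesecurity" further away from "Yes".
FROM_THREAD = "Yes (Email.Stk.Gen596.Sanesecurity.07071900.pdf)"
CONSTRUCTED_21 = "Yes (Email.Spam.Gen3042.Sanesecurity.07072300)"
CONSTRUCTED_38 = "Yes (Email.Phishing.Bank.Gen1234.Variant.Sanesecurity.07072300)"

def bounded_rules(window):
    """The thread's sub-rules, /Yes.{1,N}Name/, with N = window."""
    prefix = "Yes.{1,%d}" % window
    return {"PHISH": re.compile(prefix + "Phishing", re.I),
            "SANE": re.compile(prefix + "Sanesecurity", re.I),
            "MBL": re.compile(prefix + "MBL"),
            "MSRBL": re.compile(prefix + "MSRBL")}

def anchored_rules():
    """Assumed alternative: look anywhere inside the parenthesised name."""
    def inside(name, flags=0):
        return re.compile(r"^Yes \([^)]*" + name, flags)
    return {"PHISH": inside("Phishing", re.I), "SANE": inside("Sanesecurity", re.I),
            "MBL": inside("MBL"), "MSRBL": inside("MSRBL")}

def classify(header, rules):
    """Evaluate the meta rules; returns the (rule, score) pairs that fire."""
    if not header.startswith("Yes"):  # assumption: CLAMAV fired iff "Yes ..."
        return []
    hit = {name: bool(rx.search(header)) for name, rx in rules.items()}
    fired = []
    if not any(hit.values()):
        fired.append(("CLAMAV_VIRUS", 20.0))
    if hit["PHISH"] and not hit["SANE"]:
        fired.append(("CLAMAV_PHISH", 10.0))
    if hit["SANE"]:
        fired.append(("CLAMAV_SANE", 7.5))
    if hit["MBL"]:
        fired.append(("CLAMAV_MBL", 7.5))
    if hit["MSRBL"]:
        fired.append(("CLAMAV_MSRBL", 2.0))
    return fired

if __name__ == "__main__":
    for header in (FROM_THREAD, CONSTRUCTED_21, CONSTRUCTED_38):
        for label, rules in (("{1,20}", bounded_rules(20)),
                             ("{1,30}", bounded_rules(30)),
                             ("anchored", anchored_rules())):
            print(label, header, classify(header, rules))
```

Any fixed window can be outgrown by a longer signature name; the anchored form only depends on the `Yes (name)` layout of the header.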
Re: Problem with clamav plugin
On 07/24/07 15:43, OliverScott wrote:
> full CLAMAV eval:check_clamav()
> describe CLAMAV Clam AntiVirus detected something...
> score CLAMAV 0.001

If you don't want CLAMAV to score (high), apparently you can rename it to __CLAMAV, works fine here.

To make the meta rule work too, I had to give it a higher priority number than the header rules, so that my working clamav.cf is now:

loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus
header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998
meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE
score MY_CLAMAV_SANE 5

wolfgang
Re: Problem with clamav plugin
On 07/24/07 15:43, OliverScott wrote:
> You need to set a high priority for the meta rules as otherwise they are
> evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert
> in how SA works, but I eventually came up with the following solution (for
> using several different 3rd party clamav signatures):
>
> In your case you could fix what you have done (which looks to be taken from
> one of my previous messages while trying to get this to work myself?) by
> making it:
>
> header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> priority __MY_CLAMAV
> header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> priority __MY_CLAMAV_SANE
> meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
> score MY_CLAMAV_SANE 5

(typo fixed)

> Hope this helps!

Yes, it does! Thanks a lot,

wolfgang
Re: Problem with clamav plugin
You need to set a high priority for the meta rules as otherwise they are evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in how SA works, but I eventually came up with the following solution (for using several different 3rd party clamav signatures):

This is my clamav.cf file:

loadplugin ClamAV clamav.pm
full CLAMAV eval:check_clamav()
describe CLAMAV Clam AntiVirus detected something...
score CLAMAV 0.001

# Look for specific types of ClamAV detections
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/

# Give the above rules a very late priority so that they can see the output
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH
priority __CLAMAV_SANE
priority __CLAMAV_MBL
priority __CLAMAV_MSRBL

# Work out what ClamAV detected and score accordingly
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures
score CLAMAV_VIRUS 20.0

meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE)
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
score CLAMAV_PHISH 10.0

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
score CLAMAV_SANE 7.5

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
describe CLAMAV_MBL Malware found by ClamAV MBL signatures
score CLAMAV_MBL 7.5

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0

In your case you could fix what you have done (which looks to be taken from one of my previous messages while trying to get this to work myself?) by making it:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priorty __MY_CLAMAV
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priorty __MY_CLAMAV_SANE
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5

Hope this helps!

--
View this message in context: http://www.nabble.com/Problem-with-clamav-plugin-tf4135813.html#a11763227
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Problem with clamav plugin
In SA 3.1.8, I am trying to use the clamav plugin from http://wiki.apache.org/spamassassin/ClamAVPlugin

spamassassin -t -D output includes

dbg: ClamAV: Detected virus: Email.Stk.Gen596.Sanesecurity.07071900.pdf

It adds a header

X-Spam-Virus: Yes (Email.Stk.Gen596.Sanesecurity.07071900.pdf)

all right, but additional rules to check for sanesecurity "virus" names are not matched.

Rules:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5

Any suggestions what is going wrong?

Regards,
wolfgang
Re: Problem with ClamAV plugin.
At 03:09 PM 12/21/2004, Cameron Bales wrote:
> I'm running CGPSA 1.4f4 under Communigate 4.2.7 and SpamAssassin 3.0.1.
>
> I've installed ClamAV 0.8 and the SpamAssassin ClamAV plugin as described here:
> http://wiki.apache.org/spamassassin/ClamAVPlugin
>
> I get the following error in my mail headers:
>
> X-Spam-Virus: Error (Cannot connect to 'localhost:3310': IO::Socket::INET: connect: Invalid argument)
>
> I know SpamAssassin is working fine, Clamscan works for files. My testing
> server is behind a firewall and has no firewall of its own so port 3310 is open.

Did you start clamd?

Have you modified clamd.conf to uncomment the "TCPSocket 3310" line?

It appears this module uses clamd to do its work, and does so with a non-default setting for clamd, but nobody documented that in the wiki...
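
A check for the clamd.conf condition raised in the reply above, added here as an example and not part of the thread. The sample config texts are constructed; `TCPSocket` and `TCPAddr` are clamd.conf directives, and the loopback finding is an added hardening point, since clamd's command socket has no authentication and binds to all interfaces when `TCPAddr` is unset.

```python
def active_directives(conf_text):
    """Map directive -> value for every uncommented clamd.conf line."""
    active = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        active[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return active

def check_plugin_can_connect(conf_text, port="3310"):
    """Findings for a plugin that connects to localhost:<port> over TCP."""
    conf = active_directives(conf_text)
    findings = []
    if "TCPSocket" not in conf:
        findings.append("no-tcp: TCPSocket is not active, nothing listens on " + port)
        return findings
    if conf["TCPSocket"] != port:
        findings.append("port-mismatch: clamd listens on %s, plugin uses %s"
                        % (conf["TCPSocket"], port))
    if "TCPAddr" not in conf:
        findings.append("all-interfaces: TCPAddr unset, set it to 127.0.0.1")
    return findings

# Constructed samples: the sample file as shipped (TCP line commented out),
# the fix from the reply, and the fix plus a loopback bind.
AS_SHIPPED = "#TCPSocket 3310\n#TCPAddr 127.0.0.1\nLocalSocket /tmp/clamd\n"
UNCOMMENTED = "TCPSocket 3310\n#TCPAddr 127.0.0.1\n"
LOOPBACK_ONLY = "TCPSocket 3310\nTCPAddr 127.0.0.1\n"

if __name__ == "__main__":
    for name, text in (("as shipped", AS_SHIPPED),
                       ("uncommented", UNCOMMENTED),
                       ("loopback only", LOOPBACK_ONLY)):
        print(name, check_plugin_can_connect(text) or "ok")
```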
Problem with ClamAV plugin.
Hi.

I'm running CGPSA 1.4f4 under Communigate 4.2.7 and SpamAssassin 3.0.1.

I've installed ClamAV 0.8 and the SpamAssassin ClamAV plugin as described here:
http://wiki.apache.org/spamassassin/ClamAVPlugin

I get the following error in my mail headers:

X-Spam-Virus: Error (Cannot connect to 'localhost:3310': IO::Socket::INET: connect: Invalid argument)

I know SpamAssassin is working fine, Clamscan works for files. My testing server is behind a firewall and has no firewall of its own so port 3310 is open.

Any suggestions would be appreciated!

Cameron .:.
--
Cameron Bales .:. www.bales.ca
[EMAIL PROTECTED] [EMAIL PROTECTED]