1. >> We haven't detected a trailing backslash issue with clamdscan.exe being called from Declude. <<

My Declude creates a temporary folder C:\imail\spool\proc\work\Dxxxxxxxxxxxxxx.vir\ where it "unravels" the nested MIME attachments that belong to a single mail as individual files and then it attempts to scan the entire temporary folder content by launching:

CLAMDSCAN.EXE -v --no-summary -l report.txt C:\imail\spool\proc\work\Dxxxxxxxxxxxxxx.vir\

The problem is that the W32.ClamAV.net build will return "No such file or directory" (under Windows 2003) if you pass a trailing slash. It WOULD work and scan the entire folder ONLY if the trailing backslash is omitted.

I'm curious - in your system, what happens when you do:

ClamDScan c:\windows\

vs.

ClamDScan c:\windows

2. Your page http://www.armresearch.com/tools/arm/clamAID.jsp states:

"Navigate to the <mail-application>\declude\ directory under Imail or Smartermail. Find the virus.cfg file. The file should now have an entry: #CLAMAV_CLAMAID SCANFILE D:\PROGRA~1\ClamAV\CLAMDS~1.EXE -v --config-file="D:\PROGRA~1\ClamAV\conf\clamd.conf" --no-summary -l D:\PROGRA~1\ClamAV\log\report.txt VIRUSCODE 1"

If this is true, then on a busy server, multiple concurrent ClamAV processes would be attempting to write into the SAME "report.txt" file in the CLAMAV program files folder - causing concurrency problems or "locked file" problems. The best approach would be to leave out the path information and let ClamAV create a unique Report.txt file in the distinct temporary folder that is created for each message!

>> I have read about this in some reports, and I've used the Declude recommended call for calling Clam... I'd like more information if you have <<

The ClamAV report file will have the following format:

--------------------------------------
C:\Maintenance\Eicar.com: Eicar-Test-Signature FOUND

Declude will parse that Report.txt file and NOT expect to see the "---" divider line AND will look for the word "FOUND" and expect the virus name AFTER the search token "FOUND". Consequently the parsing will fail.

Declude WILL recognize the error level and know that the email was infected, but neither the Declude log NOR the virus notification emails will report a sensible virus name.

>> So the correct view of what is happening should be being logged on the ClamAV side, if not fully transparent through Declude. <<

The virus notification emails are wrong and those of us who generate anti-virus reports by scanning the declude virus logfiles will get nonsense reporting.

>> if you have it on your specific solution of the name-disconnect <<

Well, it's fairly simple. The script I had sent in my post two days ago does the following:

a) trim the trailing backslash from the path if any is found
b) read and parse the ClamAV report.txt file and outputs a new Report.txt file that uses a format that's parsable by Declude.

Best Regards,
Andy Schmidt
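The two steps a) and b) described in the message above, as an added Python example; it is not the script from the post. The output layout (the token `FOUND` followed by the signature name) is an assumption drawn from the message's description of what Declude looks for, and the function names are hypothetical.

```python
import re

# ClamAV writes a run of dashes before the results; Declude does not expect it.
DIVIDER = re.compile(r"^-{3,}\s*$")
TOKEN = " FOUND"

# Constructed sample in the report format quoted in the message.
SAMPLE_REPORT = (
    "--------------------------------------\n"
    r"C:\Maintenance\Eicar.com: Eicar-Test-Signature FOUND" "\n"
)


def trim_trailing_backslash(path: str) -> str:
    """Step a): drop trailing backslashes so clamdscan accepts the folder."""
    stripped = path.rstrip("\\")
    if not stripped:
        return path              # nothing but backslashes (or empty): leave alone
    if stripped.endswith(":"):
        return stripped + "\\"   # drive root such as C:\ must keep its backslash
    return stripped


def rewrite_report(text: str) -> str:
    """Step b): drop the divider and put the signature name after FOUND.

    Assumed target layout: "<file>: FOUND <signature>".
    """
    out = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or DIVIDER.match(line):
            continue
        if line.endswith(TOKEN):
            # Split on the last ": " so the drive-letter colon is not touched.
            target, sep, name = line[: -len(TOKEN)].rpartition(": ")
            if sep and name:
                out.append(f"{target}: FOUND {name}")
                continue
        out.append(line)         # pass through anything that is not a detection
    return "\n".join(out) + ("\n" if out else "")


if __name__ == "__main__":
    print(trim_trailing_backslash("C:\\imail\\spool\\proc\\work\\Dxxxxxxxxxxxxxx.vir\\"))
    print(rewrite_report(SAMPLE_REPORT), end="")
```

Writing the rewritten report into the per-message temporary folder, rather than a shared path, also avoids the concurrent-write problem raised in point 2.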