You need to set a high priority for the meta rules as otherwise they are evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in how SA works, but I eventually came up with the following solution (for using several different 3rd party clamav signatures):
This is my clamav.cf file: loadplugin ClamAV clamav.pm full CLAMAV eval:check_clamav() describe CLAMAV Clam AntiVirus detected something... score CLAMAV 0.001 # Look for specific types of ClamAV detections header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/ header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/ # Give the above rules a very late priority so that they can see the output # of previous rules - otherwise they don't work! Not sure what the correct # priority should be but this seems to work... priority __CLAMAV_PHISH 9999 priority __CLAMAV_SANE 9999 priority __CLAMAV_MBL 9999 priority __CLAMAV_MSRBL 9999 # Work out what ClamAV detected and score accordingly meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL) describe CLAMAV_VIRUS Virus found by ClamAV default signatures score CLAMAV_VIRUS 20.0 meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE) describe CLAMAV_PHISH Phishing email found by ClamAV default signatures score CLAMAV_PHISH 10.0 meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE) describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures score CLAMAV_SANE 7.5 meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL) describe CLAMAV_MBL Malware found by ClamAV MBL signatures score CLAMAV_MBL 7.5 meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL) describe CLAMAV_MSRBL SPAM found by ClamAV MRSBL signatures score CLAMAV_MSRBL 2.0 In your case you could fix what you have done (which looks to be taken from one of my previous messages while trying to get this to work myself?) by making it: header __MY_CLAMAV X-Spam-Virus =~ /Yes/i priorty __MY_CLAMAV 9999 header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i priorty __MY_CLAMAV_SANE 9999 meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE) score MY_CLAMAV_SANE 5 Hope this helps! -- View this message in context: http://www.nabble.com/Problem-with-clamav-plugin-tf4135813.html#a11763227 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.