Re: Problem with clamav plugin

Tue, 24 Jul 2007 06:43:54 -0700 

You need to set a high priority for the meta rules as otherwise they are
evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in
how SA works, but I eventually came up with the following solution (for
using several different 3rd party clamav signatures):

This is my clamav.cf file:

loadplugin ClamAV clamav.pm 
full CLAMAV eval:check_clamav() 
describe CLAMAV Clam AntiVirus detected something... 
score CLAMAV 0.001 

# Look for specific types of ClamAV detections 
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i 
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i 
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/ 
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/ 

# Give the above rules a very late priority so that they can see the output 
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH 9999 
priority __CLAMAV_SANE 9999 
priority __CLAMAV_MBL 9999 
priority __CLAMAV_MSRBL 9999 

# Work out what ClamAV detected and score accordingly 
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE &&
!__CLAMAV_MBL && !__CLAMAV_MSRBL) 
describe CLAMAV_VIRUS Virus found by ClamAV default signatures 
score CLAMAV_VIRUS 20.0 

meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE) 
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures 
score CLAMAV_PHISH 10.0 

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE) 
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures 
score CLAMAV_SANE 7.5 

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL) 
describe CLAMAV_MBL Malware found by ClamAV MBL signatures 
score CLAMAV_MBL 7.5 

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL) 
describe CLAMAV_MSRBL SPAM found by ClamAV MRSBL signatures 
score CLAMAV_MSRBL 2.0 



In your case you could fix what you have done (which looks to be taken from
one of my previous messages while trying to get this to work myself?) by
making it:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priorty __MY_CLAMAV 9999
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priorty __MY_CLAMAV_SANE 9999
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE) 
score MY_CLAMAV_SANE 5 


Hope this helps!
-- 
View this message in context: 
http://www.nabble.com/Problem-with-clamav-plugin-tf4135813.html#a11763227
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Reply via email to