I'm not sure if this is what he's referring to, but most (all?) of the 
ClamAV filters I've seen posted for Xmail will not catch all test virus 
samples from places like http://www.webmail.us/testvirus

In order to catch all of them, the filters need to strip Xmail's special 
header information (strip everything up to and including <<MAIL-DATA>>), 
and add a "Return-Path" header to the top before scanning.


Chris L. Franklin wrote:

>Jeffrey Laramie wrote:
>
>>On Friday 21 October 2005 06:01, jonn ah wrote:
>>
>>>hi all,
>>>
>>>Can anybody tell me which av filters (clamav) work on
>>>xmail?  I followed chris franklin's directions on his
>>>av filter with xmail but it doesn't detect eicar's test
>>>virus when I send it thru xmail...
>>>
>>This page has a list of XMail filters at the bottom. Check out the links to 
>>see which AV programs they support:
>>
>>http://www.ubaight.com/xmail/index.html
>>
>>If you're using Lindeman's Antivirus Filter there are instructions for Linux 
>>here:
>>
>>http://www.ubaight.com/xmail/xmailhandbook.html#Lindeman
>>
>>Jeff
>>-
>>To unsubscribe from this list: send the line "unsubscribe xmail" in
>>the body of a message to [EMAIL PROTECTED]
>>For general help: send the line "help" in the body of a message to
>>[EMAIL PROTECTED]
>
>I don't mean to be rude or anything. But if the script isn't catching 
>viruses right then you probably don't have
>
>A) ClamD running and configured right
>B) You don't have the script installed right
>
>Here's the log from the test viruses I just sent
>
>Fri Oct 21 08:50:21 2005 -> /tmp/msrva5bfdbb0.16f90.tmp: Eicar-Test-Signature FOUND
>Fri Oct 21 08:51:05 2005 -> /tmp/msrva5bfdbb0.1701d.tmp: Eicar-Test-Signature FOUND
>Fri Oct 21 08:51:25 2005 -> /tmp/msrva5bfdbb0.1705b.tmp: Eicar-Test-Signature FOUND
>Fri Oct 21 08:52:25 2005 -> /tmp/msrva5bfdbb0.17111.tmp: Eicar-Test-Signature FOUND
>Fri Oct 21 08:56:11 2005 -> /tmp/msrva5bfdbb0.173bb.tmp: Eicar-Test-Signature FOUND
>
>The script is too simple to really cause any problem
>
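>[Code]
>#!/bin/bash
>### Config
># Arguments as passed by filters.post-data.tab: @@FILE @@REMOTEADDR @@USERAUTH
>File="$1"
>RejFile="$File.rej"
>RemoteAddress="$2"
>Authuser="$3"
>timestamp=`date +%s`
>date=`date +%Y%m%d000`
>nowtime=`date +%r`
>
>### Doing Stuff
># clamdscan prints "<file>: <signature> FOUND" on a hit and "<file>: OK" otherwise
>ClamAV='clamdscan --no-summary --stdout'
>run=`$ClamAV "$File"`
>Found=`echo "$run" | awk '{print $3}'`   # "FOUND" on a hit, empty when clean
>Virus=`echo "$run" | awk '{print $2}'`   # signature name, or "OK"
>
>### Log
>echo "$nowtime  $RemoteAddress  $Authuser       $Virus" >> "/var/MailRoot/logs/anti-virus-$date"
>
>### Exiting
># On a hit, write the rejection text to the .rej file and exit 3
>if [ -n "$Found" ]; then
> echo "550     Virus : $Virus Found in Email   "  > "$RejFile"
> exit 3
>fi
>[/Code]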
>
>And the Filter code is just as easy.
>
>/var/MailRoot/filters.post-data.tab
>
>[Code]
>"/var/MailRoot/filters/anti-virus.sh"   "@@FILE"        "@@REMOTEADDR"  "@@USERAUTH"
>[/Code]

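The preprocessing described at the top of this message, as an added example that is not from the original posts: drop the Xmail preamble through `<<MAIL-DATA>>` and prepend a Return-Path header before the message goes to clamdscan. The function names are hypothetical, and taking the Return-Path value from a `MAIL FROM:` line in the preamble is an assumption; the message does not say where the address comes from.

```bash
#!/bin/bash
# Added example (not from the thread). Function names are hypothetical.
# Assumption: the XMail preamble carries a "MAIL FROM:<addr>" line before
# the <<MAIL-DATA>> marker; that address becomes the Return-Path value.

# prepare_for_scan SPOOLFILE OUTFILE
# Writes "Return-Path: <sender>" plus everything after the first marker line.
# Returns 1 and removes OUTFILE when the marker is missing.
prepare_for_scan() {
    awk -v m='<<MAIL-DATA>>' '
        found { print; next }              # message proper: copy unchanged
        {
            line = $0
            eol = sub(/\r$/, "", line) ? "\r" : ""   # keep CRLF or LF style
            if (toupper(line) ~ /^MAIL FROM:/ && match(line, /<[^>]*>/))
                sender = substr(line, RSTART, RLENGTH)
            if (line == m) {               # exact marker line only
                found = 1
                print "Return-Path: " (sender == "" ? "<>" : sender) eol
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1" > "$2" || { rm -f "$2"; return 1; }
}

# scan_spool SPOOLFILE
# Returns clamdscan's status: 0 clean, 1 virus found, 2 error.
scan_spool() {
    local tmp rc
    tmp=$(mktemp) || return 2
    # No marker: scan the file as-is rather than skipping the scan.
    prepare_for_scan "$1" "$tmp" || cp -- "$1" "$tmp" || return 2
    # Feed the copy on stdin so clamd does not need read access to $tmp.
    clamdscan --no-summary --stdout - < "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
```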