Scott Lambert wrote:
> [...]
> There is also trashscan in the clamav source tarball. It at least
> doesn't seem to require perl.
Yes, that's on the contrib page.
> But I'm doing ok with just the --mbox option. It's not perfect, but we
> have never guaranteed our customers "no viruses". It gets a very large
> percentage of the current crop and keeps our support questions down.
>
> If I had more CPU on the mail server, I would try harder to do it right.
THIS IS ALL PROBABLY HIGHLY VERSION DEPENDENT! I think clam is great, so
don't want anybody to think this is any more than my prolonged
experience in discovering the joys of reading (and heeding) the fine
manpage.
Just to fast-motion what was a few days' frustration for me:
--- begin fast-motion replay ---
I'm using the precompiled binaries for Debian testing (sarge):
# clamscan -V
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030916
OK, try this:
1. Find a copy of a message in mbox format infected with Bagle, and test
it with something you know WILL find it:
# f-prot msg.8AIB
Virus scanning report - 8 March 2004 @ 12:43
[...]
/home/spamd/VirusArchive/msg.8AIB->cda.zip->wleqncmf.exe Infection:
W32/Bagle.C@mm
[...]
2. Try calling it via stdin with --mbox:
# cat msg.8AIB| clamscan --stdout --disable-summary --mbox -
/tmp/4754c17f704e4cf3/Jennyqa4dsY: OK
/tmp/4754c17f704e4cf3/daadb.zipQPhDd4.zip: Worm.Bagle.A3 FOUND
(at this point, I thought I was done. I merrily posted to this list
crying Eureka!)
3. Read the caveat on the manpage about --mbox. Heed several posters
calling attention to it. Try calling it via stdin without --mbox (i.e.
:0 b procmail recipes):
# cat msg.8AIB| clamscan --stdout --disable-summary -
stdin: OK
(at this point, I realized avoiding --mbox would be a problem.)
4. Try scanning that same file with clamav with the --mbox option:
# clamscan --stdout --disable-summary --mbox msg.8AIB
msg.8AIB: OK
(at this point, we'd meandered down a procmail exercise in futility.)
5. Un-encode the message attachments and scan:
# cat ../msg.8AIB | munpack
munpack: reading from standard input
tempdesc.txt: File exists
cda.zip (application/octet-stream)
# clamdscan --stdout --disable-summary
/home/spamd/VirusArchive/bageltest/cda.zip: Worm.Bagle.A3 FOUND
(at this point, I'd read enough to have the impression that scanning
files (not stdin) *WITHOUT* --mbox is probably a safe bet.)
--- end fast-motion replay ---
In short: Calling clamscan/clamdscan from procmail (or rather, scanning
stdin and/or the --mbox option) may yield unexpected results which can
be a problem with anti-virus.
I decided to start cross-checking results to play it safe, so installed
f-prot and bitdefender (both for my debian 386 install). (I realize this
isn't a scalable ISP solution.) They each are called in very different
ways, and yield very different results. I also realized that though very
powerful, procmail was not necessarily the best tool for this job (not
to say it can't be done), so I started on those shell scripts I
mentioned previously.
I since discovered James Lick's clamassassin script
(http://drivel.com/clamassassin/) which uses a similar approach (save
and scan message as file), and I prefer his embedded header (à la
spamassassin) approach. I still plan to incorporate decoding of
mime-encoded messages just to play safe. I've created a version for
f-prot and am working on one for bitdefender. It's worth mentioning that
bitdefender is happiest when scanning unencoded files as well, so all
this extra effort is worth it for me.
At this point, both clamav and f-prot are working (bitdefender to
follow), inserting X-Virus-Status-<name>: and X-Virus-Report-<name>:
headers. Initial tests with a handful of viruses indicate that both
work, but each misses some the other doesn't.
I'm still testing with testvirus.org.
- Bob
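As an added illustration (not Bob's scripts and not clamassassin) of the save-and-scan approach the post settles on: the message arriving on stdin is written to a temporary file, that file (not stdin, and without --mbox) is handed to clamscan, and the scanner's exit code drives the X-Virus-Status-<name> / X-Virus-Report-<name> headers. It assumes clamscan's documented exit codes (0 clean, 1 infected, anything else an error), that SCANNER and SCAN_OPTS may be overridden (e.g. to point at f-prot), and it leaves out the munpack decoding step.

```shell
#!/bin/sh
# Scan a mail message as a file, the way the post found reliable, and
# prepend X-Virus-Status-<name>/X-Virus-Report-<name> headers.
# Assumptions: SCANNER/SCAN_OPTS overridable; clamscan-style exit codes.

SCANNER="${SCANNER:-clamscan}"
SCAN_OPTS="${SCAN_OPTS:---stdout --disable-summary}"

# Map a scanner exit code to a header-friendly status word.
classify_exit() {
    case $1 in
        0) printf 'Clean\n' ;;
        1) printf 'Infected\n' ;;
        *) printf 'Error\n' ;;
    esac
}

# Scan one file; print "status<TAB>one-line report" to stdout.
scan_file() {
    file=$1
    # Capture output and exit code without tripping `set -e` callers.
    report=$("$SCANNER" $SCAN_OPTS "$file" 2>&1) && rc=0 || rc=$?
    status=$(classify_exit "$rc")
    # Collapse the report to a single line so it fits in one header.
    report=$(printf '%s' "$report" | tr '\n' ' ' | sed 's/[[:space:]]*$//')
    printf '%s\t%s\n' "$status" "$report"
}

# Filter: read a message on stdin, scan it from a temp file (never from
# stdin, never with --mbox), emit headers then the unchanged message.
# Suitable for a procmail ":0 fw" recipe: | add_virus_headers clamav
add_virus_headers() {
    name=$1
    tab=$(printf '\t')
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    result=$(scan_file "$tmp")
    status=${result%%"$tab"*}
    report=${result#*"$tab"}
    printf 'X-Virus-Status-%s: %s\n' "$name" "$status"
    printf 'X-Virus-Report-%s: %s\n' "$name" "$report"
    cat "$tmp"
    rm -f "$tmp"
}
```

Because the scanner sees a real file, the report line carries the temp path rather than "stdin:", which is also what the post's step 5 shows for the decoded attachment.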