Mailing List Archive

OT: Using ClamAV anti-virus with procmail
For those of you who are using SA with procmail, and also want to do virus
filtering, you can install/config ClamAV (http://www.clamav.net/), then add
these lines to your procmailrc file:

:0wc
| clamdscan -

:0efw
| formail -b -f -t -I "X-Clamav-status: yes"

This will add "X-Clamav-status: yes" to any message that is found to have
a virus, or causes clamdscan to generate an error. Someone who's better at
procmail than I could change the ":0efw" rule so that it only goes into
effect if the return code of "clamdscan" is 1 (0 = no virus, 1 = virus, 2 =
error).

--
Give a man a match, and he'll be warm for a minute, but set him on
fire, and he'll be warm for the rest of his life.

Advanced SPAM filtering software: http://spamassassin.org
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 04:14 am, Ed Kasky wrote:
> :0w
>
> VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -

I found that I had to remove the "w" from ":0w" to get this to work. Don't
know why.

--
Give a man a match, and he'll be warm for a minute, but set him on
fire, and he'll be warm for the rest of his life.

Advanced SPAM filtering software: http://spamassassin.org
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 05:04 am, Bob George wrote:

> Yes, we went through that last time around. But there were still issues
> with reading from stdin reliably.

Searching through the archives, this seems to be a problem on BSD, but not
Linux. Have you encountered this problem on Linux?


--
Give a man a match, and he'll be warm for a minute, but set him on
fire, and he'll be warm for the rest of his life.

Advanced SPAM filtering software: http://spamassassin.org
Re: OT: Using ClamAV anti-virus with procmail
I found this while digging in the archives for hints on how to set up
Clamav. I have been testing it for a few days now with no problems

# Scan for viruses
:0w
VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -

:0hfw
* VIRUS ?? ^.*: \/.* FOUND
| formail -A "X-Virus-Status: Yes, $MATCH"

:0Ehfw
| formail -A "X-Virus-Status: No"

# Move Positives to quarantine
:0:
* ^X-Virus-Status: Yes
/home/ed/mail/quarantine


At 7:49pm +0000 3/7/04, Matthew Cline wrote:

>For those of you who are using SA with procmail, and also want to do virus
>filtering, you can install/config ClamAV (http://www.clamav.net/), then add
>these lines to your procmailrc file:
>
> :0wc
> | clamdscan -
>
> :0efw
> | formail -b -f -t -I "X-Clamav-status: yes"
>
>This will add "X-Clamav-status: yes" to any message that is found to have
>a virus, or causes clamdscan to generate an error. Someone who's better at
>procmail than I could change the ":0efw" rule so that it only goes into
>effect if the return code of "clamdscan" is 1 (0 = no virus, 1 = virus, 2 =
error).

Ed Kasky

Randomly Generated Quote:
"Who is rich? He that is content. Who is that? Nobody."
--Benjamin Franklin
Re: OT: Using ClamAV anti-virus with procmail
Matthew Cline wrote:

> For those of you who are using SA with procmail, and also want to do
> virus filtering, you can install/config ClamAV
> (http://www.clamav.net/), then add these lines to your procmailrc file:
>
> :0wc
> | clamdscan -
>
> :0efw
> | formail -b -f -t -I "X-Clamav-status: yes"
>
> This will add "X-Clamav-status: yes" to any message that is found
> to have a virus, or causes clamdscan to generate an error. Someone
> who's better at procmail than I could change the ":0efw" rule so that
> it only goes into effect if the return code of "clamdscan" is 1 (0 =
> no virus, 1 = virus, 2 = error).
>
>
Matthew,

I spent some time working with exactly this (calling clamdscan directly
from procmail) and ran into some inconsistencies. From some (brief)
research, there apparently are some issues (perhaps best discussed on
the clamav list) with calling clamdscan to check stdin.

When I fed test messages in via procmail, all seemed OK. But "clamdscan
- < testmessage" wasn't always consistent. At least enough so I wasn't
comfortable using that approach. Have you tested this thoroughly?
Instead, I'm sticking to wrapper scripts to extract files, then scan.
(I'm also using f-prot for cross-checking).

The whole ugly saga can be found in the archives for this and the
procmail lists. :(

Don't get me wrong. Clamav is a WONDERFUL tool. There just seem to be
caveats about using it to scan mail files -- perhaps with varying
encodings? -- via stdin, and with the --mbox option.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
Matthew Cline wrote:

>On Monday 08 March 2004 04:14 am, Ed Kasky wrote:
>
>
>>:0w
>>
>>VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -
>>
>>
>
>I found that I had to remove the "w" from ":0w" to get this to work. Don't
>know why.
>
>
Yes, we went through that last time around. But there were still issues
with reading from stdin reliably.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
At 12:04am -0500 3/8/04, Bob George wrote:

>Matthew Cline wrote:
>
>>On Monday 08 March 2004 04:14 am, Ed Kasky wrote:
>>
>>
>>>:0w
>>>
>>>VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -
>>>
>>>
>>
>>I found that I had to remove the "w" from ":0w" to get this to
>>work. Don't know why.
>>
>>
>Yes, we went through that last time around. But there were still
>issues with reading from stdin reliably.

Have you tried setting up ClamAv-Milter to scan at the MTA? After
reading the concerns about reliability, I went back and did some more
reading of the Clamav archives. It seems the more reliable of the 2
implementations.


Ed Kasky

Randomly Generated Quote:
"Washington is a city of Southern efficiency and Northern charm."
--John Fitzgerald Kennedy
Re: OT: Using ClamAV anti-virus with procmail
Ed Kasky wrote:

> [...]
> Have you tried setting up ClamAv-Milter to scan at the MTA? After
> reading the concerns about reliability, I went back and did some more
> reading of the Clamav archives. It seems the more reliable of the 2
> implementations.

No, I haven't gone that far. I'm doing other testing, so calling the
script to extract, then scan is working well. I just wanted to point out
that direct-from-procmail is attractive, but has drawbacks.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
Matthew Cline wrote:

>[...]
>Searching through the archives, this seems to be a problem on BSD, but not
>Linux. Have you encountered this problem on Linux?
>
>
Yes, Linux here. Someone reported problem on BSD and I reproduced it.
Message fed thru procmail and virus was detected fine. But if fed thru
same command on command line, it failed. Got varying results, so end
result was: Everything I read indicated scanning files was "preferred."

We went through a LONG process of optimizing the calls, both on this
list, and on procmail list. Wound up sticking with a shell wrapper
script to extract and scan.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 04:41 pm, Morris Jones wrote:
> On Sun, 7 Mar 2004, Matthew Cline wrote:
> > On Monday 08 March 2004 04:14 am, Ed Kasky wrote:
> > > :0w
> > >
> > > VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -
> >
> > I found that I had to remove the "w" from ":0w" to get this to work.
> > Don't know why.
>
> Are you sure that's working? I couldn't use clamdscan with the --mbox
> option, and had to change it to clamscan, among other problems. I need
> to document all that.

Since "clamdscan" uses the daemon, you'll need to enable ScanMail, ScanArchive
and StreamSaveToDisk in clamav.conf; check to see that these are enabled.


--
Give a man a match, and he'll be warm for a minute, but set him on
fire, and he'll be warm for the rest of his life.

Advanced SPAM filtering software: http://spamassassin.org
Re: [spa] Re: OT: Using ClamAV anti-virus with procmail
On Mon, 8 Mar 2004, Bob George wrote:
> We went through a LONG process of optimizing the calls, both on this
> list, and on procmail list. Wound up sticking with a shell wrapper
> script to extract and scan.

Please forgive my flaky memory: Was that a shell wrapper that could be
called from within procmail? If so, URL pls?

- CG
Re: OT: Using ClamAV anti-virus with procmail
Charles Gregory wrote:
> [...]
> Please forgive my flaky memory: Was that a shell wrapper that could be
> called from within procmail? If so, URL pls?

I wrote up my own, but there are at least two alternatives I found
elsewhere: clamstream.sh (origin unknown, and no google joy) and
clamfilter.pl (http://www.everysoft.com/clamfilter.html). I did my own
because I wanted ONE WAY to call various anti-virus programs (similar to
MailScanner) directly from procmail, and get ONE SET of return values.
My scripts aren't quite ready for public consumption yet.

Depending on your needs, other alternatives for clam are at
http://www.clamav.net/contrib.html#pagestart

I just found clamassassin at http://drivel.com/clamassassin/ but haven't
tried it yet. It may be better than my solution.

There's a thread on this topic on the procmail list, so it may be more
appropriate to continue this discussion there.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
On Sun, 7 Mar 2004, Matthew Cline wrote:

> On Monday 08 March 2004 04:14 am, Ed Kasky wrote:
> > :0w
> >
> > VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -
>
> I found that I had to remove the "w" from ":0w" to get this to work. Don't
> know why.

Are you sure that's working? I couldn't use clamdscan with the --mbox
option, and had to change it to clamscan, among other problems. I need
to document all that.

Actually I took a perl script called ClamFilter by Matt Hahnfeld and
modified it a bit (did I fix a bug? I can't remember ...) for scanning
within procmail. It was the only way I could get clamav filtering to
work within procmail.

Mojo
--
Morris Jones <*>
Monrovia, CA
mojo@whiteoaks.com
http://www.whiteoaks.com
Re: OT: Using ClamAV anti-virus with procmail
On Mon, Mar 08, 2004 at 11:19:13AM -0500, Bob George wrote:
> Charles Gregory wrote:
> >[...]
> >Please forgive my flaky memory: Was that a shell wrapper that could be
> >called from within procmail? If so, URL pls?
>
> I wrote up my own, but there are at least two alternatives I found
> elsewhere: clamstream.sh (origin unknown, and no google joy) and
> clamfilter.pl (http://www.everysoft.com/clamfilter.html). I did my own
> because I wanted ONE WAY to call various anti-virus programs (similar to
> MailScanner) directly from procmail, and get ONE SET of return values.
> My scripts aren't quite ready for public consumption yet.

There is also trashscan in the clamav source tarball. It at least
doesn't seem to require perl.

But I'm doing ok with just the --mbox option. It's not perfect, but we
have never guaranteed our customers "no viruses". It gets a very large
percentage of the current crop and keeps our support questions down.

If I had more CPU on the mail server, I would try harder to do it right.

--
Scott Lambert KC5MLE Unix SysAdmin
lambert@lambertfam.org
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 08:19 am, Bob George wrote:
> Charles Gregory wrote:
> > [...]
> > Please forgive my flaky memory: Was that a shell wrapper that could be
> > called from within procmail? If so, URL pls?
>
> I wrote up my own, but there are at least two alternatives I found
> elsewhere: clamstream.sh (origin unknown, and no google joy) and
> clamfilter.pl (http://www.everysoft.com/clamfilter.html). I did my own
> because I wanted ONE WAY to call various anti-virus programs (similar to
> MailScanner) directly from procmail, and get ONE SET of return values.
> My scripts aren't quite ready for public consumption yet.
>
> Depending on your needs, other alternatives for clam are at
> http://www.clamav.net/contrib.html#pagestart
>
> I just found clamassassin at http://drivel.com/clamassassin/ but haven't
> tried it yet. It may be better than my solution.
>
> There's a thread on this topic on the procmail list, so it may be more
> appropriate to continue this discussion there.
>
> - Bob


Attached is what I use. I put it together from many different ideas and
borrowed code from a few places. It works well.

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Re: OT: Using ClamAV anti-virus with procmail
Scott Lambert wrote:
> [...]
> There is also trashscan in the clamav source tarball. It at least
> doesn't seem to require perl.

Yes, that's on the contrib page.

> But I'm doing ok with just the --mbox option. It's not perfect, but we
> have never guaranteed our customers "no viruses". It gets a very large
> percentage of the current crop and keeps our support questions down.
>
> If I had more CPU on the mail server, I would try harder to do it right.

THIS IS ALL PROBABLY HIGHLY VERSION DEPENDENT! I think clam is great, so
don't want anybody to think this is any more than my prolonged
experience in discovering the joys of reading (and heeding) the fine
manpage.

Just to fast-motion what was a few days' frustration for me:

--- begin fast-motion replay ---

I'm using the precompiled binaries for Debian testing (sarge):

# clamscan -V
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030916

OK, try this:

1. Find a copy of a message in mbox format infected with Bagle, and test
it with something you know WILL find it:

# f-prot msg.8AIB
Virus scanning report - 8 March 2004 @ 12:43

[...]
/home/spamd/VirusArchive/msg.8AIB->cda.zip->wleqncmf.exe Infection:
W32/Bagle.C@mm
[...]

2. Try calling it via stdin with --mbox:

# cat msg.8AIB| clamscan --stdout --disable-summary --mbox -
/tmp/4754c17f704e4cf3/Jennyqa4dsY: OK
/tmp/4754c17f704e4cf3/daadb.zipQPhDd4.zip: Worm.Bagle.A3 FOUND

(at this point, I thought I was done. I merrily posted to this list
crying Eureka!)

3. Read the caveat on the manpage about --mbox. Heed several posters
calling attention to it. Try calling it via stdin without --mbox (i.e.
:0 b procmail recipes):

# cat msg.8AIB| clamscan --stdout --disable-summary -
stdin: OK

(at this point, I realized avoiding --mbox would be a problem.)

4. Try scanning that same file with clamav with the --mbox option:

# clamscan --stdout --disable-summary --mbox msg.8AIB
msg.8AIB: OK

(at this point, we'd meandered down a procmail exercise in futility.)

5. Un-encode the message attachments and scan:
# cat ../msg.8AIB | munpack
munpack: reading from standard input
tempdesc.txt: File exists
cda.zip (application/octet-stream)

# clamdscan --stdout --disable-summary
/home/spamd/VirusArchive/bageltest/cda.zip: Worm.Bagle.A3 FOUND

(at this point, I'd read enough to have the impression that scanning
files (not stdin) *WITHOUT* --mbox is probably a safe bet.)

--- end fast-motion replay ---

In short: Calling clamscan/clamdscan from procmail (or rather, scanning
stdin and/or the --mbox option) may yield unexpected results which can
be a problem with anti-virus.

I decided to start cross-checking results to play it safe, so installed
f-prot and bitdefender (both for my debian 386 install). (I realize this
isn't a scalable ISP solution.) They each are called in very different
ways, and yield very different results. I also realized that though very
powerful, procmail was not necessarily the best tool for this job (not
to say it can't be done), so I started on those shell scripts I
mentioned previously.

I since discovered James Lick's clamassassin script
(http://drivel.com/clamassassin/) which uses a similar approach (save
and scan message as file), and I prefer his embedded header (à la
spamassassin) approach. I still plan to incorporate decoding of
mime-encoded messages just to play safe. I've created a version for
f-prot and am working on one for bitdefender. It's worth mentioning that
bitdefender is happiest when scanning unencoded files as well, so all
this extra effort is worth it for me.

At this point, both clamav and f-prot are working (bitdefender to
follow), inserting X-Virus-Status-<name>: and X-Virus-Report-<name>:
headers. Initial tests with a handful of viruses indicate that both
work, but each misses some the other doesn't.

I'm still testing with testvirus.org.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
Brook Humphrey wrote:
> [...]
> Attached is what I use. I put it together from many different ideas and
> borrowed code from a few places. It works well.

That's the approach I've gone with: un-encode and scan files. (I'm using
munpack, but same idea.) It seems to be the one approach that works with
the virus scanners I've encountered so far.

It may break down when/if new worm/virus patterns emerge that are highly
dependent on the message itself for detection... but then so will the
scanners.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
On Mon, 8 Mar 2004, Morris Jones wrote:

> On Sun, 7 Mar 2004, Matthew Cline wrote:
>
> > On Monday 08 March 2004 04:14 am, Ed Kasky wrote:
> > > :0w
> > >
> > > VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -
> >
> > I found that I had to remove the "w" from ":0w" to get this to work. Don't
> > know why.
>
> Are you sure that's working? I couldn't use clamdscan with the --mbox
> option, and had to change it to clamscan, among other problems. I need
> to document all that.

--mbox works fine here. This is the variation I'm using, and I believe I'm
the original person who posted the method of using backticks:

VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`

:0 Di
* VIRUS ?? FOUND
| /etc/mail/lognul -t Virus


(Where lognul is a program I wrote to log nuked spam from/Subject to an SQL
database).

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 10:43 am, Bob George wrote:
> Scott Lambert wrote:
> > [...]
> > There is also trashscan in the clamav source tarball. It at least
> > doesn't seem to require perl.
>
> Yes, that's on the contrib page.
>
> > But I'm doing ok with just the --mbox option. It's not perfect, but we
> > have never guaranteed our customers "no viruses". It gets a very large
> > percentage of the current crop and keeps our support questions down.
> >
> > If I had more CPU on the mail server, I would try harder to do it right.
>
> THIS IS ALL PROBABLY HIGHLY VERSION DEPENDENT! I think clam is great, so
> don't want anybody to think this is any more than my prolonged
> experience in discovering the joys of reading (and heeding) the fine
> manpage.
>
> Just to fast-motion what was a few days' frustration for me:
>
> --- begin fast-motion replay ---
>
> I'm using the precompiled binaries for Debian testing (sarge):
>
> # clamscan -V
> clamscan / ClamAV version 0.60+BugFixesFromCVS-20030916
>
> OK, try this:
>
> 1. Find a copy of a message in mbox format infected with Bagle, and test
> it with something you know WILL find it:
>
> # f-prot msg.8AIB
> Virus scanning report - 8 March 2004 @ 12:43
>
> [...]
> /home/spamd/VirusArchive/msg.8AIB->cda.zip->wleqncmf.exe Infection:
> W32/Bagle.C@mm
> [...]
>
> 2. Try calling it via stdin with --mbox:
>
> # cat msg.8AIB| clamscan --stdout --disable-summary --mbox -
> /tmp/4754c17f704e4cf3/Jennyqa4dsY: OK
> /tmp/4754c17f704e4cf3/daadb.zipQPhDd4.zip: Worm.Bagle.A3 FOUND
>
> (at this point, I thought I was done. I merrily posted to this list
> crying Eureka!)
>
> 3. Read the caveat on the manpage about --mbox. Heed several posters
> calling attention to it. Try calling it via stdin without --mbox (i.e.
>
> :0 b procmail recipes):
>
> # cat msg.8AIB| clamscan --stdout --disable-summary -
> stdin: OK
>
> (at this point, I realized avoiding --mbox would be a problem.)
>
> 4. Try scanning that same file with clamav with the --mbox option:
>
> # clamscan --stdout --disable-summary --mbox msg.8AIB
> msg.8AIB: OK
>
> (at this point, we'd meandered down a procmail exercise in futility.)
>
> 5. Un-encode the message attachments and scan:
> # cat ../msg.8AIB | munpack
> munpack: reading from standard input
> tempdesc.txt: File exists
> cda.zip (application/octet-stream)
>
> # clamdscan --stdout --disable-summary
> /home/spamd/VirusArchive/bageltest/cda.zip: Worm.Bagle.A3 FOUND
>
> (at this point, I'd read enough to have the impression that scanning
> files (not stdin) *WITHOUT* --mbox is probably a safe bet.)
>
> --- end fast-motion replay ---
>
> In short: Calling clamscan/clamdscan from procmail (or rather, scanning
> stdin and/or the --mbox option) may yield unexpected results which can
> be a problem with anti-virus.
>
> I decided to start cross-checking results to play it safe, so installed
> f-prot and bitdefender (both for my debian 386 install). (I realize this
> isn't a scalable ISP solution.) They each are called in very different
> ways, and yield very different results. I also realized that though very
> powerful, procmail was not necessarily the best tool for this job (not
> to say it can't be done), so I started on those shell scripts I
> mentioned previously.
>
> I since discovered James Lick's clamassassin script
> (http://drivel.com/clamassassin/) which uses a similar approach (save
> and scan message as file), and I prefer his embedded header (à la
> spamassassin) approach. I still plan to incorporate decoding of
> mime-encoded messages just to play safe. I've created a version for
> f-prot and am working on one for bitdefender. It's worth mentioning that
> bitdefender is happiest when scanning unencoded files as well, so all
> this extra effort is worth it for me.
>
> At this point, both clamav and f-prot are working (bitdefender to
> follow), inserting X-Virus-Status-<name>: and X-Virus-Report-<name>:
> headers. Initial tests with a handful of viruses indicate that both
> work, but each misses some the other doesn't.
>
> I'm still testing with testvirus.org.
>
> - Bob

I haven't looked at this, but I just spent the last few months tracking this
down myself with maildrop. I finally got this working. It works very well now.

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 10:43 am, Bob George wrote:
> At this point, both clamav and f-prot are working (bitdefender to
> follow), inserting X-Virus-Status-<name>: and X-Virus-Report-<name>:
> headers. Initial tests with a handful of viruses indicate that both
> work, but each misses some the other doesn't.
>
> I'm still testing with testvirus.org.

Whoops, sorry, I forgot: mine also does the headers and decodes the spam first.

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Re: OT: Using ClamAV anti-virus with procmail
Christopher X. Candreva wrote:
> [...]
> --mbox works fine here. This is the variation I'm using, and I believe I'm
> the original person who posted the method of using backticks:
>
> VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`

Interesting. My manpage for clamdscan doesn't show an --mbox option.
What version are you using?

Here's what I'd appreciate anybody calling clamav directly from procmail
testing:

1. Go to testvirus.org and send "Test #11: Eicar virus within a ZIP
file" to an account that is scanned.

2. Check out the message headers. Here's what I got:

X-Virus-Text: No virus seen. << Using your inline procmail test
X-Virus-Status-fprot: Yes << Called via the wrapper script for f-prot
X-Virus-Report-fprot: EICAR_Test_File

with this in /etc/procmailrc:

VIRUS=`/usr/bin/clamdscan --mbox --disable-summary --stdout -`

:0 Difw << Note: Made it a filter
* VIRUS ?? FOUND
| formail -A "X-Virus-Test: Virus seen."

:0 Efw
| formail -A "X-Virus-Text: No virus seen."

3. Extract that message to a file (mbox format) and scan it as-is:

$ clamscan -V
clamscan / ClamAV version 0.60+BugFixesFromCVS-20030916

$ clamdscan -V
clamdscan / ClamAV version 0.60+BugFixesFromCVS-20030916

CLAMDSCAN
$ clamdscan --mbox --disable-summary msg.w9GD
/home/spamd/VirusArchive1/msg.w9GD: OK

$ clamdscan --disable-summary msg.w9GD
/home/spamd/VirusArchive1/msg.w9GD: OK

$ cat msg.w9GD | clamdscan --disable-summary -
stream: OK

$ cat msg.w9GD | clamdscan --mbox --disable-summary -

stream: OK

(this is how you called it, right?)

CLAMSCAN
$ clamscan --mbox --disable-summary msg.w9GD
msg.w9GD: OK

$ clamscan --disable-summary msg.w9GD
msg.w9GD: OK

$ cat msg.w9GD | clamscan --disable-summary -
stdin: OK

$ cat msg.w9GD | clamscan --mbox --disable-summary -

/tmp/12d3919594661c61/eicar.zipeNrxos.zip: Eicar-Test-Signature FOUND

Notice that only that last one! clamscan (not clamdscan) with mbox
appears to work. From the manpage, I'm not sure how stable --mbox is though.

$ cd unpacked
$ munpack ../msg.w9GD
$ clamscan --disable-summary
/home/spamd/VirusArchive1/unpacked/eicar.zip: Eicar-Test-Signature FOUND
/home/spamd/VirusArchive1/unpacked/eicar.desc: OK

$ clamdscan --disable-summary
/home/spamd/VirusArchive1/unpacked/eicar.zip: Eicar-Test-Signature FOUND

So, from here, it seems:

1. clamdscan is faster, but doesn't do --mbox at all (no surprise, not
on manpage).

2. clamscan does --mbox, though the manpage warns against it.

3. Other variations reading stdin without --mbox don't seem to work. On
the procmail list, we went through several variations on procmail with
:0 wWhb etc. in varying combinations.

4. Scanning un-encoded files seems to work reliably (or at least
consistently).

To make this somewhat relevant to SA, using the wrapper script (or
whatever means), headers can be inserted for scoring and use in metas.

- Bob
Re: OT: Using ClamAV anti-virus with procmail
On Monday 08 March 2004 12:51 pm, Bob George wrote:
> So, from here, it seems:
>
> 1. clamdscan is faster, but doesn't do --mbox at all (no surprise, not
> on manpage).

Well, that is not the issue for me. I get denied-access errors, so I quit
trying to use it from the shell script. Clamscan is the only option that even
runs for me.


>
> 2. clamscan does --mbox, though the manpage warns against it.
>
> 3. Other variations reading stdin without --mbox don't seem to work. On
> the procmail list, we went through several variations on procmail with
>
> :0 wWhb etc. in varying combinations.

I use maildrop and a shell script, and without unencoding it first I would
simply miss some viruses. It had nothing to do with maildrop but rather the way
clamscan handles --stdin.

>
> 4. Scanning un-encoded files seems to work reliably (or at least
> consistently).

EXTRACT=$(echo "$MSG" | $RIPMIME -i - -d $SCANDIR)

# Scan the tmp dir

SCAN=$($CLAM --stdout --disable-summary $SCANDIR)

That is why, after two months of research on this, I have started using this.
Anything else misses some viruses that get through. And honestly, you don't need
all those extra command-line options.

>
> To make this somewhat relevant to SA, using the wrapper script (or
> whatever means), headers can be inserted for scoring and use in metas.
>
> - Bob

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
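The "unpack the MIME parts, then scan the files" wrapper that Bob's test matrix and Brook's ripmime fragment converge on, written out as an added example. This is not code from any post in this thread or from the ClamAV project. It saves the message, decodes its attachments with munpack into a private temporary directory, scans that directory, and tags the message from the scanner's exit code (0 clean, 1 infected, anything else an error) rather than by grepping for FOUND alone, so a scanner that fails to run is reported as an error and never as "No". Assumed: munpack, formail and a clamscan or clamdscan binary on the PATH; the flag spelling --disable-summary is the 0.6x-era one used in the thread (current releases call it --no-summary); the script name clamwrap.sh and the X-Virus-Status header name are choices made for this example.

```shell
#!/bin/sh
# clamwrap.sh: added example of the "extract, then scan files" approach.
# Not code from any post in this thread or from the ClamAV project.
# Assumed tools on PATH: munpack (mpack), formail (procmail) and clamscan or
# clamdscan. Flag spelling follows the 0.6x-era ClamAV used in the thread;
# current releases spell --disable-summary as --no-summary.
#
# procmail recipe (filter the whole message, wait for the exit code):
#   :0fw
#   | /usr/local/bin/clamwrap.sh scan

SCANNER="${SCANNER:-clamscan}"   # clamdscan also takes a directory argument

# Print the signature name from the first "<path>: <signature> FOUND" line of
# scanner output (the same match as the procmail "^.*: \/.* FOUND" condition).
found_signature() {
    printf '%s\n' "$1" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1
}

# Map the scanner's exit code (0 = clean, 1 = infected, anything else = error)
# and its output to one header line. An error is reported as an error, never
# as "No": a scanner that could not run must not make a message look clean.
virus_header() {
    code="$1"; text="$2"
    case "$code" in
        0) printf 'X-Virus-Status: No\n' ;;
        1) sig=$(found_signature "$text")
           printf 'X-Virus-Status: Yes, %s\n' "${sig:-unknown}" ;;
        *) printf 'X-Virus-Status: Error, scanner exit code %s\n' "$code" ;;
    esac
}

# Scan the files in one directory; prints the scanner output and returns the
# scanner's exit code unchanged.
scan_dir() {
    "$SCANNER" --stdout --disable-summary "$1"
}

# Read one message on stdin, unpack its MIME attachments into a private
# temporary directory, scan those files and write the message back to stdout
# with the verdict header added. Always exits 0 so that procmail's "w" flag
# keeps the tagged copy instead of silently falling back to the untagged one.
scan_message() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/clamwrap.XXXXXX") || {
        formail -A 'X-Virus-Status: Error, no temporary directory'
        return 0
    }
    trap 'rm -rf "$tmp"' EXIT
    mkdir "$tmp/parts"
    cat > "$tmp/msg"
    # munpack decodes attachments into the -C directory; -q silences its
    # progress lines, -f overwrites name collisions instead of refusing.
    munpack -q -f -C "$tmp/parts" < "$tmp/msg" > /dev/null 2>&1
    rc=0
    out=$(scan_dir "$tmp/parts") || rc=$?
    formail -A "$(virus_header "$rc" "$out")" < "$tmp/msg"
}

case "${1:-}" in
    scan) scan_message ;;
esac
```

A later recipe can then act on the header the way Ed's quarantine rule does, matching both the "Yes" and the "Error" values so that messages the scanner could not examine are held rather than delivered as clean. The decoded files are scanned without --mbox and without reading from stdin, which is the combination the tests in this thread found to behave consistently across clamscan and clamdscan.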
Re: [spa] Re: OT: Using ClamAV anti-virus with procmail
Maybe I should go back and ask a 'newbie' question. On a properly running
Linux box, there is a certain amount of 'swapping' of memory to the swap
disk space. So would I really be *saving* time/speed to avoid having
procmail write the mail to files and then run clamscan against them?
Or would I find that trying to run it 'in memory' from stdin would just
result in more swapping?

Otherwise, I have to wonder why clamav developers are having such a
problem with putting a 'demime' kind of front end on their --mbox
handling.....

- Charles
Re: OT: Using ClamAV anti-virus with procmail
Charles Gregory wrote:
> Maybe I should go back and ask a 'newbie' question. On a properly running
> Linux box, there is a certain amount of 'swapping' of memory to the swap
> disk space. So would I really be *saving* time/speed to avoid having
> procmail write the mail to files and then run clamscan against them?
> Or would I find that trying to run it 'in memory' from stdin would just
> result in more swapping?

The answer depends on how much memory you have, and how heavily it's
being used. That would take some monitoring on an ongoing basis. But
generally speaking, writes to disk are slower. Then, as you note, if
attempts are made to scan BIG files, even a lot of memory can go fast on
a loaded system.

So it may well be a wash. Again, I'm going with "extract and scan" more
as a precautionary measure, and because it is the one way that all
scanners I've tried so far (bitdefender, clamav and f-prot under debian
linux) have supported. That said, performance is NOT my biggest concern
(at the moment).

> Otherwise, I have to wonder why clamav developers are having such a
> problem with putting a 'demime' kind of front end on their --mbox
> handling.....

They may well NOT be as of late. I emphasised STRONGLY that it may just
be a version issue. I'm using a version that's NOT the latest, and we
noted some other "interesting" issues with BSD etc. on the procmail list
with varying versions. I'm sure it's being fixed, and some folks seem to
have it all working just fine. Suffice to say, TESTING is in order
before putting direct calls from procmail in. If it tests OK (i.e. those
testvirus.org checks) then it may be just fine!

I just wanted to point out that what SEEMS to work might not be when
tested thoroughly. And there are differences between clamscan and
clamdscan that can jump out and scare ya. TEST TEST TEST!

- Bob
Re: OT: Using ClamAV anti-virus with procmail
At 12:51 PM Monday, 3/8/2004, you wrote -=>
>Christopher X. Candreva wrote:
>>[...]
>>--mbox works fine here. This is the variation I'm using, and I believe I'm
>>the original person who posted the method of using backticks:
>>VIRUS=`/usr/local/bin/clamdscan --mbox --disable-summary --stdout -`
>
>Interesting. My manpage for clamdscan doesn't show an --mbox option. What
>version are you using?
>
>Here's what I'd appreciate anybody calling clamav directly from procmail
>testing:
>
>1. Go to testvirus.org and send "Test #11: Eicar virus within a ZIP file"
>to an account that is scanned.
>
>2. Check out the message headers. Here's what I got:

--snip--

>So, from here, it seems:
>
>1. clamdscan is faster, but doesn't do --mbox at all (no surprise, not on
>manpage).
>
>2. clamscan does --mbox, though the manpage warns against it.
>
>3. Other variations reading stdin without --mbox don't seem to work. On
>the procmail list, we went through several variations on procmail with :0
>wWhb etc. in varying combinations.
>
>4. Scanning un-encoded files seems to work reliably (or at least
>consistently).
>
>To make this somewhat relevant to SA, using the wrapper script (or
>whatever means), headers can be inserted for scoring and use in metas.

With the following in procmailrc:
:0
VIRUS=|/usr/local/bin/clamdscan --mbox --disable-summary --stdout -

:0hfw
* VIRUS ?? ^.*: \/.* FOUND
| formail -A "X-Virus-Status: Yes, $MATCH"

:0Ehfw
| formail -A "X-Virus-Status: No"

I got:
X-Virus-Status: Yes, Eicar-Test-Signature FOUND

and...
$ cat mail/quarantine | clamscan --mbox --disable-summary -
/tmp/f4f93e3657c67e1a/eicar.zipzRBYYP: Eicar-Test-Signature FOUND

$ cat mail/quarantine | clamdscan --mbox --disable-summary -
stream: Eicar-Test-Signature FOUND

I think it's obvious that calling either from procmail is not reliable. I,
for one, am going to start testing clamav-milter through sendmail tomorrow.


Ed
. . . . . . . .
"Dear Auntie Em, hate you, hate Kansas, took the dog."
--Dorothy
