Mailing List Archive

Re: OT: Using ClamAV anti-virus with procmail
> So, from here, it seems:
>
> 1. clamdscan is faster, but doesn't do --mbox at all (no surprise, not
> on manpage).

Use clamav.conf, and set the ScanMail directive. This does what --mbox
does for clamscan.

> 2. clamscan does --mbox, though the manpage warns against it.

Make sure you're running the latest 0.67, or try the latest devel version.

> 3. Other variations reading stdin without --mbox don't seem to work. On
> the procmail list, we went through several variations on procmail with
> :0 wWhb etc. in varying combinations.

clamdscan uses the "ScanMail" directive. You should also enable
"ScanArchive" and "StreamSaveToDisk". With these enabled, and calling
clamdscan from procmail, I seem to get very good results in catching
viruses, both encoded and un-encoded.

Here's what I use:

:0
* multipart
{
VIRUS=`/usr/local/bin/clamdscan --disable-summary --stdout -`

:0 Di
* VIRUS ?? FOUND
/dev/null
}

YMMV

Rob Mangiafico
Re: OT: Using ClamAV anti-virus with procmail
Rob Mangiafico wrote:
> [...]
> Make sure you're running the latest 0.67, or try the latest devel version.

Agree, and I'm testing 0.67 now. However, it's worth emphasizing that
RESULTS CAN VARY and TESTING IS IMPORTANT. A good procmail recipe alone
is (sadly) not a guarantee. The new versions do seem more stable, and I
would add "v0.67 REQUIRED" to any recipe descriptions. Otherwise, it can
seem to be working, and give a false sense of security.

Again, not faulting clamav here. Just highlighting a situation that's at
least present on my distribution of choice (debian testing/sarge). This
will change over time too of course.

> clamdscan uses the "ScanMail" directive. You should also enable
> "ScanArchive" and "StreamSaveToDisk". With these enabled, and calling
> clamdscan from procmail, I seem to get very good results in catching
> viruses, both encoded and un-encoded.

I noticed those, and it seems happy here too (now). I wonder if
"StreamSaveToDisk" is doing in effect the same thing as the wrapper
script? In any case, it is working (apparently) reliably.

> Here's what I use:
>
> :0
> * multipart
> {
> VIRUS=`/usr/local/bin/clamdscan --disable-summary --stdout -`
>
> :0 Di
> * VIRUS ?? FOUND
> /dev/null
> }

Just curious: Have you tried the tests? In my latest round, both clamav
and f-prot miss some the other hits.

> YMMV

By the hour. :)

- Bob
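
Added example, not part of either message above and not the posters' code: a small wrapper that decides on the scanner's exit status instead of only looking for the string FOUND, so that a scanner error is not mistaken for a clean message. It assumes clamdscan's documented exit codes (0 clean, 1 virus found, 2 error); the function names and the `stub_*` stand-ins are hypothetical and constructed so the block runs without a daemon.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed verdict for a stdin scanner.
# Assumption: the scanner uses clamdscan's documented exit codes
# (0 = clean, 1 = virus found, 2 = error).

# scan_verdict SCANNER [ARGS...]  -- message on stdin; prints one of:
#   CLEAN | INFECTED <signature> | ERROR rc=<n>
scan_verdict() {
    out=$("$@" 2>&1) && rc=0 || rc=$?
    case $rc in
        0) echo "CLEAN" ;;
        1) # report line has the form "<name>: <signature> FOUND"
           sig=$(printf '%s\n' "$out" | sed -n 's/^.*: \(.*\) FOUND$/\1/p' | head -n 1)
           echo "INFECTED ${sig:-unknown}" ;;
        *) # daemon down, bad config, timeout: the message was NOT scanned
           echo "ERROR rc=$rc" ;;
    esac
}

# What a bare string test sees: no "FOUND" in the output means "deliver".
string_test_delivers() {
    out=$("$@" 2>&1) || :
    case $out in *FOUND*) echo no ;; *) echo yes ;; esac
}

# Constructed stand-ins for the scanner so this runs without a daemon.
stub_clean()    { cat >/dev/null; echo "stream: OK"; }
stub_infected() { cat >/dev/null; echo "stream: Example.Test.Signature FOUND"; return 1; }
stub_down()     { cat >/dev/null; echo "ERROR: scanner daemon unreachable" >&2; return 2; }

for s in stub_clean stub_infected stub_down; do
    printf 'Subject: constructed test\n\nbody\n' | scan_verdict "$s"
done
```

In a procmail recipe the ERROR verdict can be mapped to `EXITCODE=75` (EX_TEMPFAIL) so the MTA requeues the message until the scanner is back.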
Re: OT: Using ClamAV anti-virus with procmail
On Sunday 07 March 2004 11:49 am, Matthew Cline wrote:
> For those of you who are using SA with procmail, and also want to do virus
> filtering, you can install/config ClamAV (http://www.clamav.net/), then add
> these lines to your procmailrc file:

Since we are on the subject: when getting the test emails from testvirus.org,
does anybody really get them all? I only get 13 out of the 24. The rest end
up someplace else besides my mailserver.

If anybody has a set of all 24, could you zip them up and email them to me?

--
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
Brook Humphrey
Mobile PC Medic, 420 1st, Cheney, WA 99004, 509-235-9107
http://www.webmedic.net, bah@webmedic.net, bah@linux-mandrake.com
Holiness unto the Lord
-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-~`'~-
