[Exim] Exiscan-ACL + clamav: At my wit's end

Author: Adam Moffett
Date:  
To: exim-users
Subject: [Exim] Exiscan-ACL + clamav: At my wit's end
I can't seem to get virus scanning functional.

I can telnet to clamd and tell it to scan a file that I placed in
/var/spool/exim/scan, and it correctly identifies it as having the
sobig worm. And if I don't have clamd running, Exim panics about it
and gives a temporary rejection to every message... so it seems to be
connecting to clamd and trying to use it.

But if I send a message with a worm attached (the same copy of Sobig
I manually placed in the scan directory as a matter of fact), it gets
accepted every time.

I fiddled with clamav's config file a bit, tried it with and without
the "ScanMail" option, also tried using and not using the demime = *
option in my data ACL, I tried running clamav with both a TCP socket
and a local socket, plus everything else I could think of.

So I have a couple questions at this point:

1) Does anyone know what the "ScanMail" option in clamav really does?
Does that make it so I don't need to demime the messages before
they're scanned? (It seems I might gain some efficiency if that's the
case.)

2) All the examples I found on the web use a TCP socket for ClamAV.
But it seems safer to me to use a local socket... is there any reason
I shouldn't use a local socket?

3) Given the info below, can anybody tell me what I might have wrong?
The "deny: condition test failed" from exim -d concerns me slightly.

**In exim main config:
av_scanner = clamd:/tmp/clamd

**My data ACL, minus comments:

acl_check_data:
   deny    message       = This message contains malformed MIME ($demime_reason)
           demime        = *
           condition     = ${if >{$demime_errorlevel}{2}{1}{0}}


   deny    message       = Probable virus file extension (.$found_extension)
           demime        = ade:adp:bat:bas:chm:cmd:scr:lnk:com


   deny    message       = This message contains a virus
           demime        = *
           malware       = *
accept


**Excerpt from "exim -bd -d", where it processes the data ACL:
14383 using ACL "acl_check_data"
14383 processing "deny"
14383 check demime = *
14383 check condition = ${if >{$demime_errorlevel}{2}{1}{0}}
14383                 = 0
14383 deny: condition test failed
14383 processing "deny"
14383 check demime =
ade:adp:bat:bas:chm:cmd:cpl:crt:eml:hlp:hta:inf:ins:isp:lnk:msc:msp:mst:pcd:scr:sct:shs:vbs:vbe:wsf:wsh:wsc:exe:com
14383 deny: condition test failed
14383 processing "deny"
14383 check demime = *
14383 check malware = *
14383 deny: condition test failed
14383 accept: condition test succeeded



**My clamav.conf (minus comments, archive, and clamuko sections)
#Example
LogFile /tmp/clamd.log
#LogFileUnlock
#LogFileMaxSize 2M
LogTime
#LogSyslog
LogVerbose
#PidFile /var/run/clamd.pid
DataDirectory /usr/share/clamav
LocalSocket /tmp/clamd
#TCPSocket 3310
MaxConnectionQueueLength 30
#StreamSaveToDisk
StreamMaxLength 10M
MaxThreads 100
ThreadTimeout 180
MaxDirectoryRecursion 15
#FollowDirectorySymlinks
#FollowFileSymlinks
#SelfCheck 600
User clamav
AllowSupplementaryGroups
#Foreground
ScanMail
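Editor's note: the post shows clamd answering a hand-typed SCAN over telnet but the `malware = *` condition never firing, with clamd configured to run as `User clamav` and Exim unpacking into /var/spool/exim/scan. The script below is an added example (not code from the original post, nor from Exim or ClamAV) for taking Exim out of the loop: it speaks the plain-text clamd protocol over the local socket exactly as `av_scanner = clamd:/tmp/clamd` would (send `SCAN <path>`, read a `FOUND` / `OK` / `ERROR` reply), and it adds the check a practitioner wants next to it, namely whether the file is readable by the daemon's user at all, since clamd opens the path itself rather than receiving the bytes from Exim. The socket path, the `clamav` user name and the sample reply strings are assumptions taken from the posted config or constructed for the self-test; the signature name in the samples is made up.

```python
"""Exercise clamd over its local socket the way Exim's av_scanner = clamd:<socket> does.

Added example, not code from the original post or from Exim/ClamAV. It speaks
the plain-text clamd protocol: send "SCAN <path>\n", read one reply line of the
form "<path>: <signature> FOUND", "<path>: OK" or "<path>: <reason> ERROR".
The socket path defaults to the post's LocalSocket /tmp/clamd (an assumption);
the reply strings used in the self-test are constructed samples.
"""
import grp
import os
import pwd
import socket
import stat
import tempfile
from typing import NamedTuple, Optional, Set

CLAMD_SOCKET = "/tmp/clamd"  # LocalSocket from the posted clamav.conf (assumption)

# The standard EICAR test string, assembled from two halves so that this
# source file is not itself flagged by a scanner.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


class ScanResult(NamedTuple):
    status: str            # "FOUND", "OK" or "ERROR"
    detail: Optional[str]  # signature name for FOUND, reason text for ERROR


def parse_clamd_reply(reply: str) -> ScanResult:
    """Parse one clamd reply line: clamd echoes the scanned path, ': ', then the verdict."""
    line = reply.strip().rstrip("\x00")
    _path, sep, verdict = line.partition(": ")
    if not sep:  # no path echoed; be lenient and treat the whole line as the verdict
        verdict = line
    if verdict.endswith(" FOUND"):
        return ScanResult("FOUND", verdict[: -len(" FOUND")])
    if verdict == "OK":
        return ScanResult("OK", None)
    if verdict.endswith("ERROR"):
        return ScanResult("ERROR", verdict[: -len("ERROR")].strip() or None)
    raise ValueError("unexpected clamd reply: %r" % reply)


def scan_path(path: str, sock_path: str = CLAMD_SOCKET, timeout: float = 60.0) -> ScanResult:
    """Ask a running clamd to scan `path`.

    clamd opens the file itself, so it must be readable by the daemon's User
    (clamav in the post), not merely by whoever runs this script.
    """
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(("SCAN %s\n" % path).encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:  # clamd closes the connection after one SCAN reply
                break
            chunks.append(data)
    return parse_clamd_reply(b"".join(chunks).decode("utf-8", "replace"))


def mode_allows_read(st_mode: int, st_uid: int, st_gid: int, uid: int, gids: Set[int]) -> bool:
    """Classic Unix permission-bit check for a read by (uid, gids).

    Root reads anything. POSIX ACLs and search permission on the parent
    directories are deliberately not considered; this is a first-pass check.
    """
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)


def readable_by_user(path: str, username: str) -> bool:
    """Would `username` (e.g. clamd's User) pass the mode-bit check on `path`?"""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return mode_allows_read(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    # Write the EICAR test file somewhere world-readable, then ask clamd about it.
    with tempfile.NamedTemporaryFile("w", suffix=".com", delete=False) as f:
        f.write(EICAR)
        path = f.name
    os.chmod(path, 0o644)
    try:
        print("readable by clamav:", readable_by_user(path, "clamav"))
    except KeyError:
        print("no 'clamav' user on this host; skipping the permission check")
    print(scan_path(path))
    os.unlink(path)
```

Run the script as the same user Exim runs as, once against the temp file and once against a file sitting in /var/spool/exim/scan: if the temp file comes back FOUND but the spool copy does not, the difference is in what the clamd process can open, not in the Exim ACL.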