[Exim] Exiscan-ACL + clamav: At my wits end

Página Inicial
Delete this message
Reply to this message
Autor: Adam Moffett
Data:  
Para: exim-users
Assunto: [Exim] Exiscan-ACL + clamav: At my wits end
I can't seem to get virus scanning functional.

I can telnet to clamd and tell it to scan a file that I placed in
/var/spool/exim/scan, and it correctly identifies it as having the
sobig worm. And if I don't have clamd running, Exim panics about it
and gives a temporary rejection to every message....so it seems to be
connecting to clamd and trying to use it.

But if I send a message with a worm attached (the same copy of Sobig
I manually placed in the scan directory as a matter of fact), it gets
accepted every time.

I fiddled with clamav's config file a bit, tried it with and without
the "ScanMail" option, also tried using and not using the demime = *
option in my data ACL, I tried running clamav with both a TCP socket
and a local socket, plus everything else I could think of.

So I have a couple questions at this point:

1) Does anyone know what the "ScanMail" option in clamav really does?
Does that make it so I don't need to demime the messages before
they're scanned (seems I might gain some efficiency if that's the
case).

2) All the examples I found on the web use a TCP socket for ClamAV.
But it seems safer to me to use a local socket...is there any reason
I shouldn't use a local socket?

3) Given the info below, can anybody tell me what I might have wrong?
The "deny: condition test failed" from exim -d concerns me slightly.

**In exim main config:
av_scanner = clamd:/tmp/clamd

**My data ACL, minus comments:

acl_check_data:
   deny    message       = This message contains malformed MIME ($demime_reason)
           demime        = *
           condition     = ${if >{$demime_errorlevel}{2}{1}{0}}


   deny    message       = Probable virus file extension (.$found_extension)
           demime        = ade:adp:bat:bas:chm:cmd:scr:lnk:com


   deny   message       = This message contains a virus
           demime       = *
          malware       = *
accept


**Excerpt from "exim -bd -d"..where it processes the data ACL:
14383 using ACL "acl_check_data"
14383 processing "deny"
14383 check demime = *
14383 check condition = ${if >{$demime_errorlevel}{2}{1}{0}}
14383                 = 0
14383 deny: condition test failed
14383 processing "deny"
14383 check demime =
ade:adp:bat:bas:chm:cmd:cpl:crt:eml:hlp:hta:inf:ins:isp:lnk:msc:msp:mst:pcd:scr:sct:shs:vbs:vbe:wsf:wsh:wsc:exe:com
14383 deny: condition test failed
14383 processing "deny"
14383 check demime = *
14383 check malware = *
14383 deny: condition test failed
14383 accept: condition test succeeded



**My clamav.conf (minus comments, archive, and clamuko sections)
#Example
LogFile /tmp/clamd.log
#LogFileUnlock
#LogFileMaxSize 2M
LogTime
#LogSyslog
LogVerbose
#PidFile /var/run/clamd.pid
DataDirectory /usr/share/clamav
LocalSocket /tmp/clamd
#TCPSocket 3310
MaxConnectionQueueLength 30
#StreamSaveToDisk
StreamMaxLength 10M
MaxThreads 100
ThreadTimeout 180
MaxDirectoryRecursion 15
#FollowDirectorySymlinks
#FollowFileSymlinks
#SelfCheck 600
User clamav
AllowSupplementaryGroups
#Foreground
ScanMail