Re: [Exim] ClamAV + exiscan missing virus

Author: Kevin Reed
Date:  
To: exim-users
Subject: Re: [Exim] ClamAV + exiscan missing virus
Sheldon Hearn said:
> Hi folks,
>
> My exim-4.24 w/ exiscan-acl patch 13 and clamav-0.60 installation is
> letting
> the Worm.Mimail.C virus through.
>
> The virus is inside a zipfile, MIME-attached to messages. The zipfile
> is available for testing:
>
>     http://mail.gambling.com/photos.zip
>
> When I scan the file manually, I get:
>
>     # clamscan /tmp/photos.zip
>     /tmp/photos.zip: File size limit exceeded.
>     /tmp/photos.zip: Worm.Mimail.C FOUND
>     ...
>
> However, the following ACL just isn't catching it:
>
>   # Reject virus infested messages.
>   deny  message = This message contains malware ($malware_name)
>         demime = *
>         malware = *


I just grabbed the copy of the zip file you had (first I've had a chance to
actually touch it)... Sent it in a message from my home account and fired
it off to my Exim server...

Using Exim 4.24 + Exiscan 4.24-13 with ClamAV 0.60 and SpamAssassin 2.60...

2003-11-03 03:57:51 1AGcP5-0000X1-GO H=fed1mtao07.cox.net [68.6.19.124]
Warning: DISCARD VIRUS: This message was found to contain malware
(Worm.Mimail.C)

2003-11-03 03:57:51 1AGcP5-0000X1-GO
<= myaccount@??? H=fed1mtao07.cox.net [68.6.19.124]
P=esmtp S=19504 id=000001c3a1f9$3a275250$1401a8c0@spider
T="Virus Test" from <myaccount@???> for myaccount@???

2003-11-03 03:57:51 1AGcP5-0000X1-GO
=> blackhole (DATA ACL discarded recipients)

However... Checking logs on all the Exim systems I can touch, I don't see
any evidence of this either being caught or being accepted... This is
weird and is why I asked the list yesterday if anyone was seeing this.

My one guess is that something else in the messages is being caught by the
system first and is being denied because of that error instead.

Note that my ClamAV rarely catches much since we deny most of the common
attachments that carry viruses in the first place.

I do get updated dat files twice a day and have ScanArchive on in my
clamav.conf file.

--
Kevin W. Reed - TNET Services, Inc.
Unofficial Exim MTA Info Forums - http://exim.got-there.com/forums
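The log lines quoted in Kevin's reply follow Exim's main-log format (timestamp, message id, then the event). As an added example that is not from the thread, from Exim or from exiscan, here is a small Python parser that groups such lines by message id and reports which messages the DATA ACL flagged as malware and whether they really went to the blackhole router rather than being delivered; the sample log, host names, addresses and ids are constructed.

```python
import re
from collections import defaultdict

# Constructed sample Exim main-log lines, shaped like those quoted in the
# thread: a malware warning from the DATA ACL, the arrival line, and the
# blackhole delivery; plus one clean message. Hosts and ids are made up.
SAMPLE_LOG = """\
2003-11-03 03:57:51 1AGcP5-0000X1-GO H=mail.example.net [192.0.2.10] Warning: DISCARD VIRUS: This message was found to contain malware (Worm.Mimail.C)
2003-11-03 03:57:51 1AGcP5-0000X1-GO <= sender@example.org H=mail.example.net [192.0.2.10] P=esmtp S=19504 T="Virus Test" from <sender@example.org> for user@example.com
2003-11-03 03:57:51 1AGcP5-0000X1-GO => blackhole (DATA ACL discarded recipients)
2003-11-03 04:10:02 1AGcbJ-0000Xq-2R <= other@example.org H=relay.example.net [198.51.100.7] P=esmtp S=2201 T="hello" from <other@example.org> for user@example.com
2003-11-03 04:10:02 1AGcbJ-0000Xq-2R => user <user@example.com> R=localuser T=local_delivery
"""

LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (?P<id>\S+) (?P<rest>.*)$")
VIRUS_RE = re.compile(r"Warning: DISCARD VIRUS: .*\((?P<name>[^)]+)\)")
HOST_RE = re.compile(r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
SIZE_RE = re.compile(r" S=(\d+)")


def parse_log(text):
    """Group the events of each Exim message id into one record."""
    msgs = defaultdict(lambda: {"malware": None, "host": None, "ip": None,
                                "size": None, "blackholed": False, "delivered": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # not a main-log line we understand
        rec, rest = msgs[m.group("id")], m.group("rest")
        if v := VIRUS_RE.search(rest):
            rec["malware"] = v.group("name")
        if (h := HOST_RE.search(rest)) and rec["host"] is None:
            rec["host"], rec["ip"] = h.group("host"), h.group("ip")
        if rest.startswith("<= "):
            if s := SIZE_RE.search(rest):
                rec["size"] = int(s.group(1))
        elif rest.startswith("=> blackhole"):
            rec["blackholed"] = True   # discard verb: recipients dropped
        elif rest.startswith("=> "):
            rec["delivered"] = True    # a real delivery happened
    return dict(msgs)


def malware_hits(text):
    """(message id, malware name, sender ip, discarded?) for every scanner hit."""
    return [(mid, r["malware"], r["ip"], r["blackholed"])
            for mid, r in parse_log(text).items() if r["malware"]]
```

A message that shows up in `malware_hits` with `discarded` false, or a flagged id that also has a normal `=>` delivery, is the inconsistency worth chasing in a thread like this one.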