Re: [exim] malware_name not reporting correct name?

Página Inicial
Delete this message
Reply to this message
Autor: John Horne
Data:  
Para: Exim users
Assunto: Re: [exim] malware_name not reporting correct name?
On Fri, 2010-08-27 at 14:28 +0100, John Horne wrote:
> Hello,
>
> Using exim 4.72 I have been trying to track down a problem where mail
> with some form of detected malware has been rejected. We tend to reject
> anything detected by ClamAV's own signatures, but mark those which are
> 'UNOFFICIAL'. This has worked fine, but we are now seeing some mail
> rejected and the reported malware name - from the malware_name variable
> is (e.g.): 457)
>
> This is the actual name being reported by 'malware_name' - '457)'.
> Our logs show that other messages have been rejected, with the number in
> the message varying.
>
> It seems that the InetMsg spamdomain third-party signatures are being
> reported by ClamAV as (e.g.):
> INetMsg.SpamDomain-2m.engduates_com.UNOFFICIAL(924747f3c8e4b999eb887c755839021b:457)
> Our clamd log file shows the same name as being detected.
>

A bit more info:

We are using ClamAV 0.96.2 and have enabled the 'ExtendedDetectionInfo
yes' option. this is where the '(...:457)' comes from. We have now
disabled the 'ExtendedDetectionInfo' option and the malware_name is
reporting the names correctly.



John.

-- 
John Horne                   Tel: +44 (0)1752 587287
University of Plymouth, UK   Fax: +44 (0)1752 587001