On Thu, 3 Jan 2008 18:31:05 +0000 (GMT Standard Time) Phil Chambers <[EMAIL PROTECTED]> wrote:
> Thanks, that was a great help and I have made some progress. I took the name
> of a signature from the log which was not being rejected by exim as it arrived
> from the Internet but was when returning from Exchange and looked it up in
> scam.ndb to get:
>
> Email.Spam.Gen2111.Sanesecurity.08010217:4:*:61667465722074616b696e67205650584c
>
> The hex signature translates to 'after taking VPXL'.
>
> I configured a test instance of exim to not clean out the spool file which
> clamd is asked to scan (control = no_mbox_unspool in the 'malware = *' ACL).
>
> I then manually typed SMTP at the test instance of exim using telnet to inject
> the simple message:
>
> From: <my_address>
> To: <my_address>
> Subject: test with no_mbox_unspool
>
> Testing after taking VPXL as a signature
> test
> .
>
> The message was delivered to my Exchange account. The spool file showed
> what I would expect: the message header and body in a simple mbox-style text
> file. The signature string is in the file just as one would expect. Exim must
> have invoked clamd because 'control = no_mbox_unspool' and 'malware = *' are
> both in the same ACL and exim did not delete the spool file.
>
> Is there any way to get clamd to produce diagnostic information to prove it
> scanned the message in this situation?

Further testing has resulted in the following strange results:

With the above message in the scan spool directory where exim creates the copy
of the message for scanning, I cd'd to the spool directory and got:

clamscan
/var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml: Email.Spam.Gen2111.Sanesecurity.08010217 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 197921
Engine version: 0.92
Scanned directories: 1
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.736 sec (0 m 1 s)

Then:

clamdscan

----------- SCAN SUMMARY -----------
Infected files: 0
Time: 0.002 sec (0 m 0 s)

So, clamscan detects the signature but clamdscan does not!
(Note that some examples of this signature do get detected by clamd.)

Phil.

---------------------------------------
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
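Two things a reader of the thread above would want to check independently of exim are (a) that the quoted .ndb line really decodes to the string in the test message, and (b) whether clamd itself, not just the clamscan binary, flags the message. The script below is an added example written for this page; it is not code from the post, from ClamAV or from exim. It parses the .ndb line quoted above, decodes its hex body, checks it against a constructed copy of the test message, and builds the framing for clamd's INSTREAM command so the message bytes can be pushed to clamd over its socket without clamd having to open the exim spool file itself (with SCAN, as used by clamdscan, the clamd process must be able to read the path it is handed, so its own user, permissions and any path mismatch all come into play). The socket path is an assumption (check LocalSocket in clamd.conf), and INSTREAM exists in clamd 0.95 and later; the 0.92 in the post predates it, so against that version the network test would have to use SCAN on a path clamd can read, or the older STREAM command.

```python
import binascii
import socket
import struct

# The .ndb line quoted in the post, reproduced here as sample input.
NDB_LINE = ("Email.Spam.Gen2111.Sanesecurity.08010217:4:*:"
            "61667465722074616b696e67205650584c")

# Constructed copy of the test message typed into exim in the post.
SAMPLE_MESSAGE = (b"From: <my_address>\r\n"
                  b"To: <my_address>\r\n"
                  b"Subject: test with no_mbox_unspool\r\n"
                  b"\r\n"
                  b"Testing after taking VPXL as a signature\r\n"
                  b"test\r\n")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_ndb(line):
    """Split a ClamAV .ndb line into (name, target_type, offset, hex_sig).

    Format: MalwareName:TargetType:Offset:HexSignature. TargetType 4 is
    'mail file'; offset '*' means the body may occur anywhere.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, hexsig


def decode_hexsig(hexsig):
    """Decode a plain hex signature body to bytes.

    Only literal hex is handled here; ClamAV wildcards such as ?? or {n-m}
    are rejected rather than silently mis-decoded.
    """
    if len(hexsig) % 2 or any(c not in HEX_DIGITS for c in hexsig):
        raise ValueError("signature body contains wildcards or is malformed")
    return binascii.unhexlify(hexsig)


def matches(ndb_line, data):
    """Return the signature name if its decoded body occurs in data, else None."""
    name, _target, offset, hexsig = parse_ndb(ndb_line)
    body = decode_hexsig(hexsig)
    if offset == "*":
        return name if body in data else None
    if offset.isdigit():
        start = int(offset)
        return name if data[start:start + len(body)] == body else None
    raise ValueError("offset form %r not handled by this example" % offset)


def instream_frames(data, chunk=8192):
    """Build the bytes clamd expects for a zINSTREAM scan.

    Wire format: the command 'zINSTREAM' followed by a NUL, then a series of
    chunks each prefixed with its length as a big-endian 32-bit unsigned
    integer, terminated by a zero-length chunk.
    """
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def clamd_instream(data, sock_path="/var/run/clamav/clamd.sock"):
    """Send data to clamd over its UNIX socket and return the verdict line.

    sock_path is an assumption for this example; use the LocalSocket value
    from clamd.conf. Expected replies look like
    'stream: Email.Spam.Gen2111.Sanesecurity.08010217 FOUND' or 'stream: OK'.
    """
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while True:
            part = s.recv(4096)
            if not part:
                break
            reply += part
            if reply.endswith(b"\0"):
                break
    finally:
        s.close()
    return reply.rstrip(b"\0").decode()


if __name__ == "__main__":
    name, _, _, hexsig = parse_ndb(NDB_LINE)
    print("signature body:", decode_hexsig(hexsig))
    print("local match:", matches(NDB_LINE, SAMPLE_MESSAGE))
    # Uncomment on a host running clamd to compare with the local match:
    # print("clamd says:", clamd_instream(SAMPLE_MESSAGE))
```

If the local match succeeds and clamd returns `stream: OK` for the same bytes, the daemon is loading a different signature set than the clamscan binary (compare `clamscan --version` with what clamd logs at startup, and the DatabaseDirectory it uses); if clamd returns FOUND over INSTREAM but clamdscan on the spool path does not, the difference lies in how clamd reaches that file rather than in the signature.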