On Fri, 04 Jan 2008 12:23:06 -0500 James Kosin <[EMAIL PROTECTED]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Phil Chambers wrote:
> > Further testing has resulted in the following strange results:
> >
> > With the above message in the scan spool directory where exim creates the copy
> > of the message for scanning I cd'd to the spool directory and got:
> >
> > clamscan
> > /var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml:(wraps here)
> > Email.Spam.Gen2111.Sanesecurity.08010217 FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 197921
> > Engine version: 0.92
> > Scanned directories: 1
> > Scanned files: 1
> > Infected files: 1
> > Data scanned: 0.00 MB
> > Time: 1.736 sec (0 m 1 s)
> >
> > Then:
> >
> > clamdscan
> >
> > ----------- SCAN SUMMARY -----------
> > Infected files: 0
> > Time: 0.002 sec (0 m 0 s)
> >
> > So, clamscan detects the signature but clamdscan does not! (Note that some
> > examples of this signature do get detected by clamd.)
> >
> > Phil.
> > ---------------------------------------
> > Phil Chambers ([EMAIL PROTECTED])
> > University of Exeter
> I can clear up some of the confusion... clamscan and clamdscan get
> and have different defaults for scanning files.
>
> James

I do not like killing clamd because of the knock-on effect on exim. (You either have to allow messages through unscanned while clamd restarts or messages are rejected. The latter is unkind for MUAs doing message submission.)

However, I killed and restarted clamd and ran the clamscan and clamdscan tests again. This time they gave consistent results.

I would assume that clamd just needed to reload its signatures, but freshclam has caused that several times recently. Indeed, the last logged time was at 16:15 this afternoon, when it loaded 198037 signatures. Following this time I have had the inconsistent clamscan/clamdscan results. The restart reported the same number of signatures being loaded, and there had been no change in the signature files between the two!

I can think of a possible reason for this. Does clamd re-load all signatures or does it just load in new ones? If clamd only loads new signatures and the Sanesig signature I had a problem with had been changed then clamd could have been using the old version, while clamscan would use the latest one.

Phil.
---------------------------------------
Phil Chambers ([EMAIL PROTECTED])
University of Exeter
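
The clamscan/clamdscan comparison described in this message can be scripted so that a disagreement between the two scanners is caught automatically. The following is an added example, not code from the thread or from the ClamAV project; the function names are hypothetical, and the sample outputs are constructed from the scan results quoted above (the `: OK` line is an assumed clamdscan verdict line).

```python
import re
import subprocess

# Both tools print one verdict line per flagged file: "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?):\s*(?P<sig>\S+) FOUND$")

def parse_verdicts(output):
    """Map each flagged path to the signature name reported for it."""
    verdicts = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            verdicts[m.group("path")] = m.group("sig")
    return verdicts

def compare(clamscan_out, clamdscan_out):
    """Return {path: (clamscan_sig, clamdscan_sig)} for every disagreement.

    None means that scanner did not flag the file. A non-empty result means
    the on-disk databases (clamscan) and the daemon (clamdscan) disagree.
    """
    a = parse_verdicts(clamscan_out)
    b = parse_verdicts(clamdscan_out)
    return {p: (a.get(p), b.get(p))
            for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}

def scan_both(path):
    """Scan an absolute path with both tools and compare the verdicts.

    Assumes clamscan and clamdscan are on PATH, clamd is running and the
    clamd user can read the file.
    """
    def run(tool):
        return subprocess.run([tool, "--no-summary", path],
                              capture_output=True, text=True).stdout
    return compare(run("clamscan"), run("clamdscan"))

# Constructed sample outputs based on the results quoted in the message.
SPOOL = "/var/spool/exim/scan/1JAnYa-0006ir-N0/1JAnYa-0006ir-N0.eml"
CLAMSCAN_SAMPLE = (SPOOL + ": Email.Spam.Gen2111.Sanesecurity.08010217 FOUND\n"
                   "\n----------- SCAN SUMMARY -----------\nInfected files: 1\n")
CLAMDSCAN_SAMPLE = (SPOOL + ": OK\n"
                    "\n----------- SCAN SUMMARY -----------\nInfected files: 0\n")

if __name__ == "__main__":
    for path, (direct, daemon) in compare(CLAMSCAN_SAMPLE, CLAMDSCAN_SAMPLE).items():
        print(f"MISMATCH {path}: clamscan={direct} clamdscan={daemon}")
```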