On 2008-07-29 16:51, Sujit Acharyya-Choudhury wrote:
> ClamAV 0.93.3/7877/Tue Jul 29 12:43:08 2008
>
> Output of clamconf is:
> # clamconf
> /etc/clamd.conf: clamd directives
> ------------------------------
> LogFile not set
> LogFileUnlock = no
> LogFileMaxSize = 1048576
> LogTime = no
> LogClean = no
> LogVerbose = no
> LogSyslog = yes
> LogFacility = "LOG_MAIL"
> PidFile = "/var/lib/clamav/clamd.pid"
> TemporaryDirectory not set
> ScanPE = yes
> ScanELF = yes
> DetectBrokenExecutables = no
> ScanMail = yes
> MailFollowURLs = no
> PhishingSignatures = yes
> PhishingScanURLs = yes
> PhishingAlwaysBlockCloak = no
> PhishingAlwaysBlockSSLMismatch = no
> PhishingRestrictedScan = yes
> DetectPUA = no
> AlgorithmicDetection = yes
> ScanHTML = yes
> ScanOLE2 = yes
> ScanPDF = no
> ScanArchive = yes
> MaxScanSize = 104857600
> MaxFileSize = 26214400
> MaxRecursion = 16
> MaxFiles = 10000
> ArchiveLimitMemoryUsage = no
> ArchiveBlockEncrypted = no
> DatabaseDirectory = "/var/lib/clamav"
> TCPAddr = "127.0.0.1"
> TCPSocket = 3310
> LocalSocket = "/var/lib/clamav/clamd-socket"
> MaxConnectionQueueLength = 15
> StreamMaxLength = 10485760
> StreamMinPort = 1024
> StreamMaxPort = 2048
> MaxThreads = 10
> ReadTimeout = 300
> IdleTimeout = 30
> MaxDirectoryRecursion = 15
> FollowDirectorySymlinks = no
> FollowFileSymlinks = no
> ExitOnOOM = no
> Foreground = no
> Debug = no
> LeaveTemporaryFiles = no
> FixStaleSocket = yes
> User = "vscan"
> AllowSupplementaryGroups = no
> SelfCheck = 600
> VirusEvent not set
> ClamukoScanOnAccess not set
> ClamukoScanOnOpen not set
> ClamukoScanOnClose not set
> ClamukoScanOnExec not set
> ClamukoIncludePath not set
> ClamukoExcludePath not set
> ClamukoMaxFileSize = 5242880
> DevACOnly not set
> DevACDepth not set
>

I don't see anything wrong here, but make sure the files you are scanning are accessible to the vscan user.

> /etc/freshclam.conf: freshclam directives
> ------------------------------
> LogFileMaxSize = 1048576
> LogTime = no
> LogVerbose = no
> LogSyslog = yes
> LogFacility = "LOG_MAIL"
> PidFile = "/var/lib/clamav/freshclam.pid"
> DatabaseDirectory = "/var/lib/clamav"
> Foreground = no
> Debug = no
> AllowSupplementaryGroups = no
> DatabaseOwner = "vscan"
> Checks = 12
> UpdateLogFile = "/var/log/freshclam.log"
> DNSDatabaseInfo = "current.cvd.clamav.net"
> DatabaseMirror = "db.uk.clamav.net"
> MaxAttempts = 3
> ScriptedUpdates = yes
> CompressLocalDatabase = no
> HTTPProxyServer = "wwwcache.wmin.ac.uk"
> HTTPProxyPort = 3128
> HTTPProxyUsername not set
> HTTPProxyPassword not set
> HTTPUserAgent not set
> NotifyClamd = "/etc/clamd.conf"
> OnUpdateExecute not set
> OnErrorExecute not set
> OnOutdatedExecute not set
> LocalIPAddress not set
> ConnectTimeout = 30
> ReceiveTimeout = 30
>
> Engine and signature databases
> ------------------------------
> Engine version: 0.93.3
> Database directory: /var/lib/clamav
> main db: Format: .inc, Version: 46, Build time: Sun Apr 6 19:57:08 2008
> daily db: Format: .cvd, Version: 7877, Build time: Tue Jul 29 12:43:08 2008
>
>
> We are encountering problem with UPS (phishing or virus) e-mail and for a
> long time it was unable to catch it.
> A folder containing eicar test viruses produced the following results:
>
> # clamscan .
> ./eicar.com: Eicar-Test-Signature FOUND
> ./eicar.com.txt: Eicar-Test-Signature FOUND
> ./eicar_com.zip: Eicar-Test-Signature FOUND
> ./eicarcom2.zip: Eicar-Test-Signature FOUND
>

So it detects eicar when you scan the file, but not when you send it as an email, right?

You can do the following to further diagnose the problem:
- send a mail containing an eicar, if not detected then scan the email file itself
- check that your MTA does indeed send the file to clamd for scanning (you can run clamd in foreground/debug mode)

What mail server are you using, and how do you call clamd from it?

> This e-mail and its attachments are intended for the above named only
> and may be confidential.

This is a public mailing list....

Best regards,
--Edwin
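
The diagnostic steps above (scan the mail file itself, then confirm clamd is reachable and can read it), sketched as an added example that is not part of the original message or of ClamAV. It assumes the LocalSocket path from the quoted clamconf output; the addresses and the /tmp path are constructed for illustration.

```python
import socket
from email import message_from_bytes
from email.message import EmailMessage

# Standard harmless EICAR test string, split so this file is not flagged itself.
EICAR = (r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-"
         "STANDARD-ANTIVIRUS-TEST-FILE!$H+H*").encode("ascii")
CLAMD_SOCKET = "/var/lib/clamav/clamd-socket"  # LocalSocket from the clamconf output


def build_test_mail(sender="test@example.org", rcpt="postmaster@example.org"):
    """Return raw mail bytes carrying eicar.com as a base64 attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, rcpt, "clamd path test"
    msg.set_content("Test attachment for the scanner; harmless by design.")
    msg.add_attachment(EICAR, maintype="application",
                       subtype="octet-stream", filename="eicar.com")
    return msg.as_bytes()


def attachment_payloads(raw):
    """Decode attachments, as a scanner must before a signature can match."""
    parts = message_from_bytes(raw).walk()
    return [p.get_payload(decode=True) for p in parts if p.get_filename()]


def clamd_command(command, path=CLAMD_SOCKET, timeout=10):
    """Send one command to clamd over its local socket and return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(command.encode() + b"\n")
        chunks = []
        while (data := s.recv(4096)):
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace").strip()


def is_detected(reply):
    """clamd scan replies end in OK, FOUND or ERROR."""
    return reply.endswith("FOUND")


if __name__ == "__main__":
    mail_path = "/tmp/eicar-test.eml"  # constructed; must be readable by user vscan
    with open(mail_path, "wb") as f:
        f.write(build_test_mail())
    print(clamd_command("PING"))  # PONG means the daemon is listening
    reply = clamd_command("SCAN " + mail_path)
    print(reply, "-> detected" if is_detected(reply) else "-> NOT detected")
```

If the SCAN reply ends in ERROR rather than FOUND or OK, clamd could not process the file, which points back at file access for the vscan user.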