From: Tomasz Kojm <tk...@clamav.net>
Reply-To: ClamAV users ML <clamav-users@lists.clamav.net>
Date: Thu, 13 Aug 2009 17:25:40 +0200
>On Thu, 13 Aug 2009 17:14:45 +0200
>"Len Conrad" <lcon...@go2france.com> wrote:
>
>> We have a submission/mailbox server running clam that is submission point
>> for our networks, and relays to a Barracuda as outbound filter.
>>
>> clamsmtpd/clam are running fine, passing most as clean, naturally, while
>> catching a few viruses.
>>
>> However, for two days, the Barracuda has been blocking what it calls "Virus
>> (W32.Elkern.C)".
>>
>> These are really spam bot spew, with the submitting IP using a different
>> random garbage HELO, and sometimes a recipient domain that is also garbage.
>>
>> Anybody else see this?
>
>Hi Len,
>
>Barracuda is using ClamAV, isn't it? In fact, ClamAV includes the signature
>for W32.Elkern.C:
>
>$ sigtool -l | grep -i elkern
>W32.Elkern.C
>W32.Elkern.A
>
>Perhaps there's some configuration problem with clamsmtpd which prevents it
>from detecting the virus. How does it call/communicate with ClamAV?

postfix main.cf:

content_filter = scan:127.0.0.1:10025

postfix master.cf:

# AV scan filter (used by content_filter)
scan      unix  -       -       n       -       16      smtp
  -o smtp_send_xforward_command=yes
# For injecting mail back into postfix from the filter
127.0.0.1:10026 inet n  -       n       -       16      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8

clamsmtpd.conf:

ClamAddress: /tmp/clamd.socket

Linux:

ll /tmp/clamd.socket
srwxrwxrwx 1 root 0 Aug 11 10:51 /tmp/clamd.socket

I don't think there is any problem with the postfix/clamsmtpd/clam handoff.
The clam scanning has missed only the W32.Elkern these past few days (barracuda has caught on W32.Elkern), and caught everything else, eg today:

egrep -i "status=virus" /var/log/ms1.xxx.net/maillog
Aug 13 10:08:10 clamsmtpd: 1122E3: from=gsegro...@xxx.net, to=sportsnationh...@xxx.com, status=VIRUS:Exploit.IFrame.Gen
Aug 13 10:19:40 clamsmtpd: 112524: from=comfor...@xxx.net, to=memberservi...@xxx.com, status=VIRUS:Exploit.IFrame.Gen
Aug 13 10:49:27 clamsmtpd: 112BB4: from=cto...@xxx.net, to=bub...@xxx.com, status=VIRUS:Exploit.IFrame.Gen

netstat -nap | egrep -ic :10025
46
netstat -nap | egrep -ic :10026
1

So how could the sig be in the clam db, but clam selectively missing W32.Elkern?

Len
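One way to test the clamd side of the handoff on its own, bypassing postfix and clamsmtpd, is to speak clamd's INSTREAM protocol directly over the socket. This is an added example, not code from the thread or from the ClamAV project; it assumes the /tmp/clamd.socket path from the clamsmtpd.conf above and uses the standard EICAR test string, so a FOUND reply shows clamd itself is loading signatures and matching, while feeding it a saved copy of one of the messages the Barracuda blocked shows whether W32.Elkern.C fires on that exact input.

```python
import socket
import struct

# Socket path taken from the clamsmtpd.conf quoted in the thread
CLAMD_SOCKET = "/tmp/clamd.socket"

# Standard EICAR anti-virus test string (harmless; every scanner should flag it)
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def instream_frames(data: bytes, chunk_size: int = 2048) -> bytes:
    """Build the wire bytes for a NUL-terminated zINSTREAM request.

    clamd expects the command, then chunks each prefixed with a 4-byte
    big-endian length, terminated by a zero-length chunk.
    """
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)  # end-of-stream marker
    return bytes(out)


def parse_reply(reply: bytes):
    """Turn a reply such as b'stream: Foo FOUND\\0' into (verdict, name)."""
    text = reply.rstrip(b"\0").decode("utf-8", "replace").strip()
    if text.endswith(" FOUND"):
        body = text[: -len(" FOUND")]
        name = body.split(": ", 1)[1] if ": " in body else body
        return "FOUND", name
    if text.endswith(" OK"):
        return "OK", None
    return "ERROR", text  # size limit exceeded, unknown command, etc.


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 30.0):
    """Send data to clamd over the UNIX socket and return (verdict, name)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # 'z' commands give NUL-terminated replies
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    print(scan_bytes(EICAR))           # a working clamd answers with a FOUND verdict
    print(scan_bytes(b"plain text\n"))  # clean input answers OK
```

To test the W32.Elkern.C case, read one of the blocked messages from disk and pass its bytes to scan_bytes; an OK there points at signature or size-limit issues on this clamd, while FOUND points back at what clamsmtpd hands it.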