On Thu, 13 Aug 2009 18:14:14 +0200 "Len Conrad" <lcon...@go2france.com> wrote:
> I don't think there is any problem with the postfix/clamsmtpd/clam handoff.
>
> The clam scanning has missed only the W32.Elkern these past few days
> (barracuda has caught on W32.Elkern), and caught everything else, eg today:
>
> egrep -i "status=virus" /var/log/ms1.xxx.net/maillog
>
> Aug 13 10:08:10 clamsmtpd: 1122E3: from=gsegro...@xxx.net,
> to=sportsnationh...@xxx.com, status=VIRUS:Exploit.IFrame.Gen

The fact that your installation catches Exploit.IFrame.Gen doesn't mean it
will detect other threats. The IFrame signature is one of the most basic
ones, but other signatures may require properly decoded attachments or even
the entire raw message so that libclamav can match some headers or do
special decoding/preprocessing on its own.

> Aug 13 10:19:40 clamsmtpd: 112524: from=comfor...@xxx.net,
> to=memberservi...@xxx.com, status=VIRUS:Exploit.IFrame.Gen
>
> Aug 13 10:49:27 clamsmtpd: 112BB4: from=cto...@xxx.net, to=bub...@xxx.com,
> status=VIRUS:Exploit.IFrame.Gen
>
> netstat -nap | egrep -ic :10025
> 46
>
> netstat -nap | egrep -ic :10026
> 1
>
> So how could the sig be in the clam db, but clam selectively missing
> W32.Elkern?

There could be many reasons for that. E.g. there may be a configuration
problem with your clamd (please provide the output of 'clamconf -n'), or it
may not be getting the proper data from clamsmtpd (does it take care of
extracting attachments, or does it pass the entire message to clamd?). Can
you get a copy of the infected mail from your Barracuda?

-- 
   oo    .....         Tomasz Kojm <tk...@clamav.net>
  (\/)\.........         http://www.ClamAV.net/gpg/tkojm.gpg
     \..........._       0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\          Thu Aug 13 18:27:51 CEST 2009

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
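The reply above points at two things worth checking before blaming the signature: what clamsmtpd's log actually shows per signature, and whether clamd itself detects the sample when it is handed the entire raw message instead of whatever clamsmtpd passes on. The following script is an added example (it is not from either poster or from the ClamAV project) that does both: it tallies `status=VIRUS:` lines from the clamsmtpd log format quoted in the thread, and it sends a raw message straight to clamd over its UNIX socket with the INSTREAM command, bypassing clamsmtpd, so the two results can be compared. The log lines embedded below are constructed for illustration, and the socket path `/var/run/clamav/clamd.sock` is an assumption that must match `LocalSocket` in your clamd.conf.

```python
"""Diagnostics for the clamsmtpd -> clamd hand-off (added example, not ClamAV code)."""
import re
import socket
import struct
from collections import Counter

# Constructed sample lines in the clamsmtpd log format quoted in the thread (not real traffic).
SAMPLE_MAILLOG = """\
Aug 13 10:08:10 clamsmtpd: 1122E3: from=a@example.net, to=b@example.com, status=VIRUS:Exploit.IFrame.Gen
Aug 13 10:12:55 clamsmtpd: 1123F0: from=c@example.net, to=d@example.com, status=CLEAN
Aug 13 10:19:40 clamsmtpd: 112524: from=e@example.net, to=f@example.com, status=VIRUS:Exploit.IFrame.Gen
Aug 13 10:49:27 clamsmtpd: 112BB4: from=g@example.net, to=h@example.com, status=VIRUS:W32.Elkern
"""

# Matches the queue id and the signature name on a clamsmtpd VIRUS line.
VIRUS_RE = re.compile(r"clamsmtpd: (?P<id>[0-9A-F]+): .*status=VIRUS:(?P<sig>\S+)")


def count_detections(log_text):
    """Return {signature_name: count} for every status=VIRUS line in clamsmtpd's log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = VIRUS_RE.search(line)
        if m:
            counts[m.group("sig")] += 1
    return dict(counts)


def instream_frames(data, chunk_size=8192):
    """Frame raw bytes as clamd's INSTREAM command expects: each chunk is a
    4-byte big-endian length followed by the bytes; a zero length ends the stream."""
    frames = []
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        frames.append(struct.pack(">I", len(chunk)) + chunk)
    frames.append(struct.pack(">I", 0))
    return frames


def parse_reply(reply):
    """Turn clamd's 'stream: <name> FOUND' / 'stream: OK' reply into (found, name)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" FOUND"):
        # "stream: W32.Elkern FOUND" -> "W32.Elkern"
        return True, text[len("stream: "):-len(" FOUND")]
    if text.endswith(" OK"):
        return False, None
    raise RuntimeError("unexpected clamd reply: " + text)


def scan_with_clamd(raw_message, sock_path="/var/run/clamav/clamd.sock"):
    """Send the whole raw message to clamd with INSTREAM and return (found, name).

    sock_path is an assumption: it must match LocalSocket in clamd.conf
    (visible in 'clamconf -n' output). raw_message is the complete .eml as bytes,
    headers included, so libclamav can do its own MIME decoding."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")          # 'z' prefix: NUL-terminated replies
        for frame in instream_frames(raw_message):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Step 1: what clamsmtpd logged, per signature.
    print(count_detections(SAMPLE_MAILLOG))
    # Step 2 (needs a running clamd): compare with a direct scan of the raw mail.
    # with open("missed.eml", "rb") as f:
    #     print(scan_with_clamd(f.read()))
```

If the direct INSTREAM scan of the raw message reports the signature that clamsmtpd's log never shows, the database is fine and the loss is in what clamsmtpd hands to clamd; if the direct scan also returns OK, the problem is on the clamd side (configuration, database version, or a sample the signature does not cover).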