I have a primary MX running Redhat, with postfix+amavisd+clamav. I also have a secondary MX and SMTP gateway running Debian, with postfix+amavisd-new+clamav.

Recently we adopted use of Sanesecurity additions, using the scamp script on both MX and SMTP. Root receives virus notifications on the SMTP, and we've noticed some emails which are not caught on inbound but are stopped on outbound, while tracing the quarantined message demonstrates it was the same message, being forwarded out of our domain by a sieve script on cyrus.

This issue was discussed on the amavis mailing list, and Noel Jones suggested the symptoms looked like a problem with .ftm files. I searched for such files, and on the Redhat system which sometimes misses a Sanesecurity signature in incoming email, I have an old directory /var/clamav/daily.inc dated 2008 and all files in there are as old.

# ls -l /var/clamav/daily.inc/
total 3024
-rw-r--r-- 1 amavis amavis 17992 Jan 4 2008 COPYING
-rw-r--r-- 1 amavis amavis 142 Apr 29 2008 daily.cfg
-rw-r--r-- 1 amavis amavis 26014 Apr 7 2008 daily.db
-rw-r--r-- 1 amavis amavis 5020 Apr 22 2008 daily.fp
-rw-r--r-- 1 amavis amavis 5642 May 1 2008 daily.ftm
-rw-r--r-- 1 amavis amavis 6798 May 2 2008 daily.hdb
-rw-r--r-- 1 amavis amavis 1224 Feb 6 2008 daily.hdu
-rw-r--r-- 1 amavis amavis 32 May 5 2008 daily.ign
-rw-r--r-- 1 amavis amavis 672 May 6 2008 daily.info
-rw-r--r-- 1 amavis amavis 2667216 May 6 2008 daily.mdb
-rw-r--r-- 1 amavis amavis 38567 May 4 2008 daily.mdu
-rw-r--r-- 1 amavis amavis 262690 May 6 2008 daily.ndb
-rw-r--r-- 1 amavis amavis 6935 Apr 29 2008 daily.ndu
-rw-r--r-- 1 amavis amavis 3218 Mar 27 2008 daily.pdb
-rw-r--r-- 1 amavis amavis 1454 Feb 28 2008 daily.wdb
-rw-r--r-- 1 amavis amavis 2922 Jan 4 2008 daily.zmd

If I contrast that with the Debian system, it has more current files, within the clamav directory.

# ls -l /var/lib/clamav/daily.*
-rw-r--r-- 1 root root 383 Nov 16 14:00 /var/lib/clamav/daily.cfg
-rw-r--r-- 1 amavis amavis 18197504 Nov 15 22:32 /var/lib/clamav/daily.cld
-rw-r--r-- 1 root root 25391 Nov 16 14:00 /var/lib/clamav/daily.db
-rw-r--r-- 1 root root 40375 Nov 16 14:00 /var/lib/clamav/daily.fp
-rw-r--r-- 1 root root 8098 Nov 16 14:00 /var/lib/clamav/daily.ftm
-rw-r--r-- 1 root root 104981 Nov 16 14:00 /var/lib/clamav/daily.hdb
-rw-r--r-- 1 root root 2676 Nov 16 14:00 /var/lib/clamav/daily.hdu
-rw-r--r-- 1 root root 31677 Nov 16 14:00 /var/lib/clamav/daily.idb
-rw-r--r-- 1 root root 3958 Nov 16 14:00 /var/lib/clamav/daily.ign
-rw-r--r-- 1 root root 2471 Nov 16 14:00 /var/lib/clamav/daily.ign2
-rw-r--r-- 1 root root 1873 Nov 16 14:00 /var/lib/clamav/daily.info
-rw-r--r-- 1 root root 83449 Nov 16 14:00 /var/lib/clamav/daily.ldb
-rw-r--r-- 1 root root 2373 Nov 16 14:00 /var/lib/clamav/daily.ldu
-rw-r--r-- 1 root root 16113730 Nov 16 14:00 /var/lib/clamav/daily.mdb
-rw-r--r-- 1 root root 64233 Nov 16 14:00 /var/lib/clamav/daily.mdu
-rw-r--r-- 1 root root 835302 Nov 16 14:00 /var/lib/clamav/daily.ndb
-rw-r--r-- 1 root root 824779 Nov 16 14:00 /var/lib/clamav/daily.ndu
-rw-r--r-- 1 root root 4094 Nov 16 14:00 /var/lib/clamav/daily.pdb
-rw-r--r-- 1 root root 6394 Nov 16 14:00 /var/lib/clamav/daily.wdb
-rw-r--r-- 1 root root 8689 Nov 16 14:00 /var/lib/clamav/daily.zmd

The old daily.inc is probably left over from an upgrade. I use the freshclam scripts daily, but I'm not sure how to correct this on the Redhat system. The other difference is Redhat runs it as a cron, while Debian has a daemon.

Here is the daily cron I have on Redhat:

#!/bin/sh

### A simple update script for the clamav virus database.
### This could as well be replaced by a SysV script.

### fix log file if needed
LOG_FILE="/var/log/clamav/freshclam.log"
if [ ! -f "$LOG_FILE" ]; then
    touch "$LOG_FILE"
    chmod 644 "$LOG_FILE"
    chown amavis:amavis "$LOG_FILE"
fi

/usr/bin/freshclam \
    --quiet \
    --datadir="/var/clamav" \
    --log="$LOG_FILE" \
    --daemon-notify="/etc/clamd.conf"

Are there suggestions on what I should change so I get another version of daily.ftm and other daily.* files as does the Debian configuration?

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
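
One way to audit a signature directory for the condition described in the message above, stale daily.* files sitting in a leftover unpacked directory, is sketched here as an added example that is not part of the original post. The function names and the 7-day default threshold are assumptions.

```shell
#!/bin/sh
# Added example: report ClamAV "daily.*" signature files that have not been
# refreshed recently, including ones inside leftover unpacked directories
# such as daily.inc. The 7-day default threshold is an assumption.

# stale_daily_files DATADIR [MAX_AGE_DAYS]
# Prints "STALE <path>" for each daily.* file older than MAX_AGE_DAYS.
# Exit status: 0 = nothing stale, 1 = stale files found, 2 = bad DATADIR.
stale_daily_files() {
    sdf_dir=$1
    sdf_age=${2:-7}
    if [ ! -d "$sdf_dir" ]; then
        echo "not a directory: $sdf_dir" >&2
        return 2
    fi
    # -mtime +N matches files last modified more than N whole days ago.
    sdf_hits=$(find "$sdf_dir" -type f -name 'daily.*' -mtime +"$sdf_age" | sort)
    if [ -z "$sdf_hits" ]; then
        return 0
    fi
    printf '%s\n' "$sdf_hits" | sed 's/^/STALE /'
    return 1
}

# stale_daily_dirs DATADIR [MAX_AGE_DAYS]
# Prints each directory holding at least one stale daily.* file, once.
stale_daily_dirs() {
    stale_daily_files "$1" "${2:-7}" | sed 's/^STALE //' |
        while IFS= read -r sdf_path; do dirname "$sdf_path"; done | sort -u
}

# When run with arguments, e.g. "sh check.sh /var/clamav 7", audit that path.
if [ "$#" -gt 0 ]; then
    stale_daily_files "$@"
fi
```

Run from cron against the datadir that freshclam writes to, a non-zero exit status can be used to raise an alert before stale signatures cause missed detections.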