On Fri, Nov 16, 2012 at 2:56 PM, francis picabia <fpica...@gmail.com> wrote:
> I have a primary MX running Redhat, with postfix+amavisd+clamav
>
> I also have a secondary MX and SMTP gateway running Debian, with
> postfix+amavisd-new+clamav
>
> Recently we adopted use of Sanesecurity additions, using the scamp script
> on both MX and SMTP.
>
> Root receives virus notifications on the SMTP, and we've noticed some emails
> which are not caught on inbound but are stopped on outbound, while tracing
> the quarantined message demonstrates it was the same message, being
> forwarded out of our domain by a sieve script on cyrus.
>
> This issue was discussed on the amavis mailing list, and Noel Jones
> suggested the symptoms looked like a problem with .ftm files.
>
> I searched for such files, and on the Redhat system which sometimes misses
> a Sanesecurity signature in incoming email, I have an old directory
> /var/clamav/daily.inc dated 2008, and all files in there are as old.
>
> # ls -l /var/clamav/daily.inc/
> total 3024
> -rw-r--r-- 1 amavis amavis   17992 Jan  4 2008 COPYING
> -rw-r--r-- 1 amavis amavis     142 Apr 29 2008 daily.cfg
> -rw-r--r-- 1 amavis amavis   26014 Apr  7 2008 daily.db
> -rw-r--r-- 1 amavis amavis    5020 Apr 22 2008 daily.fp
> -rw-r--r-- 1 amavis amavis    5642 May  1 2008 daily.ftm
> -rw-r--r-- 1 amavis amavis    6798 May  2 2008 daily.hdb
> -rw-r--r-- 1 amavis amavis    1224 Feb  6 2008 daily.hdu
> -rw-r--r-- 1 amavis amavis      32 May  5 2008 daily.ign
> -rw-r--r-- 1 amavis amavis     672 May  6 2008 daily.info
> -rw-r--r-- 1 amavis amavis 2667216 May  6 2008 daily.mdb
> -rw-r--r-- 1 amavis amavis   38567 May  4 2008 daily.mdu
> -rw-r--r-- 1 amavis amavis  262690 May  6 2008 daily.ndb
> -rw-r--r-- 1 amavis amavis    6935 Apr 29 2008 daily.ndu
> -rw-r--r-- 1 amavis amavis    3218 Mar 27 2008 daily.pdb
> -rw-r--r-- 1 amavis amavis    1454 Feb 28 2008 daily.wdb
> -rw-r--r-- 1 amavis amavis    2922 Jan  4 2008 daily.zmd
>
> If I contrast that with the Debian system, it has more current files,
> within the clamav directory.
>
> # ls -l /var/lib/clamav/daily.*
> -rw-r--r-- 1 root   root        383 Nov 16 14:00 /var/lib/clamav/daily.cfg
> -rw-r--r-- 1 amavis amavis 18197504 Nov 15 22:32 /var/lib/clamav/daily.cld
> -rw-r--r-- 1 root   root      25391 Nov 16 14:00 /var/lib/clamav/daily.db
> -rw-r--r-- 1 root   root      40375 Nov 16 14:00 /var/lib/clamav/daily.fp
> -rw-r--r-- 1 root   root       8098 Nov 16 14:00 /var/lib/clamav/daily.ftm
> -rw-r--r-- 1 root   root     104981 Nov 16 14:00 /var/lib/clamav/daily.hdb
> -rw-r--r-- 1 root   root       2676 Nov 16 14:00 /var/lib/clamav/daily.hdu
> -rw-r--r-- 1 root   root      31677 Nov 16 14:00 /var/lib/clamav/daily.idb
> -rw-r--r-- 1 root   root       3958 Nov 16 14:00 /var/lib/clamav/daily.ign
> -rw-r--r-- 1 root   root       2471 Nov 16 14:00 /var/lib/clamav/daily.ign2
> -rw-r--r-- 1 root   root       1873 Nov 16 14:00 /var/lib/clamav/daily.info
> -rw-r--r-- 1 root   root      83449 Nov 16 14:00 /var/lib/clamav/daily.ldb
> -rw-r--r-- 1 root   root       2373 Nov 16 14:00 /var/lib/clamav/daily.ldu
> -rw-r--r-- 1 root   root   16113730 Nov 16 14:00 /var/lib/clamav/daily.mdb
> -rw-r--r-- 1 root   root      64233 Nov 16 14:00 /var/lib/clamav/daily.mdu
> -rw-r--r-- 1 root   root     835302 Nov 16 14:00 /var/lib/clamav/daily.ndb
> -rw-r--r-- 1 root   root     824779 Nov 16 14:00 /var/lib/clamav/daily.ndu
> -rw-r--r-- 1 root   root       4094 Nov 16 14:00 /var/lib/clamav/daily.pdb
> -rw-r--r-- 1 root   root       6394 Nov 16 14:00 /var/lib/clamav/daily.wdb
> -rw-r--r-- 1 root   root       8689 Nov 16 14:00 /var/lib/clamav/daily.zmd
>
> The old daily.inc is probably left over from an upgrade. I use
> the freshclam scripts daily, but I'm not sure how to correct
> this on the Redhat system. The other difference is Redhat
> runs it as a cron, while Debian has a daemon.
>
> Here is the daily cron I have on Redhat:
>
> #!/bin/sh
>
> ### A simple update script for the clamav virus database.
> ### This could as well be replaced by a SysV script.
>
> ### fix log file if needed
> LOG_FILE="/var/log/clamav/freshclam.log"
> if [ ! -f "$LOG_FILE" ]; then
>     touch "$LOG_FILE"
>     chmod 644 "$LOG_FILE"
>     chown amavis:amavis "$LOG_FILE"
> fi
>
> /usr/bin/freshclam \
>     --quiet \
>     --datadir="/var/clamav" \
>     --log="$LOG_FILE" \
>     --daemon-notify="/etc/clamd.conf"
>
> Are there suggestions on what I should change so I get another version of
> daily.ftm and other daily.* files as does the Debian configuration?
OK, I've now learned I can extract the daily.* files from daily.cld using

sigtool --unpack daily.cld

This appears to be what the Debian system does when the freshclam daemon
handles things. Should my Redhat cron do the same?

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
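An added audit script (editor's example, not from the thread or from the ClamAV project) for the situation described above: clamd loads daily.cld/daily.cvd directly, and an unpacked daily.inc directory is the pre-0.95 incremental format that freshclam no longer refreshes, so a defender wants a cron check that flags leftover .inc directories and databases whose mtime has stopped moving. It assumes POSIX sh with find(1); the /var/clamav default and the MAX_AGE of 2 days are assumptions, and the function name is hypothetical.

```shell
#!/bin/sh
# check_clamav_db DATADIR [MAX_AGE_DAYS]
# Prints one status line per finding and returns 1 if anything looks stale,
# so it can run from the same daily cron that calls freshclam.
check_clamav_db() {
    datadir=${1:-/var/clamav}   # assumed default: the Redhat path from the thread
    max_age=${2:-2}             # assumed: freshclam should touch daily.cld daily
    status=0
    [ -d "$datadir" ] || { echo "ERROR no such datadir: $datadir" >&2; return 2; }

    # 1. Leftover unpacked *.inc directories (old incremental-update format).
    #    Nothing updates these any more, so signatures in them only age.
    for inc in "$datadir"/*.inc; do
        [ -d "$inc" ] || continue
        echo "STALE-INC $inc (leftover directory, not maintained by freshclam)"
        status=1
    done

    # 2. The databases clamd actually loads: daily/main/bytecode as .cld or .cvd.
    #    A file untouched for more than max_age days means updates stopped.
    found=0
    for db in daily main bytecode; do
        for f in "$datadir/$db.cld" "$datadir/$db.cvd"; do
            [ -f "$f" ] || continue
            found=1
            if [ -n "$(find "$f" -mtime +"$max_age" 2>/dev/null)" ]; then
                echo "OLD $f (not updated in more than $max_age days)"
                status=1
            else
                echo "OK $f"
            fi
        done
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING no daily/main/bytecode .cld or .cvd in $datadir"
        status=1
    fi
    return "$status"
}
```

Run it after freshclam in the cron and mail its output to root only when it exits non-zero; a persistent STALE-INC line means the directory can be removed once the .cld beside it is confirmed current.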