On Wed, Dec 11, 2013 at 10:30 AM, Anthony Magrone <anthonymagr...@hamlinandburton.com> wrote:
> I am running the latest release of ClamAV on CentOS 6.4.
>
> The script /opt/server-config/nfs-server/scripts/autoclam-hourly is
> sending an email with the message "LibClamAV Warning: cli_tnef: file
> truncated, returning CLEAN" every hour. I haven't found any reference
> online regarding how to either disable or resolve this warning.
>
> Any assistance would be greatly appreciated.
>
> Regards,
> Anthony
>
> Hamlin & Burton
> LIABILITY MANAGEMENT
>
> Anthony Magrone
> IT Administrator
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml

There must be a TNEF [Transport Neutral Encapsulation Format] file that is
triggering it during your scans. The message is at warning level and is being
scraped by the script and sent to you.

It is not reporting the filename because (as it says) the file is being simply
treated as clean. That is because this message is caused by a parsing problem,
not an alert.

You have some choices. Do whatever is most appropriate for your environment.

Option A) Change the file
  1) Do some investigation to identify the individual file that is causing
     this, with targeted scans.
  2) Either remove it or modify it or exclude it.

Option B) Change the configuration
  1) Disable parsing mail format files
  2) If the script is using clamscan, add --scan-mail=no to the command line
  3) If the script is using clamd, add a line that says "ScanMail no" in your
     clamd.conf
  4) These will still scan the mailbox files, but will not try to parse
     messages.

Option C) Change the code
  1) Patch the code and run your own build
  2) Change line 116 in libclamav/tnef.c from "cli_warnmsg" to "cli_dbgmsg"
     to downgrade the message and quiet the warning

Option D) Change the script to change how you handle all ClamAV warnings or
just this particular warning.

Hope this helps,

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
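One way to apply Option D above, as an added example that is not part of the original thread: a filter for the scan wrapper that drops only the exact warning quoted in the question and still mails detections and any other warning. The --scan entry point, the use of clamscan and mail(1), and the path and recipient arguments are assumptions about what autoclam-hourly does.

```shell
#!/bin/sh
# Added example (not from the thread): quiet one known LibClamAV warning in a
# scan wrapper while still mailing detections and any other warning.

# Warning text exactly as quoted in the thread.
KNOWN='LibClamAV Warning: cli_tnef: file truncated, returning CLEAN'

# stdin: combined scan output. stdout: same output minus the known warning.
strip_known_warning() {
    awk -v known="$KNOWN" '$0 != known { print }'
}

# stdin: combined scan output. stdout: number of suppressed warning lines.
count_known_warning() {
    awk -v known="$KNOWN" '$0 == known { n++ } END { print n + 0 }'
}

# $1: combined scan output. Returns 0 (send mail) if anything other than the
# known warning or blank lines is present, 1 otherwise.
should_mail() {
    printf '%s\n' "$1" | strip_known_warning | grep -q '[^[:space:]]'
}

# Hypothetical entry point: sh wrapper.sh --scan <path> <recipient>
# Assumption: the hourly script runs clamscan and sends its output with mail(1).
if [ "${1:-}" = "--scan" ]; then
    out=$(clamscan -r --infected --no-summary "$2" 2>&1)
    n=$(printf '%s\n' "$out" | count_known_warning)
    # Keep a trace of what was suppressed instead of dropping it silently.
    [ "$n" -gt 0 ] && echo "suppressed $n truncated-TNEF warning(s)" >&2
    if should_mail "$out"; then
        printf '%s\n' "$out" | strip_known_warning |
            mail -s "ClamAV hourly scan" "$3"
    fi
fi
```

The warning means the TNEF parser stopped early and the file was returned as CLEAN, so the suppressed count is still written to stderr to keep that condition visible in the job's log.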