Dave,

Adding --scan-mail=no to the command line yielded the results we were looking 
for. Thanks!

Regards,
Anthony

Hamlin & Burton
LIABILITY MANAGEMENT

Anthony Magrone
IT Administrator

321.972.0121 
hamlinandburton.com

Corporate Offices: Orlando, Florida
615 Crescent Executive Court, Suite 212, Lake Mary, FL 32746

Confidentiality and HIPAA Compliance Notice: This e-mail message, including any 
attachments, is intended for the named recipient(s) and may contain information 
that is (i) proprietary to the sender, and/or, (ii) privileged, confidential 
and/or otherwise exempt from disclosure under applicable state and federal law, 
including, but not limited to, privacy and security standards imposed pursuant 
to the federal Health Insurance Portability and Accountability Act of 1996 
("HIPAA").  Receipt by anyone other than the named recipient(s) is not a waiver 
of any applicable privilege. If you are not the intended recipient, you are 
hereby notified that any review, dissemination, distribution or duplication of 
this communication is strictly prohibited. If you are not the intended 
recipient, please contact the sender by reply email and destroy all copies of 
the original message.

-----Original Message-----
From: clamav-users-boun...@lists.clamav.net 
[mailto:clamav-users-boun...@lists.clamav.net] On Behalf Of David Raynor
Sent: Wednesday, December 11, 2013 6:03 PM
To: ClamAV users ML
Subject: Re: [clamav-users] Hourly warning from autoclam-hourly script

On Wed, Dec 11, 2013 at 10:30 AM, Anthony Magrone < 
anthonymagr...@hamlinandburton.com> wrote:

> I am running the latest release of ClamAV on CentOS 6.4.
>
> The script /opt/server-config/nfs-server/scripts/autoclam-hourly is 
> sending an email with the message "LibClamAV Warning: cli_tnef: file 
> truncated, returning CLEAN" every hour. I haven't found any reference 
> online regarding how to either disable or resolve this warning.
>
> Any assistance would be greatly appreciated.
>
> Regards,
> Anthony
>
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> http://www.clamav.net/support/ml
>

There must be a TNEF [Transport Neutral Encapsulation Format] file that is 
triggering it during your scans. The message is at warning level and is being 
scraped by the script and sent to you. It is not reporting the filename because 
(as it says) the file is being simply treated as clean.
That is because this message is caused by a parsing problem, not an alert.

You have some choices. Do whatever is most appropriate for your environment.

Option A) Change the file
1) Do some investigation to identify the individual file that is causing this, 
with targeted scans.
2) Either remove it or modify it or exclude it.

Option B) Change the configuration
1) Disable parsing mail format files
2) If the script is using clamscan, add --scan-mail=no to the command line
3) If the script is using clamd, add a line that says "ScanMail no" in your 
clamd.conf
4) These will still scan the mailbox files, but will not try to parse messages.

Option C) Change the code
1) Patch the code and run your own build
2) Change line 116 in libclamav/tnef.c from "cli_warnmsg" to "cli_dbgmsg"
to downgrade the message and quiet the warning

Option D) Change the script to change how you handle all ClamAV warnings or 
just this particular warning.

Hope this helps,

Dave R.

--
---
Dave Raynor
Sourcefire Vulnerability Research Team
dray...@sourcefire.com
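
One way to implement Option D from the reply above, as an added example (it is not the autoclam-hourly script and not ClamAV project code): filter the scan output so that only the one reviewed warning is dropped, while detections, scan errors and any unfamiliar LibClamAV message still reach the mailbox. The names filter_scan_output and KNOWN_WARNINGS are hypothetical, and it assumes the wrapper mails whatever output remains.

```bash
#!/usr/bin/env bash
# Added example: allowlist filter for a scheduled clamscan wrapper.
# Assumed usage inside the wrapper (path is a placeholder):
#   clamscan -r /path/to/scan 2>&1 | filter_scan_output

# Warnings that were reviewed and accepted as noise, one per line.
# Matching is exact and whole-line, so a new or changed warning still surfaces.
KNOWN_WARNINGS='LibClamAV Warning: cli_tnef: file truncated, returning CLEAN'

# Reads combined clamscan stdout+stderr on stdin and prints only:
#   - detections           ("<path>: <signature> FOUND")
#   - per-file scan errors ("<path>: <reason> ERROR")
#   - LibClamAV warnings/errors that are NOT in KNOWN_WARNINGS
# A suppression count is appended only when something else is reported,
# so a run that produced nothing but known warnings stays silent.
filter_scan_output() {
    local line suppressed=0 reported=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "LibClamAV Warning: "*|"LibClamAV Error: "*)
                if printf '%s\n' "$KNOWN_WARNINGS" | grep -Fxq -- "$line"; then
                    suppressed=$((suppressed + 1))
                    continue
                fi
                ;;
            *" FOUND"|*" ERROR")
                ;;                      # always report these
            *)
                continue                # OK lines, summary, blank lines
                ;;
        esac
        printf '%s\n' "$line"
        reported=$((reported + 1))
    done
    if [ "$reported" -gt 0 ] && [ "$suppressed" -gt 0 ]; then
        printf 'Suppressed known warnings: %d\n' "$suppressed"
    fi
    return 0
}
```

Unlike --scan-mail=no, this keeps mail parsing enabled and only changes what is reported.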