I've just had a virus delivered to my inbox, which is quite concerning as it's passed through the qmail/scanner/clamav server. When I check the logs, they reveal something worrying:

Wed, 21 Jan 2004 14:55:48 +0000:31954: d_m: unpacking message took 0.300488 seconds
Wed, 21 Jan 2004 14:55:48 +0000:31954: unsetting QMAILQUEUE env var
Wed, 21 Jan 2004 14:55:48 +0000:31954: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]"
Wed, 21 Jan 2004 14:55:48 +0000:31954: from="Microsoft Corporation Customer Support" <[EMAIL PROTECTED]>,subj=Last Internet Critical Upgrade, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via smtp from 195.67.199.133
Wed, 21 Jan 2004 14:55:48 +0000:31954: ini_sc: start scanning
Wed, 21 Jan 2004 14:55:48 +0000:31954: ini_sc: recursively scan the directory /var/spool/qmailscan/mailscan107469694845631954/
Wed, 21 Jan 2004 14:55:48 +0000:31954: scanloop: starting scan of directory "/var/spool/qmailscan/mailscan107469694845631954"...
Wed, 21 Jan 2004 14:55:48 +0000:31954: scanloop: scanner=clamuko_scanner,plain_text_msg=0
Wed, 21 Jan 2004 14:55:48 +0000:31954: clamuko: starting scan of directory "/var/spool/qmailscan/mailscan107469694845631954"...
Wed, 21 Jan 2004 14:55:48 +0000:31954: run /usr/local/bin/clamdscan -r --disable-summary --max-recursion=10 --max-space=1000000 /var/spool/qmailscan/mailscan107469694845631954 2>&1
Wed, 21 Jan 2004 14:55:48 +0000:31954: --output of clamuko was:
Session(0): Time out ERROR


To me, that looks like clamav has timed out, and qmail-scanner has let the message through unchecked. Admittedly it is a slow machine (p-pro 200) and it's due to be replaced within a week, but I assume the same situation could arise on a heavily loaded but better spec'd machine. Would it not be more secure for the message to be re-scanned in the event of clamav timing out?

I don't know whether I should be sending this message to this list, or the clamav people, but I guess it's down to qmail-scanner to deal with timeouts better than just giving up.



_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
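
Added example, not part of the original post and not qmail-scanner's own code: a fail-closed verdict for scanner output like the "Time out ERROR" line in the log above, so an incomplete scan defers the message for a later retry instead of delivering it. The function and constant names and the sample strings are assumptions made here; the clamdscan exit statuses (0 clean, 1 virus found, 2 error) and the qmail-queue exit codes 31 and 71 are the documented ones.

```python
import re

# qmail-queue exit codes: 0 accepts the message, 31 refuses it permanently,
# 71 refuses it temporarily (the sending server keeps it queued and retries).
ACCEPT, REJECT, DEFER = 0, 31, 71

# clamdscan usually reports a hit as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND\s*$", re.M)
# Any ERROR text means the scan did not complete, e.g. the
# "Session(0): Time out ERROR" line from the log above.
ERROR_RE = re.compile(r"\bERROR\b")

# Sample scanner outputs. The first is the line from the log; the second is
# constructed for this example (path and signature name are made up).
SAMPLE_TIMEOUT = "Session(0): Time out ERROR\n"
SAMPLE_INFECTED = "/var/spool/qmailscan/example/update.exe: Constructed.Test.Sig FOUND\n"


def verdict(exit_status, output):
    """Map one clamdscan run to a qmail-queue exit code, failing closed.

    Only an explicit clean result (status 0 and no ERROR text) is accepted.
    A detection is rejected. Every other outcome defers the message, so the
    sender retries and the message is scanned again on the next attempt.
    """
    hits = FOUND_RE.findall(output)
    if hits:
        return REJECT, "infected: " + ", ".join(sig for _, sig in hits)
    if ERROR_RE.search(output):
        return DEFER, "scanner error: " + output.strip().splitlines()[-1]
    if exit_status == 0:
        return ACCEPT, "clean"
    return DEFER, "scanner exited with status %d" % exit_status


if __name__ == "__main__":
    cases = [(0, ""), (1, SAMPLE_INFECTED), (2, SAMPLE_TIMEOUT), (0, SAMPLE_TIMEOUT)]
    for status, text in cases:
        code, reason = verdict(status, text)
        print("clamdscan status=%d -> qmail-queue exit %d (%s)" % (status, code, reason))
```

The last case is the one that matters for the log above: the ERROR text alone is enough to defer, whatever exit status the scanner process returned.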
