Hi All,
My qmail-scanner is working but it cannot capture viruses (even it is EICAR
virus test file). Here is my "very standard" quarantine-attachments.txt
(same as quarantine-attachments.db). My ClamAV version 0.67 has the most
updated database.
I used option below to configure the qmail-scanner:
./configure --admin myname --domain mydomain.com --scanners
clamscan --notify "sender" --unzip yes
Please tell me what I did the mistake. Your answer is very appreciated.
Thx & Rgds,
Awie
# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited.
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# Format: three columns
#
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
#
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
#
# [this one allows you to match on (e.g.) Subject line.
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe 0 Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files...
#
# .mp3 0 MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No you can't use this to ban any file (i.e. *.*) that's over
# a certain size - you should
# "echo 10000000 > /var/qmail/control/databytes"
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow
# you to block Email viruses when you don't know anything else other than
# there's a wierd Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a case-sensitive, REGEX string, and the system will
# automatically surround it with ^ and $ before matching. i.e. if you
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast Virus-Subject: Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and
# not "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
# Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
#
# e.g.
#
# [EMAIL PROTECTED] Virus-MAILFROM: Bad mail envelope not allowed here!
#
# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
# actions against the IP address of the SMTP client.
#
EICAR.COM 69 EICAR Test Virus
Happy99.exe 10000 Happy99 Trojan
zipped_files.exe 120495 W32/ExploreZip.worm.pak virus
ILOVEYOU Virus-Subject: Love Letter Virus/Trojan
message/partial.* Virus-Content-Type: Message/partial MIME
attachments blocked by policy
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,} Virus-Date: MIME Header Buffer Overflow
.{100,} Virus-Mime-Version: MIME Header Buffer Overflow
.{100,} Virus-Resent-Date: MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Virus-To: BadTrans Trojan exploit!
#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
.vbs 0 VBS files not allowed per Company security policy
.lnk 0 LNK files not allowed per Company security policy
.scr 0 SCR files not allowed per Company security policy
.wsh 0 WSH files not allowed per Company security policy
.hta 0 HTA files not allowed per Company security policy
.pif 0 PIF files not allowed per Company security policy
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after
# this file is modified
# ******
#
# EOF
