>>>
> On Wed, 2 Dec 2020, Joe Acquisto-j4 wrote:
>
>> Hacking away, seem to have it working?, Using CLAMAVPlugin. At least mail
>> does not appear "broken".
>>
>> But EICAR is not detected. I "think" it is being scanned as I see this:
>>
>> *********************************
>> X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on auxilary
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.0 required=5.0 tests=BAYES_00,FREEMAIL_FROM,
>> HTML_MESSAGE,SPOOFED_FREEMAIL_NO_RDNS,TVD_SPACE_RATIO autolearn=no
>> autolearn_force=no version=3.4.2
>> X-Spam-Virus: _CLAMAVRESULT
>> X-Spam-Report:
>> * -1.5 BAYES_00 BODY: Bayes spam probability is 0 to 1%
>> * [score: 0.0000]
>> * 1.0 FREEMAIL_FROM Sender email is commonly abused enduser mail
>> * provider (joe.acquisto[at]gmail.com)
>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>> * 0.0 TVD_SPACE_RATIO No description available.
>> * 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
>> *************************
>>
>> Is that proof it is being scanned and the non detection issue lies
> elsewhere?
>>
>> joe a.
>
> What, specifically, is the config you're using to invoke CLAMAVPlugin?
I followed using some guess work, the blurb I found on the spamassassin site
where I found CLAMVPlugin. Not reall clear for a slowing noob.
I had to look up how to compile the required perl package, which went without
fuss, copied and pasted the "config" files noted, only adding read rights (for
root)
as something complained about no access and edited the "socket" path to what
CLAMD claims it uses.
And restarted spamd and clamd. That's it.
> You need to have at least two things set up in your spamassassin config
> files:
> 1) load the plugin in a "v*.pre"
> 2) invoke the check_clamav() procedure
>
> EG:
> in v320.pre
>
> # AntiVirus - some simple anti-virus checks, this is not a replacement
> # for an anti-virus filter like Clam AntiVirus
> #
> #loadplugin Mail::SpamAssassin::Plugin::AntiVirus
> #
> loadplugin ClamAV /usr/local/etc/mail/spamassassin/plugins/clamav.pm
>
> Note that line depends on the path to where you've installed the plugin
>
> In a ".cf" rules file (I call mine clamav.cf ):
>
> #
> # config file for using the ClamAV plugin "clamav.pm"
> #
> full L_CLAMAV eval:check_clamav()
> describe L_CLAMAV Clam AntiVirus detected a virus
> score L_CLAMAV 5
> #
> header T__MY_CLAMAV X-Spam-Virus =~ /Yes/i
> header T__MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> #
>
>
I was wondering at how the "magic" happened. Found this in v.310.pre,
no other references to clam found in the pre files or local.cf.:
# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
# AWL - do auto-whitelist checks
#
#loadplugin Mail::SpamAssassin::Plugin::AWL
# AntiVirus - some simple anti-virus checks, this is not a replacement
# for an anti-virus filter like Clam AntiVirus
#
#loadplugin Mail::SpamAssassin::Plugin::AntiVirus
# AWL - do auto-whitelist checks
#
#loadplugin Mail::SpamAssassin::Plugin::AWL
