[Maia-users] virus scan fails when it shouldn't

Greg Woods woods at ucar.edu
Mon Aug 6 14:18:29 PDT 2007


I am running Maia 1.0.1 using ClamAV as the scanner. What I am seeing is
that some phishing spams that should be caught are making it through.
This first came to my attention when one of our divisions reported that
their mail server has been catching some of these (they use the
SpamAssassin plugin to run ClamAV rather than amavisd). If I take one of
these messages, save it to a file, and run clamscan on it, it does find
it to be infected with "Email.Phishing.RB-1217", so I can be fairly sure
this isn't a freshclam or database problem. As usual, the first step is
to turn amavisd logging up to max verbosity. Here are what I think are
the relevant lines (I can send the entire mess on request):

Aug  6 14:23:18 nscan1 amavis[7177]: (07177-01) WARN: all primary virus
scanners failed, considering backups
Aug  6 14:23:18 nscan1 amavis[7177]: (07177-01) Using
(ClamAV-clamscan): /usr/bin/clamscan --stdout --disable-summary -r
--tempdir=/var/amavis/tmp /var/amavis/tmp/amavis-20070806T142318-07177/parts
Aug  6 14:23:18 nscan1 amavis[7177]: (07177-01) run_command:
[7192] /usr/bin/clamscan --stdout --disable-summary -r
--tempdir=/var/amavis/tmp /var/amavis/tmp/amavis-20070806T142318-07177/parts </dev/null 2>&1
Aug  6 14:23:19 nscan1 amavis[7177]: (07177-01)
run_av: /usr/bin/clamscan exit 0
, /var/amavis/tmp/amavis-20070806T142318-07177/parts/p001: OK
Aug  6 14:23:19 nscan1 amavis[7177]: (07177-01) run_av
(ClamAV-clamscan): clean

and, since I have used a test alias that has no spam filtering enabled:

Aug  6 14:23:19 nscan1 amavis[7177]: (07177-01) Passed CLEAN,
[128.117.10.112] [128.117.32.211] <woods at ucar.edu> -> <testit at ucar.edu>,
Message-ID: <002e01c7d733$18ee8fe0$209e9c81 at ytyr.zdhsc>,
Resent-Message-ID: <Pine.LNX.4.64.0708061053570.29052 at acd.ucar.edu>,
Hits: -, 1311 ms


Now, if I go look in the temp directory for this run, I see:

[root at nscan1 amavis-20070806T142318-07177]# ls -R
.:
email.txt  parts

./parts:
[root at nscan1 amavis-20070806T142318-07177]# 

There's nothing in the parts directory. If I run clamscan on the
email.txt file, it does find the phishing "virus":

[root at nscan1 amavis-20070806T142318-07177]# clamscan email.txt
email.txt: Email.Phishing.RB-1217 FOUND

Why does the scanner work when run independently, but fail when run out
of amavisd? Shouldn't the email.txt file also be scanned? Why isn't it
(the logs appear to show that it is not?)

The initial WARN in the logs only occurs if I comment out the definition
of 'ClamAV-clamd' in amavisd.conf and uncomment 'Mail::ClamAV' instead
(probably don't have that perl module installed). If I leave it with the
clamd scanner defined, the result looks like:

Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) Using ClamAV-clamd:
(built-in interface)
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) ask_av (ClamAV-clamd):
query template1: CONTSCAN {}\n
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) Using (ClamAV-clamd) on
dir: CONTSCAN /var/amavis/tmp/amavis-20070806T140753-06161/parts\n
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) ClamAV-clamd: Connecting
to socket  /var/run/clamav/clamd
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) ClamAV-clamd: Sending
CONTSCAN /
var/amavis/tmp/amavis-20070806T140753-06161/parts\n to UNIX
socket /var/run/clamav/clamd
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) ask_av (ClamAV-clamd)
result: /var/amavis/tmp/amavis-20070806T140753-06161/parts: OK\n

It still passes the message and doesn't scan email.txt.

Any ideas what is happening here or what else I can do to debug this?

Thanks,
--Greg
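Added example, not part of Greg's post or of the Maia/amavisd code: a small audit script that groups amavisd debug lines by task id and flags CLEAN verdicts that rest on a backup scanner or on a scan of an empty parts directory, the two conditions visible in the logs above. The log lines and the per-directory file counts are constructed from the post; the function names are my own.

```python
import re
from collections import defaultdict
# Constructed sample, condensed from the amavisd debug lines quoted in the post.
SAMPLE_LOG = r"""
Aug  6 14:23:18 nscan1 amavis[7177]: (07177-01) WARN: all primary virus scanners failed, considering backups
Aug  6 14:23:18 nscan1 amavis[7177]: (07177-01) Using (ClamAV-clamscan): /usr/bin/clamscan --stdout --disable-summary -r --tempdir=/var/amavis/tmp /var/amavis/tmp/amavis-20070806T142318-07177/parts
Aug  6 14:23:19 nscan1 amavis[7177]: (07177-01) Passed CLEAN, [128.117.10.112] [128.117.32.211] <woods@ucar.edu> -> <testit@ucar.edu>, Hits: -, 1311 ms
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) Using (ClamAV-clamd) on dir: CONTSCAN /var/amavis/tmp/amavis-20070806T140753-06161/parts\n
Aug  6 14:07:53 nscan1 amavis[6161]: (06161-01) Passed CLEAN, [128.117.10.112] [128.117.32.211] <a@example.org> -> <b@example.org>, Hits: -, 900 ms
"""
# Constructed: number of files `ls` showed in each task's parts dir (both empty, as in the post).
SAMPLE_PARTS_COUNT = {"/var/amavis/tmp/amavis-20070806T142318-07177/parts": 0,
                      "/var/amavis/tmp/amavis-20070806T140753-06161/parts": 0}

TASK_RE = re.compile(r"amavis\[\d+\]: \((?P<task>[\d-]+)\) (?P<msg>.*)$")
SCANNER_RE = re.compile(r"^Using \(?([\w-]+)\)?")   # "Using (ClamAV-clamscan):" or "Using ClamAV-clamd:"
DIR_RE = re.compile(r"(/\S+/parts)")                 # the directory amavisd handed to the scanner

def parse_amavis_log(text):
    """Group debug lines by amavisd task id and keep the scanner facts a verdict rests on."""
    tasks = defaultdict(lambda: {"primary_failed": False, "scanners": [],
                                 "scanned_dirs": set(), "verdict": None})
    for line in text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        t, msg = tasks[m.group("task")], m.group("msg")
        s = SCANNER_RE.match(msg)
        if msg.startswith("WARN: all primary virus scanners failed"):
            t["primary_failed"] = True
        elif s:
            if s.group(1) not in t["scanners"]:
                t["scanners"].append(s.group(1))
            for d in DIR_RE.findall(msg):
                t["scanned_dirs"].add(d)
        elif msg.startswith(("Passed ", "Blocked ")):
            t["verdict"] = msg.split(",", 1)[0]        # e.g. "Passed CLEAN"
    return dict(tasks)

def audit(tasks, parts_count):
    """Flag CLEAN verdicts that rest on a fallback scanner or on scanning an empty parts directory."""
    findings = []
    for task_id, t in sorted(tasks.items()):
        if t["primary_failed"]:
            findings.append((task_id, "primary scanners failed; verdict came from backup " + ",".join(t["scanners"])))
        if t["verdict"] == "Passed CLEAN":
            for d in sorted(t["scanned_dirs"]):
                if parts_count.get(d, 0) == 0:
                    findings.append((task_id, f"passed CLEAN but {d} held no files, so nothing was scanned"))
    return findings
```

Feed it the real amavisd log at the same debug level plus a file count from `ls` of each temp directory, and every task whose CLEAN verdict was decided on an empty scan shows up in the findings.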