New Server on RH8.0

Rick Stevens rstevens at vitalstream.com
Sat May 15 00:53:34 UTC 2004


Karl Perason wrote:
> <quote who="Rick Stevens">
> 
>>1.3?  ClamAV's current release is 0.70.  That being said, if you're
>>running clamd and scanning via clamav-milter, yes.  Any incoming stuff
>>is run through clamAV if you're using that.  As for RPMs, I dunno.  I
>>don't use them myself as they typically lag behind the releases too
>>much.  I'm a tarball-build-install kind of guy.
> 
> 
> Duh. 0.65-4 currently. I've been an rpm guy so I can see what's there by
> doing rpm -qa|grep whatever
> 
> I'll get the .70 so I can install milter and have it run stdin for email
> scanning. Is there a better option out there?

Whoa!  milter ties into sendmail directly--there's no stdin scanning
involved.

Anything going through sendmail gets filtered.  clamd runs in the
background listening on a named pipe (or socket, you choose).  Sendmail
feeds the messages as they come in through clamav-milter.  For most
sections, it does nothing.  For the data section, clamav-milter sends
the data to clamd for scanning.  clamd returns back a code indicating
good or bad.  If bad, you can have it bounce or toss the message (I opt
for toss--why bounce a Bagel worm when you know the sender address is
bogus?).

>>Remember that an "mbox" is one file.  clamscan doesn't pull it apart,
>>purge the infection and put it back together--it deletes the _file_
>>(which happens to be "mbox").  For the "--remove" to only delete the
>>infected message, you need to be scanning a MailDir-style mail account.
> 
> 
> Drat. That's what I'd do. It's really not that hard:
> 
> Parse the file, find the virus, reverse to the previous "From " and delete
> that line until the next "From " is found. done.

Yes, but that's not what it does.  It doesn't know that the file is a
collection of messages.  It just deletes the file containing the virus.
Unfortunately, that's your entire inbox.

If you want to add mbox-filtering capability to it, I'm sure the clamav
folk would LOVE to have your patches, if there aren't some already
(check the "contrib" directory of the tarball).

> 
> 
>>Note that ClamAV 0.70 no longer has clamscan.  It has clamdscan, which
>>is a client for clamd.  It doesn't support the "--mbox" option.  You
>>must have "ScanMail" option set in clamd.conf for that to work.
> 
> 
> Interestingly enough, clamav.conf HAS ScanMail as an option to set for
> this version. Of course it doesn't do anything. It's also got an email
> notify option, which doesn't seem to work either. I have viruses on my
> mail server and know right where they are, but nothing gets reported...
> I'm pretty sure I just need to set things up right. I'm pretty new to this
> thing still, so should have it figured out soon enough.

I'm not sure what ScanMail does in clamd.conf under 0.65.  Since I use
clamav-milter on sendmail, I really don't care as the stuff is cleaned
out on the fly.  "Message coming in...hey! It's a worm!  Toss it."
There's no need to rescan mailboxes.

> Thanks Rick. Glad to see you are still on the list.

I'm an assistant sysop, no less!  I'm like that piece of gum on the
bottom of your shoe.  No matter how hard you try, bits of me stick!
;-)
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-   Never test for an error condition you don't know how to handle.  -
----------------------------------------------------------------------
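
The mbox point discussed above, as an added example that is not part of the original post and is not ClamAV code: it removes only the flagged message from an mbox file using Python's standard `mailbox` module instead of deleting the whole file. The names `MARKER`, `marker_scan`, `purge_mbox` and `build_sample` are hypothetical, and the marker check is a constructed stand-in for a real scanner verdict such as one returned by clamd.

```python
import mailbox

# Constructed stand-in for a scanner verdict; a real setup would ask clamd instead.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE"

def marker_scan(raw: bytes) -> bool:
    """Hypothetical scanner: True when the message bytes contain MARKER."""
    return MARKER in raw

def purge_mbox(path, is_infected=marker_scan):
    """Delete only flagged messages from an mbox; return their subjects."""
    box = mailbox.mbox(path, create=False)
    removed = []
    box.lock()  # keep the delivery agent from appending mid-rewrite
    try:
        for key in list(box.keys()):
            if is_infected(box.get_bytes(key)):
                removed.append(box[key].get("Subject", ""))
                box.remove(key)
        box.flush()  # rewrite the file without the removed messages
    finally:
        box.close()  # also releases the lock
    return removed

def build_sample(path):
    """Write a constructed three-message mbox, one message carrying MARKER."""
    box = mailbox.mbox(path)
    for subject, body in [("hello", "plain text"),
                          ("invoice", "see attachment " + MARKER.decode()),
                          ("lunch", "noon?")]:
        msg = mailbox.mboxMessage()
        msg["From"] = "sender@example.com"
        msg["Subject"] = subject
        msg.set_payload(body + "\n")
        box.add(msg)
    box.close()

if __name__ == "__main__":
    import os, tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "inbox")
        build_sample(path)
        print("removed:", purge_mbox(path))
        print("kept:", [m["Subject"] for m in mailbox.mbox(path)])
```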




