procmail

More fun with clamav (was Re: tips on writing /etc/procmailrc so that it can be run as 'root' or as a user?)

2004-02-24 21:03:25
Dallman Ross wrote:
[...]
Now that I have an actual working copy of clamscan (as of a few
hours ago we got it to compile right on NetBSD), I am not so
sure that actually works.

Mea culpa on this one, but it seems my testing methodology is
flawed. Short answer: I started this discussion on the
spamassassin list, moved it here as we got into details on
procmail, and now find that there are some clamav-specific
questions I need to ask... on THAT list. I'll summarize here if I
get detailed answers. clamav CAN work with procmail, but there are
some gotchas. Much of the work spent trying to "optimize" it by
avoiding external shell and perl scripts may have led to other
problems. ROLLING YOUR OWN SOLUTION REQUIRES CAREFUL CRAFTING AND
TESTING.

The long answer:

I'd tested as follows:

1. I had versions of infected messages saved off on disk
(msg.YnDD).
2. I verified clamdscan found the infected content:

# clamdscan msg.YnDD
/home/spamd/test.virus/msg.YnDD: Worm.Gibe.F FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.012 sec (0 m 0 s)

3. I re-sent the message to my test account:

# procmail -d bobg < msg.YnDD

4. I verified that the procmailrc caught and filed the infected
message appropriately:

X-Virus-Status: Yes, Worm.Gibe.F FOUND

Yet based on Dallman's last message, I did more testing with the
infected executable:

# clamdscan Q952162.exe
/home/spamd/test.virus/Q952162.exe: Worm.Gibe.F FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.087 sec (0 m 0 s)

# mime-construct --subject "test message" --to bobg(_at_)ttlexceeded(_dot_)com \
    --prelude "This is a test message." \
    --encoding "8bit" --type "text/plain" --file prelude.txt \
    --encoding "base64" --type "application/x-msdownload" --file Q952162.exe

# echo "Testing clamdscan" | mutt -s "Testing vscan" -a Q952162.exe bobg

Both result in: X-Virus-Status: No

Yes, it doesn't give error messages, but does it really ID viruses?

Interestingly enough, after I finally got things (seemingly)
working, I didn't get any more infected messages so can't say for
sure how it'd react "in the wild." I DO actually have a 2nd layer
of protection (anomy sanitizer) as well as desktop (Windows) AV
software.

So far on mailed copies of the virus I can't get clamscan to
poz-id just a body, because the MIME stuff is still there.

  % sed '1,/^$/d' netsky | clamscan --disable-summary -
  stdin: OK


Compare:

  % cat netsky | clamscan --mbox --disable-summary -
  /var/tmp//b0a202c66c91ce8c/topseller.zip23664a: Worm.SomeFool FOUND

In examining the headers from the ORIGINAL infected message, I
see:

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="wwjtpnewvjajkb"

In my hand-crafted variants, I see:

(from mutt):
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="dDRMvlgZJXvWKvBx"
Content-Disposition: inline

(from mime-construct):
MIME-Version: 1.0 (mime-construct 1.8)
Content-Type: multipart/mixed; boundary=courtesan
Content-Transfer-Encoding: 8bit

Given my admittedly weak understanding of MIME-encoding details,
perhaps there's something significant in the headers of "crafted"
messages that's missing in "wild" infected versions?

In any case, it's now clear to me that:

1. While clamav and procmail are both powerful tools, a clear
understanding of both for things like stopping viruses is
essential.

2. In the pursuit to "optimize performance" (see my long-winded
previous posts on variations of calling clamdscan), one mustn't
forget to cover one's butt. Sometimes safe is better than fast.

3. A tool designed specifically to facilitate scanners and the
like (such as anomy sanitizer) takes a LOT of the headaches out of
this process, at the penalty of performance. I was actually in the
process of testing sanitizer (with good results, but PLEASE don't
trust me!) when Dallman's message arrived this evening.

The "best" tool will depend on the performance/reliability
tradeoffs that are acceptable.

Sorry for any false-starts! Any kicks in the pants pointing out
where I went wrong are most appreciated.

(Yes, I know that was a useless cat.)

I'll avoid the cat jokes and pet my dog instead.

- Bob
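The point of Dallman's two clamscan runs (stripping headers with sed versus `--mbox`) is that a base64-encoded attachment never contains the scanner's byte pattern until the MIME part is decoded. The following is an added illustration, not code from this thread or from clamav: it builds a constructed multipart message, uses a made-up byte pattern as a stand-in signature, and contrasts a raw-body scan with a MIME-aware scan that decodes each part before matching. The pattern name, the address and the `X-Virus-Status` wording are assumptions for the demo.

```python
# Added example (not from the original post): why scanning a raw mail body
# misses a base64-encoded attachment, and how decoding the MIME parts finds it.
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for a scanner signature database: a harmless byte
# pattern that our toy "scanner" looks for in decoded content.
SIGNATURES = {b"FAKE-TEST-PATTERN-0001": "Test.Pattern.Constructed"}


def scan_bytes(data: bytes):
    """Minimal stand-in for clamscan: return the signature name on a match."""
    for pattern, name in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def build_test_message() -> bytes:
    """Construct a multipart message carrying the pattern as a base64 attachment."""
    msg = MIMEMultipart("mixed")
    msg["Subject"] = "test message"
    msg["To"] = "bobg@example.invalid"  # placeholder address
    msg.attach(MIMEText("This is a test message.\n", "plain"))
    payload = b"MZ" + b"\x00" * 16 + b"FAKE-TEST-PATTERN-0001" + b"\x00" * 8
    part = MIMEApplication(payload, "x-msdownload")  # base64 by default
    part.add_header("Content-Disposition", "attachment", filename="sample.exe")
    msg.attach(part)
    return msg.as_bytes()


def scan_raw_body(raw: bytes):
    """Like `sed '1,/^$/d' msg | clamscan -`: headers dropped, body left encoded."""
    body = raw.split(b"\n\n", 1)[1]
    return scan_bytes(body)


def scan_mime_parts(raw: bytes):
    """Like `clamscan --mbox`: walk the parts, undo the transfer encoding, scan each."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        hit = scan_bytes(part.get_payload(decode=True) or b"")
        if hit:
            return hit
    return None


def virus_status_header(raw: bytes) -> str:
    """Header a procmail recipe might add, in the form the post above shows."""
    hit = scan_mime_parts(raw)
    return f"X-Virus-Status: Yes, {hit} FOUND" if hit else "X-Virus-Status: No"
```

The raw-body scan returns no match because the pattern only exists inside the base64 text, while the part-by-part scan decodes the attachment and matches it.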


_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
