Posted to users@spamassassin.apache.org by Wolfgang Zeikat <wo...@desy.de> on 2007/07/24 15:00:02 UTC

Problem with clamav plugin

In SA 3.1.8, I am trying to use the clamav plugin from 
http://wiki.apache.org/spamassassin/ClamAVPlugin

spamassassin -t -D output includes
dbg: ClamAV: Detected virus: Email.Stk.Gen596.Sanesecurity.07071900.pdf

It adds a header
X-Spam-Virus: Yes (Email.Stk.Gen596.Sanesecurity.07071900.pdf)
all right, but additional rules to check for Sanesecurity "virus" names 
are not matched.

Rules:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5

Any suggestions what is going wrong?

Regards,

wolfgang



Re: Problem with clamav plugin

Posted by Wolfgang Zeikat <wo...@desy.de>.

On 07/24/07 15:43, OliverScott wrote:
> You need to set a high priority for the meta rules as otherwise they are
> evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in
> how SA works, but I eventually came up with the following solution (for
> using several different 3rd party clamav signatures):
> 

> In your case you could fix what you have done (which looks to be taken from
> one of my previous messages while trying to get this to work myself?) by
> making it:
> 
> header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
> priority __MY_CLAMAV 9999
> header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
> priority __MY_CLAMAV_SANE 9999
> meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE) 
> score MY_CLAMAV_SANE 5 

(typo fixed)

> 
> 
> Hope this helps!

Yes, it does! Thanks a lot,

wolfgang


Re: Problem with clamav plugin

Posted by Mandy <me...@gmail.com>.
On 7/24/07, OliverScott <ol...@fhsinternet.com> wrote:
>
>
> You need to set a high priority for the meta rules as otherwise they are
> evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert
> in
> how SA works, but I eventually came up with the following solution (for
> using several different 3rd party clamav signatures):
>
> This is my clamav.cf file:
>
> loadplugin ClamAV clamav.pm
> full CLAMAV eval:check_clamav()
> describe CLAMAV Clam AntiVirus detected something...
> score CLAMAV 0.001
>
> # Look for specific types of ClamAV detections
> header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
> header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
> header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
> header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/

[snip]


While playing with this, I found that I needed to change my rules a little.
Some of the Sanesecurity sigs were being picked up as viruses, due to the
"Sanesecurity" string being 22 (or so) characters away from the Yes at the
start of the X-Spam-Virus header.

header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,30}Phishing/i
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,30}Sanesecurity/i
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,30}MBL/
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,30}MSRBL/

Thanks for your work on this, and hopefully this reduces false positives for
some folks.

RE: Re: Problem with clamav plugin

Posted by Jeroen Tebbens <je...@tebbens.net>.
You place the databases in the /var/lib/clamav (same default dir as the 
standard databases for clamav). Reload clamav or wait till freshclam kicks 
in.

/Jeroen


On Tue, 31 Jul 2007, Sujit Acharyya-Choudhury wrote:

>
> Thanks for the reply.  How do you configure the databases downloaded from Sanesecurity for use with spamassassin?
>
> Many thanks
>
> Sujit
>
> -----Original Message-----
> From: news [mailto:news@sea.gmane.org] On Behalf Of René Berber
> Sent: 30 July 2007 20:04
> To: users@spamassassin.apache.org
> Subject: Re: Problem with clamav plugin
>
> Sujit Acharyya-Choudhury wrote:
>
>> I am using clamav as our virus scanner on our mail gateway (exim).
>> This seems to discard a lot of e-mails.  Is there any benefit of using
>> clamav for spamassassin from Sanesecurity?
>
> There's no such thing.
>
> If you meant the plugin, the answer is no; Exim will stop anything detected as virus and the plugin will never receive one (it just wastes time).
>
> If you meant using the databases from Sanesecurity, the answer is yes.  They add spam and additional phishing detection that clamd uses.
> --
> René Berber
>
>
>

RE: Re: Problem with clamav plugin

Posted by Sujit Acharyya-Choudhury <S....@westminster.ac.uk>.
Thanks for the reply.  How do you configure the databases downloaded from Sanesecurity for use with spamassassin?

Many thanks

Sujit

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of René Berber
Sent: 30 July 2007 20:04
To: users@spamassassin.apache.org
Subject: Re: Problem with clamav plugin

Sujit Acharyya-Choudhury wrote:

> I am using clamav as our virus scanner on our mail gateway (exim).  
> This seems to discard a lot of e-mails.  Is there any benefit of using 
> clamav for spamassassin from Sanesecurity?

There's no such thing.

If you meant the plugin, the answer is no; Exim will stop anything detected as virus and the plugin will never receive one (it just wastes time).

If you meant using the databases from Sanesecurity, the answer is yes.  They add spam and additional phishing detection that clamd uses.
--
René Berber


Re: Problem with clamav plugin

Posted by René Berber <r....@computer.org>.
Sujit Acharyya-Choudhury wrote:

> I am using clamav as our virus scanner on our mail gateway (exim).  This
> seems to discard a lot of e-mails.  Is there any benefit of using clamav
> for spamassassin from Sanesecurity?

There's no such thing.

If you meant the plugin, the answer is no; Exim will stop anything detected as
virus and the plugin will never receive one (it just wastes time).

If you meant using the databases from Sanesecurity, the answer is yes.  They add
spam and additional phishing detection that clamd uses.
-- 
René Berber


RE: Problem with clamav plugin

Posted by Sujit Acharyya-Choudhury <S....@westminster.ac.uk>.
I am using clamav as our virus scanner on our mail gateway (exim).  This
seems to discard a lot of e-mails.  Is there any benefit of using clamav
for spamassassin from Sanesecurity?

Regards

Sujit  

-----Original Message-----
From: OliverScott [mailto:oliver@fhsinternet.com] 
Sent: 24 July 2007 14:44
To: users@spamassassin.apache.org
Subject: Re: Problem with clamav plugin


You need to set a high priority for the meta rules as otherwise they are
evaluated BEFORE the ClamAV plugin is used (I think?). I am not an
expert in
how SA works, but I eventually came up with the following solution (for
using several different 3rd party clamav signatures):

This is my clamav.cf file:

loadplugin ClamAV clamav.pm 
full CLAMAV eval:check_clamav() 
describe CLAMAV Clam AntiVirus detected something... 
score CLAMAV 0.001 

# Look for specific types of ClamAV detections 
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i 
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i 
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/ 
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/ 

# Give the above rules a very late priority so that they can see the output
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH 9999 
priority __CLAMAV_SANE 9999 
priority __CLAMAV_MBL 9999 
priority __CLAMAV_MSRBL 9999 

# Work out what ClamAV detected and score accordingly 
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures 
score CLAMAV_VIRUS 20.0 

meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE) 
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures 
score CLAMAV_PHISH 10.0 

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE) 
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures 
score CLAMAV_SANE 7.5 

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL) 
describe CLAMAV_MBL Malware found by ClamAV MBL signatures 
score CLAMAV_MBL 7.5 

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL) 
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0 



In your case you could fix what you have done (which looks to be taken from
one of my previous messages while trying to get this to work myself?) by
making it:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9999
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9999
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5


Hope this helps!
-- 
View this message in context:
http://www.nabble.com/Problem-with-clamav-plugin-tf4135813.html#a11763227
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.


Re: Problem with clamav plugin

Posted by Wolfgang Zeikat <wo...@desy.de>.

On 07/24/07 15:43, OliverScott wrote:

> full CLAMAV eval:check_clamav() 
> describe CLAMAV Clam AntiVirus detected something... 
> score CLAMAV 0.001 

If you don't want CLAMAV to score (high), apparently you can rename it 
to __CLAMAV, works fine here.

To make the meta rule work too, I had to give it a higher priority 
number than the header rules, so that my working clamav.cf is now:

loadplugin ClamAV /etc/mail/spamassassin/clamav.pm
full __CLAMAV eval:check_clamav()
describe __CLAMAV Clam AntiVirus detected a virus

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9998

header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9998

meta MY_CLAMAV_SANE (__CLAMAV && __MY_CLAMAV_SANE)
priority MY_CLAMAV_SANE 9999
score MY_CLAMAV_SANE 5


wolfgang



Re: Problem with clamav plugin

Posted by OliverScott <ol...@fhsinternet.com>.
You need to set a high priority for the meta rules as otherwise they are
evaluated BEFORE the ClamAV plugin is used (I think?). I am not an expert in
how SA works, but I eventually came up with the following solution (for
using several different 3rd party clamav signatures):

This is my clamav.cf file:

loadplugin ClamAV clamav.pm 
full CLAMAV eval:check_clamav() 
describe CLAMAV Clam AntiVirus detected something... 
score CLAMAV 0.001 

# Look for specific types of ClamAV detections 
header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i 
header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i 
header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/ 
header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/ 

# Give the above rules a very late priority so that they can see the output 
# of previous rules - otherwise they don't work! Not sure what the correct
# priority should be but this seems to work...
priority __CLAMAV_PHISH 9999 
priority __CLAMAV_SANE 9999 
priority __CLAMAV_MBL 9999 
priority __CLAMAV_MSRBL 9999 

# Work out what ClamAV detected and score accordingly 
meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL)
describe CLAMAV_VIRUS Virus found by ClamAV default signatures 
score CLAMAV_VIRUS 20.0 

meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE) 
describe CLAMAV_PHISH Phishing email found by ClamAV default signatures 
score CLAMAV_PHISH 10.0 

meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE) 
describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures 
score CLAMAV_SANE 7.5 

meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL) 
describe CLAMAV_MBL Malware found by ClamAV MBL signatures 
score CLAMAV_MBL 7.5 

meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL) 
describe CLAMAV_MSRBL SPAM found by ClamAV MSRBL signatures
score CLAMAV_MSRBL 2.0 



In your case you could fix what you have done (which looks to be taken from
one of my previous messages while trying to get this to work myself?) by
making it:

header __MY_CLAMAV X-Spam-Virus =~ /Yes/i
priority __MY_CLAMAV 9999
header __MY_CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,50}Sanesecurity/i
priority __MY_CLAMAV_SANE 9999
meta MY_CLAMAV_SANE (__MY_CLAMAV && __MY_CLAMAV_SANE)
score MY_CLAMAV_SANE 5


Hope this helps!
-- 
View this message in context: http://www.nabble.com/Problem-with-clamav-plugin-tf4135813.html#a11763227
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
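The following is an added example, not code from this thread, from the ClamAV plugin or from SpamAssassin itself. It re-implements OliverScott's header and meta rules above in Python so that two points made in the thread can be checked offline: how the X-Spam-Virus value is split into the CLAMAV_VIRUS / CLAMAV_PHISH / CLAMAV_SANE / CLAMAV_MBL / CLAMAV_MSRBL buckets, and Mandy's observation that a Sanesecurity signature name can put "Sanesecurity" more than 20 characters after "Yes", so that `.{1,20}` misses it and the message is scored as a virus instead. It assumes the plugin writes a header starting with "Yes (" on a hit (as the header Wolfgang posted shows) and treats that as the `full CLAMAV` rule having fired; the header value Wolfgang posted is used as is, and the other two sample values are constructed.

```python
import re

# Header sub-rules from OliverScott's clamav.cf, with the gap quantifier
# (.{1,20} in the original, .{1,30} after Mandy's change, .{1,50} in
# Wolfgang's rules) as a parameter so the variants can be compared.
def header_rules(max_gap):
    return {
        "__CLAMAV_PHISH": re.compile(r"Yes.{1,%d}Phishing" % max_gap, re.I),
        "__CLAMAV_SANE":  re.compile(r"Yes.{1,%d}Sanesecurity" % max_gap, re.I),
        "__CLAMAV_MBL":   re.compile(r"Yes.{1,%d}MBL" % max_gap),
        "__CLAMAV_MSRBL": re.compile(r"Yes.{1,%d}MSRBL" % max_gap),
    }

# Meta-rule scores exactly as posted in the thread.
SCORES = {
    "CLAMAV_VIRUS": 20.0, "CLAMAV_PHISH": 10.0, "CLAMAV_SANE": 7.5,
    "CLAMAV_MBL": 7.5, "CLAMAV_MSRBL": 2.0,
}

def gap_after_yes(x_spam_virus, marker):
    """Characters between the end of the leading 'Yes' and MARKER: the count
    the .{1,N} quantifier has to cover for the sub-rule to fire."""
    start = x_spam_virus.index("Yes") + len("Yes")
    return x_spam_virus.index(marker) - start

def evaluate(x_spam_virus, max_gap=20):
    """Apply the sub-rules and meta rules to one X-Spam-Virus header value.
    Assumption: the plugin's 'full CLAMAV' rule fired exactly when the header
    starts with 'Yes' (the plugin writes 'Yes (<signature name>)' on a hit).
    Returns (sorted list of firing meta rules, total score)."""
    clamav = x_spam_virus.startswith("Yes")
    sub = {name: bool(rx.search(x_spam_virus))
           for name, rx in header_rules(max_gap).items()}
    meta = {
        # CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL
        "CLAMAV_VIRUS": clamav and not any(sub.values()),
        # CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE
        "CLAMAV_PHISH": clamav and sub["__CLAMAV_PHISH"] and not sub["__CLAMAV_SANE"],
        "CLAMAV_SANE":  clamav and sub["__CLAMAV_SANE"],
        "CLAMAV_MBL":   clamav and sub["__CLAMAV_MBL"],
        "CLAMAV_MSRBL": clamav and sub["__CLAMAV_MSRBL"],
    }
    fired = sorted(name for name, hit in meta.items() if hit)
    return fired, sum(SCORES[name] for name in fired)

# The header value Wolfgang posted (19 characters between "Yes" and
# "Sanesecurity"), plus two constructed values whose signature names push
# "Sanesecurity" past the 20-character window.
POSTED_HEADER  = "Yes (Email.Stk.Gen596.Sanesecurity.07071900.pdf)"
SANE_FAR       = "Yes (Email.Spam.Lottery-5678.Sanesecurity.07072002)"    # constructed
SANE_PHISH_FAR = "Yes (Email.Phishing.Bank-1234.Sanesecurity.07072001)"   # constructed

if __name__ == "__main__":
    for value in (POSTED_HEADER, SANE_FAR, SANE_PHISH_FAR):
        print(value, "gap to Sanesecurity =", gap_after_yes(value, "Sanesecurity"))
        for gap in (20, 30, 50):
            print("  .{1,%d}:" % gap, evaluate(value, gap))
```

Run stand-alone, it prints, for each header value, the distance from "Yes" to "Sanesecurity" and which meta rule fires under each quantifier. With `.{1,20}` the constructed SANE_FAR value lands in CLAMAV_VIRUS at 20.0 points, which is the false positive Mandy describes; with `.{1,30}` or `.{1,50}` it lands in CLAMAV_SANE at 7.5. Note that this only models the regexes and the boolean meta logic; the priority ordering that the thread settles on (header sub-rules at 9998 or 9999, the meta rule later) is what makes these sub-rules see the plugin's header in real SpamAssassin, and is not simulated here.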