Re: [vps-mail] VPS2 - various hassles with clamav & procmail
- Subject: Re: [vps-mail] VPS2 - various hassles with clamav & procmail
- From: Scott Wiersdorf <scott@xxxxxxxxxxxx>
- Date: Fri, 26 Mar 2004 21:56:32 -0700

On Fri, Mar 26, 2004 at 08:13:26PM -0800, Abigail Marshall wrote:
> 1. SA is working o.k., but I'm seeing this lock file logging error
> repeatedly:
>
> > procmail: Lock failure on "/var/mail/spam.lock"

Perhaps you've dropped privileges already? What are the permissions
on /var/mail?

> 2. ClamAV - seems to have caught one virus, but the ClamAV
> log looks like this:
>
> Possible virus Exploit.IFrame.Gen FOUND
> procmail: Lock failure on "/var/mail/quarantine/clamav.lock"
> procmail: Error while writing to "/var/mail/quarantine/clamav"
>
> Permissions for the file are set to 777.

Way too loose. If /var/mail/quarantine is owned by root, and you're
running this from /usr/local/etc/procmailrc, it should be fine at 755
or 700, even.

If you're running from a .procmailrc file or after DROPPRIVS=yes,
you'll likely not have success unless the uid is the same as the
directory owner.

> 3. Just a note:
> ClamAV also failed to catch several instances of
> W32.Netsky.D - the headers on these emails show:
> X-ClamAV: clean
>
> This appears to be an issue with ClamAV - because it also
> came up negative on the online scanner at
> http://www.gietl.com/test-clamav/
>
> Symantec says this virus was discovered March 1, 2004.
>
> So basically I'm just noting that ClamAV obviously is not
> all that reliable.

Make sure your db is up to date (via freshclam). It may also be that
netsky is known under a different name for clamav (each av vendor
comes up with a new name). Finally, it also may be that clamav simply
doesn't scan for this particular virus--it's happened before.

We've mentioned on the list before that clamav is a good first line
of defense, but does not replace a scanner for Windows clients. Anyone
running Windows should use some av as a rule.

Fwiw, clamav is often the first scanner for some viruses, but of
course not all (as you have discovered). You might want to lurk on the
clamav-users list to see why.

Scott
--
Scott Wiersdorf
scott@xxxxxxxxxxxx
======================================================================
This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).
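
The directory-permission reasoning in the reply above, as an added example that is not part of the original message or of procmail: a shell check that predicts from a directory's owner and mode whether a given uid can create a lock file there, and flags world-writable directories. The function name `check_lock_dir` is hypothetical, group membership is supplied by the caller, and ACLs are ignored.

```shell
#!/bin/sh
# Added example (not from the thread). check_lock_dir is a hypothetical helper.
# procmail creates "<mailbox>.lock" next to the mailbox, so the delivering uid
# needs write+search (w+x) on the directory. ACLs are ignored here.
# Usage: check_lock_dir DIR UID [GID ...]
# Returns: 0 lock can be created; 1 lock failure expected;
#          2 lock can be created, but the directory is world-writable.
check_lock_dir() {
    dir=$1; uid=$2; shift 2; gids="$*"
    if [ ! -d "$dir" ]; then echo "$dir: not a directory"; return 1; fi
    # GNU stat first, BSD stat as fallback: "owner-uid group-gid octal-mode"
    set -- $(stat -c '%u %g %a' "$dir" 2>/dev/null || stat -f '%u %g %Lp' "$dir")
    owner=$1; group=$2; perm=$3
    mode=$((0$perm))                      # leading 0 = parse as octal

    ingroup=0
    for g in $gids; do
        if [ "$g" -eq "$group" ]; then ingroup=1; fi
    done

    # Pick the permission triplet that applies to this uid.
    if [ "$uid" -eq 0 ]; then
        bits=7; who="root (before DROPPRIVS)"
    elif [ "$uid" -eq "$owner" ]; then
        bits=$(( (mode >> 6) & 7 )); who="directory owner"
    elif [ "$ingroup" -eq 1 ]; then
        bits=$(( (mode >> 3) & 7 )); who="group member"
    else
        bits=$(( mode & 7 )); who="other"
    fi

    if [ $(( bits & 3 )) -ne 3 ]; then
        echo "$dir (mode $perm, owner $owner): uid $uid as $who cannot create a lock"
        return 1
    fi
    if [ $(( mode & 2 )) -ne 0 ]; then
        echo "$dir (mode $perm): lock works, but any local user can write here"
        return 2
    fi
    echo "$dir (mode $perm): uid $uid as $who can create a lock"
    return 0
}

# Stand-alone use: sh check_lock_dir.sh /var/mail/quarantine "$(id -u)" $(id -G)
if [ "$#" -ge 2 ]; then check_lock_dir "$@"; fi
```

Run it with the uid the recipe executes as at the point of delivery; a result of 1 corresponds to the "Lock failure" lines in the log, and 2 to the 777 case.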