failure of all virus scanners

Henrik K hege at hege.li
Wed Jun 15 15:07:18 CEST 2011


On Wed, Jun 15, 2011 at 02:30:54PM +0200, Ralf Hildebrandt wrote:
> * Ralf Hildebrandt <Ralf.Hildebrandt at charite.de>:
> > How can I safely handle the case of all virus scanners failing?
> > 
> > In the release notes I'm seeing:
> > 
> > - a failure of all virus scanners no longer automatically tempfails the
> >   operation, but flags a message with a CC_UNCHECKED contents category
> >   (just like a failure of decoders/dearchivers), and allows the usual
> >   controls (*_destiny, *_quarantine_*) to be used to configure behaviour;
> >   for example:
> >   
> >   $final_unchecked_destiny = D_TEMPFAIL;
> >   $unchecked_quarantine_method = 'local:unchecked/%m.gz';
> > 
> > I want to catch the case of a virus pattern update gone wrong -- right
> > now all the mails pass unchecked, I'd rather tempfail them. On the
> > other hand - what about encrypted mails which cannot be scanned
> > anyway? How can I let those pass?
> 
> Looking at the categories I see no way of distinguishing an encrypted
> archive (which should be passed) from a generic "all scanners have
> failed" error (which should cause a tempfail).
> 
> ...
> Jun 15 10:05:08 mail amavis[3999]: (03999-08) p003 1/2 Content-Type: application/x-zip-compressed, size: 12791 B, name: 3618_error_log_20110615.zip
> Jun 15 10:05:08 mail amavis[3999]: (03999-08) do_unzip: p003, 1 members are encrypted, none extracted, archive retained
> Jun 15 10:05:09 mail amavis[3999]: (03999-08) FWD from <SIBE at novonordisk.com> -> <Andreas.Hueser at charite-research.org>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10026): 250 2.0.0 Ok: queued as 3QvL455jGWzFvq5
> Jun 15 10:05:09 mail amavis[3999]: (03999-08) Passed UNCHECKED {RelayedInbound}, [217.16.101.214]:40793 [127.0.0.1] <SIBE at novonordisk.com> -> <Andreas.Hueser at charite-research.org>, Message-ID: <7FDA82A7CD7EB24E81BF85C74CAF8E0E4708A59A79 at exdkmbx022.corp.novocorp.net>,mail_id: 60xc9rwqiz5V, Hits: -1.899, size: 26319, queued_as: 3QvL455jGWzFvq5, 905 ms
> ...
> 

Given that ClamAV has some signatures for encrypted zip viruses, it seems
pointless trying to make such a complex setup.  Either your scanner works or
it doesn't; you should put effort into making sure of that.
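
Added example, not part of the original message and not amavisd-new code: a log check that separates "Passed UNCHECKED" entries preceded by a "members are encrypted" decoder line in the same session from those with no such line. The sample log is constructed in the format of the lines quoted above; the addresses, mail_ids, the second session and the reason labels are assumptions.

```python
import re

# Constructed sample in the format of the log lines quoted in the thread.
# Session 03999-08 mirrors the quoted case; the others are constructed.
# Addresses and mail_ids are placeholders.
SAMPLE_LOG = """\
Jun 15 10:05:08 mail amavis[3999]: (03999-08) do_unzip: p003, 1 members are encrypted, none extracted, archive retained
Jun 15 10:05:09 mail amavis[3999]: (03999-08) Passed UNCHECKED {RelayedInbound}, [192.0.2.10]:40793 [127.0.0.1] <a at example.com> -> <b at example.org>, mail_id: AAAAAAAAAAAA, Hits: -1.899, size: 26319, 905 ms
Jun 15 10:07:41 mail amavis[4001]: (04001-02) Passed UNCHECKED {RelayedInbound}, [192.0.2.11]:51100 [127.0.0.1] <c at example.com> -> <d at example.org>, mail_id: BBBBBBBBBBBB, Hits: 0.1, size: 4100, 310 ms
Jun 15 10:08:02 mail amavis[4001]: (04001-03) Passed CLEAN {RelayedInbound}, [192.0.2.12]:51101 [127.0.0.1] <e at example.com> -> <f at example.org>, mail_id: CCCCCCCCCCCC, Hits: 0.0, size: 900, 120 ms
"""

# "(03999-08)" is the per-message session tag that ties log lines together.
LINE_RE = re.compile(r"amavis\[\d+\]: \((?P<sid>\d+-\d+)\) (?P<msg>.*)$")
ENCRYPTED_RE = re.compile(r"\b[1-9]\d* members are encrypted\b")
MAIL_ID_RE = re.compile(r"mail_id: (\S+?),")


def classify_unchecked(log_text):
    """Map each 'Passed UNCHECKED' mail_id to a reason label.

    'encrypted-archive': a decoder line in the same session reported
                         encrypted archive members.
    'unexplained':       no such line was seen; worth a look, since the
                         log alone does not say why it went unchecked.
    """
    encrypted_sessions = set()
    result = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sid, msg = m.group("sid"), m.group("msg")
        if ENCRYPTED_RE.search(msg):
            encrypted_sessions.add(sid)
        elif msg.startswith("Passed UNCHECKED"):
            mid = MAIL_ID_RE.search(msg)
            key = mid.group(1) if mid else sid
            hit = sid in encrypted_sessions
            result[key] = "encrypted-archive" if hit else "unexplained"
            # Session tags can recur once a pid is reused; forget this one.
            encrypted_sessions.discard(sid)
    return result


if __name__ == "__main__":
    for mail_id, reason in classify_unchecked(SAMPLE_LOG).items():
        print(mail_id, reason)
```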


