Amavis and Clam scanning nested virus emails

Mark Martinec Mark.Martinec+amavis at ijs.si
Mon Jul 16 15:43:57 CEST 2012


Richard,

> In the setup of amavisd and clamav I am running it finds and marks the
> sample-virus-simple.txt as a virus. However, it doesn't pickup and mark
> the sample-virus-nested.txt test message as containing a virus. In the
> standard setup of amavisd and clamav is it suppose to pickup and mark nested
> virus emails?, I would have thought is should. The version I am using are
> Amavisd 2.7.2 and Clamav 0.97.5.2.
> When the logging verbose is turned up it shows the email is being unpacked
> into its individual parts but it seems only the whole email is being scanned
> not the individual parts. Is there an option to set or a setup that will make
> amavisd and clamav pickup nested virus emails?

Yes, most virus scanners (including clamd) are given a directory name
with decoded parts, each as a separate file. So yes, it is supposed
to detect it, unless you are using a non-default AV entry for clamd,
passing only a file parts/email.txt to it.

Show the log at level 5, if the above does not help explaining what
happened. Btw, the sample-virus-nested.txt contains a complicated
(and old) nesting structure, so if decoding at any level failed,
the bare-bones test pattern would not emerge.

   Mark


More information about the amavis-users mailing list