clamav (under amavis) not filtering out viruses!

Nikolaos Milas nmilas at noa.gr
Thu Oct 15 14:26:20 CEST 2020


On 15/10/2020 2:48 PM, Dominic Raferd wrote:

> It is unlikely that clamav is not reading its official databases, but
> it is very rare for viruses to be found through the official
> databases, so the hits you will see in the real world will come from
> the unofficial databases (which need to be updated regularly too).
> Worth checking your clamav settings (e.g. in /etc/clamav/clamd.conf).

Dominic, thanks for your feedback.

I use the scamp script (as I described) for additional definitions. 
Databases seem to be updated fine.

So you think that my installed databases might simply be inefficient to 
identify the viruses we are receiving?

Do you have any suggestions on additional reliable definition databases? 
Which would you suggest to add and how?

Please advise!

> I think you need to revisit your settings for
> @virus_name_to_spam_score_maps.

I remember I had made this configuration because we were having false 
positives and I had found an article regarding this approach, which I 
decided to follow.

This doesn't seem to be the problem, because the infected attachments 
are simply found CLEAN; they do not belong in this class (which is 
converted to spam).

Note that the only mail message that was identified as "AV infection" 
turned "into a spam report" was the test message I sent, deliberately 
infected with EICAR-test-virus signature.

Cheers,
Nick


