From: Mark M. <Mar...@ij...> - 2004-04-20 15:21:13
Andrea,
| I'm running amavisd-new 20030616_p7 on gentoo with clamav 0.67. Recently
| some infected emails have passed the checks. Saving the content of the
| email and using the online checker of clam it is a known virus. Running
| clamscan on the mail server it is detected as a virus.
|
| (20505-03) Checking for banned (contents-based) file types, 2 parts
| (20505-03) Using Clam Antivirus-clamd: (built-in interface)
| (20505-03) Clam Antivirus-clamd: Connecting to socket /var/amavisd/clamd
| (20505-03) Clam Antivirus-clamd: Sending CONTSCAN /var/run/amavis/amavis-20040414T125940-20505/parts\n to UNIX socket /var/amavisd/clamd
| (20505-03) Clam Antivirus-clamd result: /var/run/amavis/amavis-20040414T125940-20505/parts: OK\n
If clamscan detects a virus, so should the clamd. They are using the
same database. Did you run clamscan on the same directory (parts)
containing the same two decoded files, or did you feed it the entire
mail? ClamAV detects some viruses only if given the entire context.
This can be requested by:
  $keep_decoded_original_re = new_RE(
    qr'^MAIL$',   # retain full original message for virus checking
    ...
See if it makes a difference with your mail sample.
Mark
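
The comparison suggested in the reply above can be run against clamd directly, using the same CONTSCAN request that appears in the quoted log. This is an added example, not part of the original message and not amavisd-new or ClamAV code; the function names and the paths passed on the command line are assumptions, and clamd must be able to read both paths.

```python
import socket

def parse_clamd_reply(reply):
    """Split a clamd reply into (path, status, signature_or_detail) tuples."""
    results = []
    for line in reply.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, verdict = line.rpartition(": ")
        if verdict == "OK":
            results.append((path, "OK", None))
        elif verdict.endswith(" FOUND"):
            results.append((path, "FOUND", verdict[:-len(" FOUND")]))
        else:
            # "... ERROR" or an unexpected line: never count it as clean
            results.append((path, "ERROR", verdict))
    return results

def contscan(socket_path, target, timeout=30.0):
    """Send 'CONTSCAN <target>\\n' to clamd's UNIX socket and parse the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(socket_path)
        s.sendall(("CONTSCAN %s\n" % target).encode())
        chunks = []
        while True:                      # clamd closes the socket when done
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_clamd_reply(b"".join(chunks).decode("utf-8", "replace"))

def _infected(results):
    return any(status == "FOUND" for _, status, _ in results)

def compare(socket_path, parts_dir, full_mail):
    """Scan the decoded parts and the saved full message; flag a mismatch."""
    parts = contscan(socket_path, parts_dir)
    full = contscan(socket_path, full_mail)
    return {"parts": parts, "full": full,
            "context_dependent": _infected(full) and not _infected(parts)}

if __name__ == "__main__":
    import sys
    # usage: compare.py <clamd socket> <parts directory> <saved full message>
    print(compare(*sys.argv[1:4]))
```

If `context_dependent` comes back true, the signature only matches the undecoded message, which is the case the `qr'^MAIL$'` entry addresses.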