On Sat, 2004-05-22 at 11:16, Josh Berry wrote:
> I never was able to get ClamAV working either. The below configuration
> deletes every single attachment on my system whether it has a virus or
> not.
I've had ClamAV running for almost a year now; it works great with Anomy.
I went about it by adding support for ClamAV to the script
"check_for_virus". That makes things easier. I have a patch, which is
available here: http://aleeacademy.org/patches/anomy-clamav.patch
Note: The patch uses the ClamAV daemon. Look at the bottom of the
message for the reason why.
For my filters, first I have it quarantine exe's, pif's, scr's, etc. The
second rule sets a few allowed data types such as gif, jpeg, etc. The
third rule scans files that have legitimate uses but can carry viruses,
such as doc, xls, zip, etc. If something scans positive it gets
quarantined. Anything that doesn't meet the above gets passed through
ClamAV and gets quarantined if infected. Here's my config:
# quarantine attachments that are not safe
file_list_1 = (?i)(winmail.dat)|
file_list_1 += (\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp
file_list_1 += |ms[ip]|reg|sct|inf|asd|cab|sh[sb]|scr|cpl|chm
file_list_1 += |ws[fhc]|hta|vcd|vcf|eml|nws))$
file_list_1_policy = save
file_list_1_scanner = 0
# allow certain file types through
file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps
file_list_2 += |p(df|cx)|bmp
file_list_2 += |mp[32]|wav|au|ram?
file_list_2 += |avi|mov|mpe?g
file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
file_list_2 += |[ja]sp
file_list_2 += |patch|diff
file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$
file_list_2_policy = accept
file_list_2_scanner = 0
# scan potentially dangerous files for viruses and quarantine
# if infected
file_list_3 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|html
file_list_3 += |class|swf|upd|wp\d?|m?db
file_list_3 += |z(ip|oo)|ar[cj]|lha|[tr]ar|pdf|rpm|deb|slp|tgz
file_list_3 += )(\.g?z|\.bz\d?)*$
file_list_3_policy = accept:accept:save:save
file_list_3_scanner = 0:2:3:/opt/anomy/bin/check_for_virus %FILENAME
# scan everything else and quarantine if infected
file_list_4 = (?i)(.*)
file_list_4_policy = defang:defang:save:save
file_list_4_scanner = 0:2:3:/opt/anomy/bin/check_for_virus %FILENAME
This is why I use ClamAV's daemon. The first is the standalone scanner
and the second is the daemon scanner.
$ time clamscan --disable-summary att-data.doc.exe-40ad317a.ZA
att-data.doc.exe-40ad317a.ZA: Worm.SomeFool.P FOUND
real 0m2.661s
user 0m2.450s
sys 0m0.200s
$ time clamdscan --disable-summary att-data.doc.exe-40ad317a.ZA
att-data.doc.exe-40ad317a.ZA: Worm.SomeFool.P FOUND
real 0m0.013s
user 0m0.000s
sys 0m0.010s
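To see how the four file_list rules above interact, here is an added Python model (not part of the mail or of Anomy) that joins each rule's "+=" continuation lines into one regex and applies them in order, first match wins, as the post describes. It assumes Python's re handles these Perl patterns identically (it does for the constructs used) and records only each rule's base policy and whether the rule hands the file to check_for_virus.

```python
import re

# The four file_list rules from the post, each joined from its "file_list_N +="
# continuation lines the way Anomy concatenates them. Fields: rule name, regex,
# base policy (first field of file_list_N_policy), and whether the rule runs
# check_for_virus at all. Perl and Python re agree on every construct used here.
RULES = [
    ("file_list_1",                     # quarantined, never scanned
     r"(?i)(winmail.dat)|(\.(exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp"
     r"|ms[ip]|reg|sct|inf|asd|cab|sh[sb]|scr|cpl|chm"
     r"|ws[fhc]|hta|vcd|vcf|eml|nws))$",
     "save", False),
    ("file_list_2",                     # accepted, never scanned
     r"(?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps"
     r"|p(df|cx)|bmp"
     r"|mp[32]|wav|au|ram?"
     r"|avi|mov|mpe?g"
     r"|t(xt|ex)|csv|l(og|yx)|sql|jtmpl"
     r"|[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?"
     r"|[ja]sp"
     r"|patch|diff"
     r"|can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$",
     "accept", False),
    ("file_list_3",                     # scanned, quarantined if infected
     r"(?i)\.(xls|d(at|oc)|p(pt|l)|rtf|html"
     r"|class|swf|upd|wp\d?|m?db"
     r"|z(ip|oo)|ar[cj]|lha|[tr]ar|pdf|rpm|deb|slp|tgz"
     r")(\.g?z|\.bz\d?)*$",
     "accept", True),
    ("file_list_4", r"(?i)(.*)", "defang", True),   # everything else: scanned
]


def classify(filename):
    """Return (rule, base_policy, scanned) for the first rule whose regex matches.
    Rules are tried in order and the first hit wins, so an attachment is never
    seen by a later rule: rule 2 shadows rule 3's "pdf", rule 1 shadows rule 2's
    "reg", and the unanchored "winmail.dat" alternative catches e.g. winmail.dat.zip."""
    for name, pattern, policy, scanned in RULES:
        if re.search(pattern, filename):
            return name, policy, scanned
    raise AssertionError("unreachable: file_list_4 matches any name")


if __name__ == "__main__":
    # Constructed attachment names, chosen to show the ordering effects above;
    # note that "part.001" is accepted unscanned because of rule 2's "\d+".
    for name in ("data.doc.exe", "photo.JPG", "report.doc", "archive.tar.bz2",
                 "paper.pdf", "winmail.dat.zip", "part.001", "README"):
        print(name, "->", classify(name))
```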