Date: Wed, 24 Jun 2009 10:18:29 -0400
Message-ID: <d80f793f0906240718k64d48af6qa6b16f3e7d88ad8b@mail.gmail.com>
From: Carlos Williams <carloswill@gmail.com>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: [Clamav-users] Problems Detecting Known Viruses

I just did a fresh install of Postfix, Amavisd-new, and ClamAV on
Debian. Everything works great; however, I attempted to send a test
virus from my new Postfix install running Clamd to this Gmail account
and I never saw any sign emailed to me that a "virus was detected"
from ClamAV. I don't understand why. The message was never relayed to
its final destination (this Gmail address) but I don't understand what
happened. I checked my /var/log/mail.log to see if it reported
anything strange about the message and I found the following:

Jun 24 10:08:13 ham amavis[2663]: (02663-04) (!)PRESERVING EVIDENCE in
/var/lib/amavis/tmp/amavis-20090623T190508-02663

Jun 24 10:08:13 ham postfix/smtp[7337]: 39CEF51B12:
to=<carloswill@gmail.com>, relay=127.0.0.1[127.0.0.1]:10024,
delay=1.3, delays=0.05/0.01/0/1.3, dsn=4.5.0, status=deferred (host
127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=02663-04,
virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd
av-scanner FAILED: CODE(0x24739e8) unexpected ,
output="/var/lib/amavis/tmp/amavis-20090623T190508-02663/parts:
lstat() failed: Permission denied. ERROR 451-4.5.0 " at (eval 86) line
527.; ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected
exit 1, output="WARNING: Ignoring deprecated option --disable-summary
451-4.5.0 LibClamAV Warning:
*********************************************************** 451-4.5.0
LibClamAV Warning: ***  This version of the ClamAV engine is outdated.
    *** 451-4.5.0 LibClamAV Warning: *** DON'T PANIC! Read
http://www.clamav.net/support/faq *** 451-4.5.0 LibClamAV Warning:
*********************************************************** 451-4.5.0
/var/lib/amavis/tmp/amavis-20090623T190508-02663/parts/p001: OK
451-4.5.0 /var/lib/amavis/tmp/amavis-20090623T190508-02663/parts/p005:
Eicar-Test-Signature FOUND 451-4.5.0  451-4.5.0 ----------- SCAN
SUMMARY ----------- 451-4.5.0 Known viruses: 575374 451-4.5.0 Engine
version: 0.95.1 451-4.5.0 Scanned directories: 1 451-4.5.0 Scanned
files: 2 451-4.5.0 Infected files: 1 451-4.5.0 Data scanned: 0.00 MB
451-4.5.0 Data read: 0.00 MB (ratio 0.00:1) 451 4.5.0 Time: 1.151 sec
(0 m 1 s)" at (eval 86) line 527. (in reply to end of DATA command))

*************END************

Did I configure something wrong in ClamAV? I show the clamav-daemon is
running; however, it seems it's not configured or working right. I
normally expect to get an email back to me when I try to send this
that says something like the following:

A virus was found: Eicar-Test-Signature
Scanner detecting a virus: ClamAV-clamd

Content type: Virus
Internal reference code for the message is 29980-15/CfkTsWN4wm5S

First upstream SMTP client IP address: [10.1.1.204] tunafish.domain.us
According to a 'Received:' trace, the message originated at: [10.1.1.204],
  [10.1.1.204] tunafish.domain.us [10.1.1.204]

Return-Path: <user@domain.us>
User-Agent: Thunderbird 2.0.0.21 (X11/20090409)
Message-ID: <4A423313.9040606@domain.us>
Subject: Data
The message has been quarantined as: virus-CfkTsWN4wm5S

Notification to sender will not be mailed.

The message WAS NOT relayed to:
<carloswill@gmail.com>:
   250 2.7.0 Ok, discarded, id=29980-15 - VIRUS: Eicar-Test-Signature

Virus scanner output:
  p005: Eicar-Test-Signature FOUND
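
Added example (not part of the original post, and not code from amavisd-new or ClamAV): a small Python triage of the deferred-delivery line quoted above. It splits the 451 reply into one entry per scanner, so that the clamd permission failure and the clamscan detection hidden behind "ALL VIRUS SCANNERS FAILED" show up separately. The sample string is an abridged, unwrapped copy of that log line; the function and field names are hypothetical.

```python
import re

# Constructed sample: the deferred line from the post, abridged and unwrapped.
SAMPLE = (
    'Jun 24 10:08:13 ham postfix/smtp[7337]: 39CEF51B12: to=<carloswill@gmail.com>, '
    'relay=127.0.0.1[127.0.0.1]:10024, dsn=4.5.0, status=deferred (host '
    '127.0.0.1[127.0.0.1] said: 451-4.5.0 Error in processing, id=02663-04, '
    'virus_scan FAILED: virus_scan: ALL VIRUS SCANNERS FAILED: ClamAV-clamd '
    'av-scanner FAILED: CODE(0x24739e8) unexpected , '
    'output="/var/lib/amavis/tmp/amavis-20090623T190508-02663/parts: '
    'lstat() failed: Permission denied. ERROR 451-4.5.0 " at (eval 86) line 527.; '
    'ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan unexpected exit 1, '
    'output="WARNING: Ignoring deprecated option --disable-summary 451-4.5.0 '
    '/var/lib/amavis/tmp/amavis-20090623T190508-02663/parts/p001: OK 451-4.5.0 '
    '/var/lib/amavis/tmp/amavis-20090623T190508-02663/parts/p005: '
    'Eicar-Test-Signature FOUND 451-4.5.0 Infected files: 1" at (eval 86) line 527. '
    '(in reply to end of DATA command))'
)

# "<scanner> av-scanner FAILED: <how> output="<scanner output>" at (eval ..."
SCANNER = re.compile(r'(\S+) av-scanner FAILED: (.*?)output="(.*?)" at \(eval', re.S)
FOUND = re.compile(r'(\S+): (\S+) FOUND')


def triage(line):
    """Return {scanner: {how, permission_denied, detections}} for one log line."""
    # Drop the SMTP reply prefixes ("451-4.5.0" / "451 4.5.0") that are
    # interleaved with the scanner output inside the multi-line 451 response.
    text = re.sub(r'\b451[- ]4\.5\.0\s*', '', line)
    report = {}
    for name, how, output in SCANNER.findall(text):
        report[name] = {
            "how": how.strip(" ,"),
            "permission_denied": "Permission denied" in output,
            # (mail part, signature) pairs the scanner flagged before "failing"
            "detections": [(p.rsplit("/", 1)[-1], sig)
                           for p, sig in FOUND.findall(output)],
        }
    return report


if __name__ == "__main__":
    for scanner, info in triage(SAMPLE).items():
        print(scanner, info)
```
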

