amavisd-new fails to block viruses with backup scanner (clamscan)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
amavisd-new (Ubuntu) | Fix Released | High | Unassigned |
Jaunty | Won't Fix | High | Unassigned |
Karmic | Fix Released | High | Unassigned |
Bug Description
Binary package hint: amavisd-new
When all primary scanners fail (specifically I was testing clamav), amavis tries to run some predefined backup scanners (in my case it is clamscan). There is a config file in /etc/amavis/conf.d named 15-av_scanners, which has all the primary and backup scanner definitions.
After trying out clamd with a test virus email (which got detected ok), I disabled clamd, so amavis would switch to clamscan, then I sent the same test mail (2 attachments, one with EICAR test signature and one clean file). Amavis failed to block the email with the following error:
May 16 10:41:01 utest-kk amavis[32558]: (32558-02) (!!)run_av (ClamAV-clamscan) FAILED - unexpected exit 1, output=
Notice the 'unexpected exit 1' message, which is the return code for clamscan when it FINDS a virus. The only problem is, amavisd doesn't get that because of (IMHO) the faulty regexp in the config, which does not match the above clamscan output.
```perl
['ClamAV-
"--stdout --no-summary -r --tempdir=$TEMPBASE {}",
[0], qr/:.*\sFOUND$/, qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
```
[0] - is the expected return code when NO viruses are found
qr/:.*\sFOUND$/ - this should match when viruses ARE found, but it doesn't, so amavis gets confused by the exit code
Amavis only finds the virus if the _last_ part/attachment of the email is infected, like this:
May 16 10:39:20 utest-kk amavis[32559]: (32559-01) run_av: /usr/bin/clamscan exit 1, /var/lib/
Notice the order in which the email 'parts' are scanned (p005 is the last one and the above regexp matches).
This got fixed upstream in amavis 2.6.3 (amavisd.conf in the tarball) but I only found something in the changelog (no reference to a bug):
"- added missing /m flags to regular expressions in AV entries
(a bug is revealed with Perl 5.10.0; previous versions of Perl happened
to work, unintentionally accepting a /m flag if added late during a regexp
evaluation); reported by Rafael;"
But the Debian package in testing (2.6.2-2) still has the older 15-av_scanners config file which isn't fixed. There is a closed Debian bug http://
Debian changelog of 2.6.3-1 doesn't mention changes to av_scanner config either.
Note: on default postfix+amavis content scanner, the infected mail remains in the mail queue with a 450 temporary error code.
This also affects Jaunty (2.6.2-2ubuntu2) and Intrepid (2.6.1.
It doesn't seem to affect Hardy (2.5.3-1ubuntu3) or Dapper (2.3.3-3).
TEST CASE:
- install postfix + clamav + amavisd-new (content scanner to postfix)
- install spamassassin on Karmic (see Debian bug http://
- configure amavisd as follows (in /etc/amavis/conf.d)
- 15-av_scanners: disable clamd scanner, and make sure clamscan is enabled (in av_scanners_backup)
- 15-content_
- 50-user: set $myhostname
- send a test email with multiple attachments, one of them the EICAR test virus (from http://
- see it fail in the mail.log with above error message
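The mismatch the report describes, as an added example that is not part of the bug report or of the amavisd-new package: it runs the 15-av_scanners regexps over constructed clamscan output for the two-attachment case, once as shipped and once with the /m flag that upstream added in 2.6.3. The part paths, the output lines and the simplified classify() model of the run_av exit-code/regexp decision are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed clamscan output for the two-attachment test mail. The paths are
# placeholders (the real ones are truncated in the report); p005 is scanned last.
my $virus_first = <<'END';
/var/lib/amavis/tmp/parts/p003: Eicar-Test-Signature FOUND
/var/lib/amavis/tmp/parts/p005: OK
END
my $virus_last = <<'END';
/var/lib/amavis/tmp/parts/p003: OK
/var/lib/amavis/tmp/parts/p005: Eicar-Test-Signature FOUND
END

# Regexp as shipped in the broken 15-av_scanners entry: without /m, $ only
# matches at the very end of the whole output (or just before its final newline).
my $virus_re_broken = qr/:.*\sFOUND$/;
# Same regexp with the /m flag added upstream in 2.6.3: $ matches at every line end.
my $virus_re_fixed  = qr/:.*\sFOUND$/m;
# The name-extraction regexp already carried /m in the shipped entry.
my $name_re         = qr/^.*?: (?!Infected Archive)(.*) FOUND$/m;

# Simplified model (an assumption, not amavis's own code) of the run_av decision:
# a virus-regexp match wins, then an exit code in the "clean" list ([0]),
# anything else is the "unexpected exit" failure seen in mail.log.
sub classify {
    my ($exit, $output, $virus_re) = @_;
    if ($output =~ $virus_re) {
        my @names = $output =~ /$name_re/g;
        return 'infected: ' . join(',', @names);
    }
    return 'clean' if $exit == 0;
    return "FAILED - unexpected exit $exit";
}

# clamscan exits 1 whenever it found something, so both runs use exit 1.
for my $case (['virus first', $virus_first], ['virus last ', $virus_last]) {
    my ($label, $out) = @$case;
    printf "%s  shipped: %s\n", $label, classify(1, $out, $virus_re_broken);
    printf "%s  with /m: %s\n", $label, classify(1, $out, $virus_re_fixed);
}
```

With the shipped regexp only the "virus last" case is reported as infected; the "virus first" case falls through to the unexpected-exit failure, while with /m both cases are caught.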
description: updated
Changed in amavisd-new (Ubuntu Jaunty):
status: Confirmed → Won't Fix
Talked to the Debian package maintainer and he gave me an updated 15-av_scanners file for testing, and if all goes well, we can merge the new unstable package from Debian.
http://people.debian.org/~formorer/15-av_scanners
I'll update the report after testing.