PDA

View Full Version : ClamAV can be bypassed

hastlaug
8th April 2006, 02:50
Hi,

I'm not sure if this has been already mentioned here, but I found out that trashscan, the antivirus script, can easily skipped - the virus author just has to add a line "X-Virus-Scan: " to the header of the infected mail and this mail won't even be looked at by ClamAV.

This issue was first mentioned bei James Lick in june 2004 - and I'm quite shocked that trashscan is still used in ISPConfig.

Is there something I'm missing?

If not, then I'd suggest the usage of clamassassin - I just installed it and integrated it into the procmail files, and it works. I just have to figure out if sender/recipient notifications are possible.

So, my question: Is this a known problem? Or is this completely new to you? Is there another solution?

btw: trashscan seems to fail on some tests from http://www.webmail.us/testmail - while clamassassin only ignores non-virus tests...

Best regards and thx in advance!
falko
8th April 2006, 14:13
Thanks for the hint. We will check this.
hastlaug
8th April 2006, 16:12
I forgot posting the correpsonding url to the issue:

http://www.gossamer-threads.com/lists/engine?post=9548;list=clamav

The suggestion to add a hostname or domain isn't sufficient I guess... this might also be figured out and faked, although it's much safer than using a hard coded standard header.
hastlaug
11th April 2006, 23:49
Already found out sth.? :-)
hastlaug
11th April 2006, 23:50
ok, just saw the new release, forget my last post :)
thx for the fast fix ;)
falko
12th April 2006, 12:17
Yes, it's fixed now. We've replaced trashscan with clamassassin in ISPConfig 2.2.1. :)
MathieuMa
12th April 2006, 16:42
Hi,

It seems the upgrade process don't change the configs to use clamassassin.
Curently running on debian perfect setup, upgraded from the previous release.

NB : Just restarted postfix, seems the config file was changed.
If that's the case, all my humble appologies :p

Mathieu
falko
13th April 2006, 00:27
It seems the upgrade process don't change the configs to use clamassassin.
Curently running on debian perfect setup, upgraded from the previous release.

Users continue to use the old procmail recipes until you update them in ISPConfig so that their configuration files get rewritten. If you change some settings for existing users in ISPConfig or create new users, they will use clamassassin from now on.