To make sure you are getting the best out of the Sanesecurity signatures, run the following three email tests and confirm that your email setup passes all three:
TEST 1 — Html.Sanesecurity.TestSig_Type3_Bdy Send a HTML formatted email to yourself with this text in the BODY of the email: body_rrg63uhj2ucyeccrux7d83a4qd5ua5vnlgwjp6b6fmpzpobzjabftehuhraxfbyzzzzz
TEST 2 — Email.Sanesecurity.TestSig_Type4_Hdr Send an email to yourself with this text in the SUBJECT of the email: rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby
TEST 3 — Email.Sanesecurity.TestSig_Type4_Bdy Send an email to yourself with this text in the BODY of the email: body_rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZ0ajdjkwjnSSDfsdfsdfnwerd
Results
TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy FOUND
TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr FOUND
TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy FOUND
NOTE: TEST 2 is an important one to pass, as a lot of the newer signatures use the message headers of an email. If you fail this test, it is usually because your email system is not passing the complete RAW/whole message to ClamAV for scanning.
If you still cannot get the tests to pass after reading the notes below, ensure you have a copy of the sanesecurity.ftm file in the data/db area of ClamAV; otherwise please contact me and I can do some testing.
Notes for various mail filters
amavisd-new
Use key 'MAIL' in @keep_decoded_original_maps, e.g.:
@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # retain full original message for virus checking
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));
You may find that you already have a '^MAIL$' token in there, but commented out by default. Uncomment it, restart amavisd-maia, and the full, undecoded body of the email will be scanned in addition to the attachments.
For more information on the above, see this thread
MailScanner
You'll need to have this setting enabled:
ClamAV Full Message Scan = yes
and you may also need the following patch (which will be included in the next version of MailScanner):
— /root/v4/NEWSTABLE/mailscanner/bin/MailScanner/SweepViruses.pm 2009-01-11 19:27:02.000000000 +0000 +++ SweepViruses.pm 2009-01-25 16:24:33.000000000 +0000 @@ -2724,6 +2724,8 @@ $file =~ s/^(./)?$BaseDir/?//; $file =~ s/^.///; my ($id,$part) = split ///, $file, 2; + # JKF 20090125 Full message check. + $part = "" if $id =~ s/.(message|header)$//; # Only log the whole message if no attachment has been logged MailScanner::Log::InfoLog("%s", $logline) |
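Review bot: the added line `$part = "" if $id =~ s/.(message|header)$//;` as rendered here has an unescaped dot before `(message|header)`, which matches any single character rather than a literal "."; the surrounding context lines (`s/^.///`) look to have lost their backslashes in extraction too, but if the dot is really unescaped in the source it should read `s/\.(message|header)$//` so that an $id merely ending in, say, "xmessage" is not truncated. The `# JKF 20090125 Full message check.` comment would also be more useful if it said why $part is cleared: the `.message`/`.header` names produced by the full-message scan are being folded back onto the message id so that the `InfoLog` call that follows reports them as the whole message and not as an attachment, which is what the existing "Only log the whole message if no attachment has been logged" comment relies on.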
Qmail-Scanner
You need to make sure the "--redundant yes" option is enabled, which makes Qmail-Scanner pass the entire message to AVs for scanning.
mimedefang-filter
Only the body is scanned by default, unless you call md_copy_orig_msg_to_work_dir() just before the call to message_contains_virus(), so that the whole original message is also passed to the scanner.