Signature Testing

In order to make sure you are getting the best out of the Sanesecurity signatures, you should follow the following three email tests and make sure that your email setup "passed" all three tests:

Results

TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy FOUND
TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr FOUND
TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy FOUND

NOTE: TEST 2 is an important one to pass, as a lot of the newer signatures use the message headers of an email. If you fail this test, it's usually due to you email system not passing the complete RAW/Whole message to be scanned by ClamAV.

If you cannot get the test to work, even after reading the next notes… ensure you have a copy of the sanesecurity.ftm file in the data/db area of ClamAV, otherwise please contact me and I can do some testing.

Notes for various mail filters

amavisd-new

Use key 'MAIL' in @keep_decoded_original_maps, e.g.:

@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # retain full original message for virus checking
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

You may find that you already have a '^MAIL$' token in there, but commented out by default. Uncomment it, restart amavisd-maia, and the full, undecoded body of the email will be scanned in addition to the attachments.

For more information on the above, see this thread

Mail Scanner

You'll need to have this setting enabled:

ClamAV Full Message Scan = yes

and you may also need the following patch (which will be included in the next version of MailScanner:

Qmail-Scanner

You need to make sure the "–redundant yes" option is enabled – which makes Qmail-Scanner pass the entire message to AVs for scanning.

mimedefang-filter

Only the body is scanned by default, unless you call md_copy_orig_msg_to_work_dir() just before the call to message_contains_virus().