Your log looks to me like the settings simply aren't calling Clam to scan the message rather than clam missing the message.
I have ScanWL, ScanNP, ScanLocal, ScanCC and UseAvClamd enabled and you need to make sure that AvClamdPort is correct for your system. DoASSP_AFC is set to enabled but only set to do attachments. If you haven't got the main clam settings enabled, you'll need to make sure that ASSP_AFCSelect is set to one of the options that scans the whole message.

2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> info: found message size announcement: 1.56 kByte
2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> IP 209.85.214.176 matches whiteListedIPs - with 209.85.128.0/17
2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> [SMTP Reply] 250 OK
2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] [SMTP Reply] 250 Accepted
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] [SMTP Reply] 354 Enter message, ending with "." on a line by itself
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] Whitelisted sender address: [email protected] for recipient [email protected]
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] DKIM-Signature found
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] info: domain gmail.com has published a DMARC record
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] ClamAV: scanned 1774 bytes in whitelisted message - FOUND Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] Message-Score: added 50 (vdValencePB) for virus detected: 'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)', total score for this message is now 50
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] [VIRUS] 209.85.214.176 <[email protected]> to: [email protected] [spam found] (virus detected: 'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)') [rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby] -> /usr/local/assp/store/quarantine/rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJA--571715.eml;
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <[email protected]> to: [email protected] [SMTP Error] 554 5.7.1 Mail appears infected with \[Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)\].

All the best,
Colin Waring.

-----Original Message-----
From: K Post [mailto:[email protected]]
Sent: 15 March 2015 18:32
To: ASSP development mailing list
Subject: Re: [Assp-test] ClamAV win32 Sane

Colin- really, I'm just interested in the results of the 2nd test in your log. I managed to get the html email one to be trapped - apparently sending html mail from gmail is a bit different. From outlook it trapped it. The one where the spam string is in the subject however, doesn't seem to be caught though. It looks like one of our bombre is scoring the long subject. I don't know why that would stop a detection though. It does look like the ASSP_AFC is being called (it was enabled for this test).

Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] Received-RWL: listed from list.dnswl.org; client-ip=209.85.220.177
Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] Message-Score: added -2 for 209.85.220.0 in griplist (0.14), total score for this message is now -42
Mar-15-15 14:27:37 msg44055-12284 [DKIM] 209.85.220.177 <[email protected]> to: [email protected] [scoring] DKIM signature failed - none - sender policy is: neutral - author policy is: neutral
Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] Message-Score: added 10 (dkimValencePB) for DKIM none, total score for this message is now -32
Mar-15-15 14:27:38 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] info: SenderBase - query using SenderBase
Mar-15-15 14:27:38 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] SenderBase -- used Senderbase -- country:US orgname:GOOGLE domain:google.com
Mar-15-15 14:27:39 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] HMM is not available - hmmdb is still locked by a rebuild task
Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] Bayesian Check [monitoring] - Prob: 1.00000 => spam
Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 <[email protected]> to: [email protected] [Plugin] calling plugin ASSP_AFC
Mar-15-15 14:27:40 msg44055-12284 [MessageOK] 209.85.220.177 <[email protected]> to: [email protected] message ok [rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby] -> messages/okmail/rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJA--73.txt

I've got the sanesecurity.ftm database there, last modified 9/3/14

Thank you for your help!

_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
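
Added example, not part of the original thread and not ASSP code: a small Python triage that groups ASSP log lines by message ID and reports whether a ClamAV result was logged for each message, which is the distinction the two excerpts above turn on. The sample lines are constructed (abridged from the excerpts, with placeholder example.org addresses), and the function name and verdict strings are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the two log excerpts in the thread
# (mail addresses replaced with example.org placeholders).
SAMPLE_LOG = """\
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <sender@example.org> to: rcpt@example.org DKIM-Signature found
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 209.85.214.176 <sender@example.org> to: rcpt@example.org ClamAV: scanned 1774 bytes in whitelisted message - FOUND Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)
Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 <sender@example.org> to: rcpt@example.org Bayesian Check [monitoring] - Prob: 1.00000 => spam
Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 <sender@example.org> to: rcpt@example.org [Plugin] calling plugin ASSP_AFC
Mar-15-15 14:27:40 msg44055-12284 [MessageOK] 209.85.220.177 <sender@example.org> to: rcpt@example.org message ok
"""

# Both timestamp styles seen in the thread, followed by the message ID.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}|[A-Z][a-z]{2}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(?P<msgid>\S+) (?P<rest>.*)$"
)
# Only the FOUND form shown in the thread is matched.
CLAM_RE = re.compile(r"ClamAV: scanned (\d+) bytes.*? - FOUND (\S+)")
AFC_CALL = "[Plugin] calling plugin ASSP_AFC"


def triage(log_text):
    """Return {msgid: verdict} showing whether a ClamAV result was logged."""
    seen = defaultdict(lambda: {"afc": False, "found": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation or unrelated line
        state = seen[m["msgid"]]
        if AFC_CALL in m["rest"]:
            state["afc"] = True
        hit = CLAM_RE.search(m["rest"])
        if hit:
            state["found"] = hit.group(2)
    verdicts = {}
    for msgid, s in seen.items():
        if s["found"]:
            verdicts[msgid] = "clamav-found: " + s["found"]
        elif s["afc"]:
            verdicts[msgid] = "afc-called-no-clamav-result"
        else:
            verdicts[msgid] = "no-scan-logged"
    return verdicts


if __name__ == "__main__":
    for msgid, verdict in triage(SAMPLE_LOG).items():
        print(msgid, verdict)
```

A message that ends up as afc-called-no-clamav-result or no-scan-logged is one where the settings listed at the top of the reply are the first thing to check.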
