The subject tests shouldn't require AFC at all; as the subject comes early on 
in the message, clamav should catch it normally.

I'm not sure if there's a debug option for the scanning or afc. You could turn 
on general debug, run the test then turn it off again.

For clamd itself you might need to make sure the logging is configured for 
Windows:

LogFile C:/ClamAv/Logs/clamd.log
LogTime yes
LogClean yes
LogFileMaxSize 0

The latter two won't be needed for normal operation as they will produce larger 
log files.

All the best,
Colin Waring.
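As an added illustration of the distinction this thread turns on (ASSP never handing the message to Clam, as opposed to Clam scanning it and missing), here is a small triage script. It is not part of ASSP or ClamAV; it reads ASSP maillog entries in the two id styles quoted in the thread ("msg44055-12284" and "m1-33697-05727"), records per message whether a "[Plugin] calling plugin" entry, a "ClamAV: scanned ... - FOUND <signature>" entry and a final [VIRUS]/[MessageOK] tag appeared, and says which of the settings named in the thread to look at next. The sample lines are constructed from the thread's excerpts with placeholder addresses and IPs, each entry on one line as in a real log; the wording of the clean-scan line ("- OK") is an assumption, and the parser only relies on "ClamAV:", "scanned" and "FOUND".

```python
"""Triage ASSP maillog entries: was ClamAV actually invoked for each message?

Added example, not ASSP or ClamAV code. Regexes are modelled on the log
excerpts quoted in the thread; anything else is an assumption noted inline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every per-message entry starts "<date> <time> <message-id>"; both id styles from the thread.
ENTRY_RE = re.compile(r'^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<msgid>(?:msg|m)\d[\w-]*)\b')
# "ClamAV: scanned 1774 bytes in whitelisted message - FOUND <signature>"; a line with
# no FOUND after the hyphen is treated as a clean scan (clean wording is assumed).
CLAM_RE = re.compile(r'ClamAV:\s*scanned\s+(?P<bytes>\d+)\s+bytes.*?-\s*(?:FOUND\s+(?P<sig>\S+))?')
PLUGIN_RE = re.compile(r'\[Plugin\]\s+calling plugin\s+(?P<plugin>\S+)')
OUTCOME_RE = re.compile(r'\[(?P<outcome>VIRUS|MessageOK)\]')


@dataclass
class MessageTrace:
    msgid: str
    plugins: List[str] = field(default_factory=list)
    clam_scanned_bytes: Optional[int] = None
    clam_signature: Optional[str] = None
    outcome: Optional[str] = None

    def verdict(self) -> str:
        """Clam never asked vs. Clam asked and found nothing vs. Clam hit."""
        if self.clam_scanned_bytes is None:
            return "clam not invoked"
        if self.clam_signature:
            return f"clam detected {self.clam_signature}"
        return "clam scanned, no match"


def parse_log(text: str) -> Dict[str, MessageTrace]:
    """Group log entries by message id and pull out the three facts we care about."""
    traces: Dict[str, MessageTrace] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a per-message entry (banner, blank line); ignore
        trace = traces.setdefault(m['msgid'], MessageTrace(m['msgid']))
        p = PLUGIN_RE.search(line)
        if p:
            trace.plugins.append(p['plugin'])
        c = CLAM_RE.search(line)
        if c:
            trace.clam_scanned_bytes = int(c['bytes'])
            if c['sig']:
                trace.clam_signature = c['sig']
        o = OUTCOME_RE.search(line)
        if o:
            trace.outcome = o['outcome']
    return traces


def diagnose(trace: MessageTrace) -> str:
    """Turn a trace into the next thing to check, following the thread's reasoning."""
    v = trace.verdict()
    if trace.clam_scanned_bytes is None:
        if "ASSP_AFC" in trace.plugins:
            return (f"{trace.msgid}: {v}; ASSP_AFC ran but no 'ClamAV: scanned' entry was logged. "
                    "Check ScanWL/ScanNP/ScanLocal/ScanCC, UseAvClamd and AvClamdPort, or set "
                    "ASSP_AFCSelect to an option that scans the whole message.")
        return f"{trace.msgid}: {v}; neither a ClamAV entry nor an AFC plugin call was logged."
    if trace.clam_signature:
        return f"{trace.msgid}: {v}; final outcome {trace.outcome}."
    return f"{trace.msgid}: {v}; only now is a signature miss the question (is the Sanesecurity db loaded?)."


# Constructed sample entries modelled on the thread's excerpts (placeholder addresses/IPs).
SAMPLE_LOG = """\
Mar-15-15 14:27:40 msg44055-12284 192.0.2.10 <sender@example.com> to: user@example.org Bayesian Check [monitoring] - Prob: 1.00000 => spam
Mar-15-15 14:27:40 msg44055-12284 192.0.2.10 <sender@example.com> to: user@example.org [Plugin] calling plugin ASSP_AFC
Mar-15-15 14:27:40 msg44055-12284 [MessageOK] 192.0.2.10 <sender@example.com> to: user@example.org message ok [id1] -> messages/okmail/id1--73.txt
Mar-14-15 16:06:08 msg63566-10522 192.0.2.11 <sender@example.com> to: user@example.org ClamAV: scanned 2232 bytes in whitelisted message - FOUND Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL
Mar-14-15 16:06:08 msg63566-10522 [VIRUS] 192.0.2.11 <sender@example.com> to: user@example.org [spam found] (virus detected: 'Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL') [3rd in body] -> messages/discarded/3rd_in_body--67.txt;
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 192.0.2.12 <sender@example.com> to: user@example.org ClamAV: scanned 1774 bytes in whitelisted message - FOUND Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)
2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] [VIRUS] 192.0.2.12 <sender@example.com> to: user@example.org [spam found] (virus detected: 'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)')
2015-03-15 15:40:01 m1-33698-05727 [Worker_2] 192.0.2.13 <sender@example.com> to: user@example.org ClamAV: scanned 980 bytes in message - OK
2015-03-15 15:40:01 m1-33698-05727 [Worker_2] [MessageOK] 192.0.2.13 <sender@example.com> to: user@example.org message ok
"""

if __name__ == "__main__":
    for trace in parse_log(SAMPLE_LOG).values():
        print(diagnose(trace))
```

Run against a real maillog the script flags the case K Post describes (AFC called, message ok, no ClamAV entry) separately from the case where Clam did scan and found nothing, which is the only case in which the signature database itself is the suspect.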

-----Original Message-----
From: K Post [mailto:[email protected]] 
Sent: 16 March 2015 15:28
To: ASSP development mailing list
Subject: Re: [Assp-test] ClamAV win32 Sane

Thank you Colin!!

I have almost the same settings as yours. The only difference is DoASSP_AFC
is set to both. I tried yesterday with AFC off though, and it's still not 
caught.

When tests 1 and 3 get caught, it does appear that the sane signatures are 
catching them:

Mar-14-15 16:06:08 msg63566-10522 209.85.220.175 
<[email protected]> to: [email protected] ClamAV:
scanned 2232 bytes in whitelisted message - FOUND 
Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL
Mar-14-15 16:06:08 msg63566-10522 209.85.220.175 
<[email protected]> to: [email protected]
Message-Score: added 50 (vdValencePB) for virus detected:
'Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL', total score for this message is 
now 35
Mar-14-15 16:06:08 msg63566-10522 [VIRUS] 209.85.220.175 
<[email protected]> to: [email protected] [spam 
found] (virus detected: 'Sanesecurity.TestSig_Type4_Bdy.3.UNOFFICIAL') [3rd in 
body] -> messages/discarded/3rd_in_body--67.txt;

But, yeah, when it's only the subject that has the test, I see the AFC plugin 
being called, but no hit!

Not sure where else to look or what else to try.  It's certainly not the end of 
the world, but I worry based on the Sane guy saying how important this one is - 
that headers are often what's in the signature files.


On Mon, Mar 16, 2015 at 5:34 AM, Colin Waring <[email protected]>
wrote:

> Your log looks to me like the settings simply aren't calling Clam to 
> scan the message rather than clam missing the message.
>
> I have ScanWL, ScanNP, ScanLocal, ScanCC and UseAvClamd enabled and 
> you need to make sure that AvClamdPort is correct for your system.
> DoASSP_AFC is set to enabled but only set to do attachments. If you 
> haven't got the main clam settings enabled, you'll need to make sure 
> that ASSP_AFCSelect is set to one of the options that scans the whole message.
>
> 2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> info: found message size announcement:
> 1.56 kByte
> 2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> IP 209.85.214.176 matches 
> whiteListedIPs - with 209.85.128.0/17
> 2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> [SMTP Reply] 250 OK
> 2015-03-15 15:34:57 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] [SMTP 
> Reply]
> 250 Accepted
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] [SMTP 
> Reply]
> 354 Enter message, ending with "." on a line by itself
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] Whitelisted 
> sender address: [email protected] for recipient [email protected]
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] 
> DKIM-Signature found
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] info: 
> domain gmail.com has published a DMARC record
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] ClamAV:
> scanned 1774 bytes in whitelisted message - FOUND
> Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe4646084
> 30ae9f:1774)
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] Message-Score:
> added 50 (vdValencePB) for virus detected:
> 'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608
> 430ae9f:1774)', total score for this message is now 50
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out] 
> [VIRUS]
> 209.85.214.176 <[email protected]> to: [email protected] [spam 
> found] (virus detected:
> 'Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608
> 430ae9f:1774)') 
> [rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby] -> 
> /usr/local/assp/store/quarantine/rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp
> 6b6fmPZpObZJA--571715.eml;
> 2015-03-15 15:34:58 m1-33697-05727 [Worker_6] [TLS-in] [TLS-out]
> 209.85.214.176 <[email protected]> to: [email protected] [SMTP 
> Error]
> 554 5.7.1 Mail appears infected with
> \[Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL(740814f660dc883f8fe464608430ae9f:1774)\].
>
> All the best,
> Colin Waring.
>
> -----Original Message-----
> From: K Post [mailto:[email protected]]
> Sent: 15 March 2015 18:32
> To: ASSP development mailing list
> Subject: Re: [Assp-test] ClamAV win32 Sane
>
> Colin-
> really, I'm just interested in the results of the 2nd test in your 
> log.  I managed to get the html email one to be trapped - apparently 
> sending html mail from gmail is a bit different.  From outlook it trapped it.
>
> The one where the spam string is in the subject however, doesn't seem 
> to be caught though.  It looks like one of our bombre is scoring the 
> long subject.  I don't know why that would stop a detection though.  It 
> does look like the ASSP_AFC is being called (it was enabled for this test).
>
>
> Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected]
> Received-RWL: listed from list.dnswl.org; client-ip=209.85.220.177
> Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected]
> Message-Score: added -2 for 209.85.220.0 in griplist (0.14), total 
> score for this message is now -42
> Mar-15-15 14:27:37 msg44055-12284 [DKIM] 209.85.220.177 
> <[email protected]> to: [email protected] 
> [scoring] DKIM signature failed - none - sender policy is: neutral - 
> author policy
> is: neutral
> Mar-15-15 14:27:37 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected]
> Message-Score: added 10 (dkimValencePB) for DKIM none, total score for 
> this message is now -32
> Mar-15-15 14:27:38 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected] info:
> SenderBase - query using SenderBase
> Mar-15-15 14:27:38 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected] 
> SenderBase -- used Senderbase -- country:US orgname:GOOGLE domain:
> google.com
> Mar-15-15 14:27:39 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected] HMM 
> is not available - hmmdb is still locked by a rebuild task
> Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected] 
> Bayesian Check [monitoring] - Prob: 1.00000 => spam
> Mar-15-15 14:27:40 msg44055-12284 209.85.220.177 
> <[email protected]> to: [email protected] 
> [Plugin] calling plugin ASSP_AFC
> Mar-15-15 14:27:40 msg44055-12284 [MessageOK] 209.85.220.177 
> <[email protected]> to: [email protected] 
> message ok 
> [rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby] -> 
> messages/okmail/rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJA--73
> .txt
>
>
> I've got the sanesecurity.ftm database there, last modified 9/3/14
>
> Thank you for your help!
>
> ----------------------------------------------------------------------
> -------- Dive into the World of Parallel Programming The Go Parallel 
> Website, sponsored by Intel and developed in partnership with Slashdot 
> Media, is your hub for all things parallel software development, from 
> weekly thought leadership blogs to news, videos, case studies, 
> tutorials and more. Take a look and join the conversation now. 
> http://goparallel.sourceforge.net/
> _______________________________________________
> Assp-test mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-test