ClamWIn ZIP Files NO GO???

Post by cgountanis » 2005-07-01 20:24

I send the COM file separately and it works. I send a zip file and the virus test file gets through fine.


"DEBUG" 2680 "2005-07-01 13:22:14.984" "SocketConnection::SocketConnection()"
"DEBUG" 2680 "2005-07-01 13:22:15.156" "Message added. File: C:\Program Files\hMailServer\Data\{1C2F0B3D-A454-4D06-8BE9-EFBBE10E00A7}.eml"
"DEBUG" 2680 "2005-07-01 13:22:17.671" "Messages::Save()"
"DEBUG" 2680 "2005-07-01 13:22:17.671" "Messages::Save() - Message iteration."
"DEBUG" 2680 "2005-07-01 13:22:17.671" "PMADO:SaveObject()"
"DEBUG" 2680 "2005-07-01 13:22:17.671" "Adding message to database. File: C:\Program Files\hMailServer\Data\{1C2F0B3D-A454-4D06-8BE9-EFBBE10E00A7}.eml"
"DEBUG" 2680 "2005-07-01 13:22:17.703" "PMADO:~SaveObject()"
"DEBUG" 2680 "2005-07-01 13:22:17.703" "Messages::~Save()"
"DEBUG" 2680 "2005-07-01 13:22:17.703" "SocketConnection::~SocketConnection()"
"DEBUG" 2384 "2005-07-01 13:22:17.734" "PersistentMessage::ReadObject()"
"DEBUG" 2384 "2005-07-01 13:22:17.734" "PersistentMessage::~ReadObject()"
"DEBUG" 2680 "2005-07-01 13:22:17.734" "SD:DeliverMessage"
"DEBUG" 2680 "2005-07-01 13:22:17.734" "ClamWinVirusScanner::Scan()"
"DEBUG" 2680 "2005-07-01 13:22:20.109" "ClamWinVirusScanner::Scan() - C:\ClamWin\bin\clamscan.exe --tempdir='C:\ClamWin\temp' --database='C:\ClamWin\db' --include='{1C2F0B3D-A454-4D06-8BE9-EFBBE10E00A7}.eml' - Returned 0"
"DEBUG" 2680 "2005-07-01 13:22:20.125" "ClamWinVirusScanner::~Scan()"
"DEBUG" 2680 "2005-07-01 13:22:20.125" "ClamWinVirusScanner::Scan()"
"DEBUG" 2680 "2005-07-01 13:22:22.765" "ClamWinVirusScanner::Scan() - C:\ClamWin\bin\clamscan.exe --tempdir='C:\ClamWin\temp' --database='C:\ClamWin\db' --include='{3B45761E-FEC8-47E7-A3FF-F4F862F7CAC1}.tmp' - Returned 0"
"DEBUG" 2680 "2005-07-01 13:22:22.765" "ClamWinVirusScanner::~Scan()"
"DEBUG" 2680 "2005-07-01 13:22:22.796" "PMADO:CopyMailContentsFrom()"
"DEBUG" 2680 "2005-07-01 13:22:22.796" "PMADO:~CopyMailContentsFrom()"
"DEBUG" 2680 "2005-07-01 13:22:22.796" "PMADO:SaveObject()"
"DEBUG" 2680 "2005-07-01 13:22:22.796" "Adding message to database. File: DELETED{14469003-C228-4711-9333-701AA6561146}.eml"
"DEBUG" 2680 "2005-07-01 13:22:22.843" "PMADO:~SaveObject()"
"DEBUG" 2680 "2005-07-01 13:22:22.843" "PersistentMessage::DeleteObject()"
"DEBUG" 2680 "2005-07-01 13:22:22.859" "PersistentMessage::DeleteFile()"
"DEBUG" 2680 "2005-07-01 13:22:22.875" "PersistentMessage::~DeleteFile() - E3"
"DEBUG" 2680 "2005-07-01 13:22:22.875" "PersistentMessage::DeleteObject() - E5"
"DEBUG" 2680 "2005-07-01 13:22:22.875" "SD:~DeliverMessage"

Post by cmurphy54 » 2005-07-01 20:45

ClamWin v0.85.1 successfully scans both com and zip files for me and blocks accordingly. I've held off on v0.86 because there have been some complaints about issues on the forum. Is anyone successfully using v0.86 to scan zip files?

Some users who have had problems scanning zip files have reinstalled ClamWin and had it begin working. Perhaps that is worth a shot.

ClamAV (sosdg version)

Post by kermitfla3640 » 2005-07-01 23:37

Tested ClamAV 0.86.1-1 (ClamAV devel-20050625/963/Fri Jul 1 09:27:29 2005) with .zip attachments. It seems to work 99.0% of the time. ClamAV seems to miss the test sig 1 out of every 100 email messages. Not sure if this is all related to clam, but it seems to be looking so. Also, I noticed that the way clam is called could be a little better, which may fix the 1 miss. Instead of scanning the directory and excluding everything but the new message, just scan the email itself.

Current way:
<ClamAVExePath> --database='<ClamAVDatabasePath>' --include='<Messagetoscan>'

Better way:
<ClamAVExePath> --database='<ClamAVDatabasePath>' '<Messagetoscan>'

This will cause clam to only scan 1 thing, not search the directory looking for a file. The end result is a faster scanner.



---------------------------------------------
OS: Windows 2000 Server SP4
hMailServer: 3.4.1-B86
ClamAV: 0.86.1 (sosdg build)

http://www.sosdg.org/clamav-win32/index.php

Post by cgountanis » 2005-07-01 23:43

Clam works fine command line on same file but in hmailserver it only gets the com???

I use ClamWin Free Antivirus 0.86.1 released batch sched task the fresk for updates everyday works fine. I am almost perfect but need to catch zips and maybe rar and would be 100% satisfied.

Post by martin » 2005-07-02 11:11

cgountanis:
I couldn't get ClamWin 0.86.1 to work with hMailServer at all? Did it really find your eicar.com when you tested it?

kermitfla3640:
I can't really remember why I chose the --include option instead of just specifying the message. Specifying the message should probably give better performance. Do you know if specifying the message works with older versions of ClamWin? Or no idea. I'm thinking of changing it..

Post by abgar » 2005-07-02 11:29

I also have similar problems with ClamWin. That's why I asked for NOD32 integration help.

Post by martin » 2005-07-02 12:29

I've put up a new 4.0 build (122) that has a modified command line as suggested by kermitfla3640. But this didn't solve the problem for me that .zip-files were not scanned.

When calling ClamWin, hMailServer instructs ClamWin what Temp-folder to use by specifying --tempdir in the command line. But even if hMailServer specifies C:\Windows\Temp on the command line, ClamWin tries to write to a folder named C:\tmp on my computer. The problem only occurs when running as a Windows Service (which the hMailServer service of course does). When running from the command prompt, ClamWin doesn't try to write to tmp.

cgountanis:
Can you try creating a folder named C:\tmp, send the zip file again and then check if the ZIP-scanning works?

If that solves it, I'll ask the guys in the ClamWin forum about this.

Post by cgountanis » 2005-07-02 20:37

ClamWin 0.86.1
HMailServer 4.3.1 B86

hMailSettings:
EXE: C:\ClamWin\bin\clamscan.exe --tempdir='C:\ClamWin\temp'
DB: C:\ClamWin\db


Nice Tip!!!
I moved the db to C:\ClamWin\db to keep things simple. I run a scheduled task to update the db every morning. Sample BAT and freshclam.cfm below.

****
BATCHFILE:
C:\ClamWin\bin\freshclam --datadir=C:\ClamWin\db --config-file=C:\ClamWin\bin\fresh.cfg

fresh.cfg:
DatabaseDirectory C:\ClamWin\db
UpdateLogFile C:\ClamWin\db\freshclam.log
LogVerbose
DatabaseMirror database.clamav.net

****




I installed ClamWin to C:\ClamWin and made a temp directory in that folder "'C:\ClamWin\temp'". I also made tmp on the C:\tmp as suggested above. EVERYTHING has added SYSTEM full rights. Seems like ZIP files are now detected but now the single files are not caught like basic .com files get through but a zip containing the .com get deleted. This is really messing my brain up. Sometimes when you send the test virus and check email real quick right after neither get detected (might be a process thing).

OK this is *** up?!?!?

I created the C:\tmp with added system rights as stated above and did the same for c:\temp now it seems to catch COM and ZIP files accordingly. Also, the 'C:\ClamWin\temp' directory and commandline addition are still needed. Seems like it uses tmp for zip and temp for non-zip like just .com files. The command line temp is needed or else you get file locking again and nothing is detected. Shed some light?

Post by cgountanis » 2005-07-02 20:42

Maybe I am wrong. I sent a zip containing com, .com by itself and a zip containing com/.com combo email and the zip emails detected but the com by itself got through :) I am lost.

Post by kermitfla3640 » 2005-07-02 20:43

I do not use ClamWin.. I use the 'cygwin port' (sosdg). It does not have a GUI interface, is optimized for PIII or better and is way more stable. The scanner does scan .zip files and if I had a rar program, it would also do those. The latest build (0.86.1-1) is having issues with scanning mail files correctly (At least that is what I think), compared to 0.85 which was 100% working using hMailServer.

As for the --include option, ClamAV has (at least since v 0.65) supported just specifying the file and not using the --include option. Perhaps this is special for the ClamWin port :?:

An idea/suggestion: Make some space on the configuration tab for the admins to specify command line option(s). Maybe have some default options that the user can change, but if they don't it will still work.

Post by cgountanis » 2005-07-02 20:46

so confused I will try the sosdg version

Post by kermitfla3640 » 2005-07-02 20:53

cgountanis: It almost sounds like you do not have the registry values for Clam (cygwin).. So it is trying to use the defaults which are off the C drive.

This is what I have (note that you will have to change the path to meet yours). This 'should' instruct clam to use the tmp path you provide, however ClamWin (the one with the GUI) does not always play by the same rules as the other ports of Clam. I would highly recommend that you drop the ClamWin and go to the ClamAV (sosdg version). They do a direct port of the app and it has the same setup and operation as the pure ClamAV for *nix.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions]

[HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin]

[HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2]

[HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/tmp]
"native"="C:\\clamav-devel\\tmp"
"flags"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\Cygnus Solutions\Cygwin\Program Options]

[HKEY_USERS\.DEFAULT\SOFTWARE\Cygnus Solutions]

[HKEY_USERS\.DEFAULT\SOFTWARE\Cygnus Solutions\Cygwin]

[HKEY_USERS\.DEFAULT\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2]

[HKEY_USERS\.DEFAULT\SOFTWARE\Cygnus Solutions\Cygwin\mounts v2\/tmp]
"native"="C:\\clamav-devel\\tmp"
"flags"=dword:0000000a

[HKEY_USERS\.DEFAULT\SOFTWARE\Cygnus Solutions\Cygwin\Program Options]

(Don't forget the double backslash for the path or it will not work correctly :!: )

Post by cgountanis » 2005-07-02 21:07

***Before I started I uninstalled ClamWin and cleaned up registry
Cygnus Solutions in USER and MACHINE software level.


You know what! I switched to sosdg http://www.sosdg.org/clamav-win32/index.php and everything works perfect now. Every combination I can think of zip and plain files all detected 100%. No temp folders other than the sosdg installer made needed or command line params in hMailServer.

I am running:
ClamAV For Windows 0.86.1-1
hMailServer 4.3.1 B86

ClamWin (in hMailServer tab works for ClamAV as well) settings:
EXE: C:\ClamAV\bin\clamscan.exe
DB: C:\ClamAV\db


Updating DB with scheduled task using batch file and fresh.cfg as exampled above but of course with directory name change for ClamAV over ClamWin. Works great!

Thanks for all the input, love hMailServer and I will be donating regularly as this product and Clam have made my email serving needs super awesome :)
Last edited by cgountanis on 2005-07-02 21:15, edited 1 time in total.

Post by cgountanis » 2005-07-02 21:11

cgountanis wrote:
EXE: C:\ClamAV\bin\clamscan.exe

is now:
C:\ClamAV\bin\clamscan.exe --no-summary --block-encrypted --detect-broken


I added --no-summary --block-encrypted --detect-broken to the exe as command line param as kermit suggested.

Thanks all!

Post by martin » 2005-07-02 22:04

This thread sure is confusing.. :)

I have no problems with ClamWin 0.86.1 with hMailServer 4.0 build 122 if I just create the C:\tmp directory that ClamWin obviously requires to scan zip-files.

Post by GlenC » 2005-07-02 22:56

Just to add my .02 (and thus make it even mooore confusing). You can install SOSDG to use as your hmail scanning antivirus.

You can additionally install ClamWin, configure the file locations to point to the installed SOSDG directories (i.e. clamscan, freshclam, and the AV database) and you now have the advantage of the GUI, automatic updates, and the ability to run CLAMD (thus using clamdscan vs. clamscan).

If you do it this way, be sure and rename or remove cygwin1.dll from the C:\Program Files\Clamwin directory or you might end up with a conflict.

I've been running this way for a while and it's been trouble free for me.

Post by cgountanis » 2005-07-02 23:52

basically everything works perfect now with sosdg as stated above thanks all

Post by large » 2005-07-08 13:46

Hmz, that is pretty strange. I think I found the error that some people seem to get, and it is clamwin/av's fault.

I changed to sosdg hoping that it would fix all of my problems but no. I sent myself the eicar emails and let those emails stay as *.eml files in the data directory. Here is the output from my DOS-prompt:
C:\Program Files\hMailServer\Data\werner.no\large>C:\ClamAV\bin\clamscan.exe -v
--tempdir="C:\ClamAV\tmp" --database="C:\ClamAV\db" --include="{5B647886-918D-4E
FB-8DCB-8B277E01380D}.eml
"
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{0193164B-59B5
-4D08-8A39-794DFD4C0881}.eml: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{0193164B-59B5-4D08-8
A39-794DFD4C0881}.eml: Excluded
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{177F6396-B325
-4A24-A1DD-C52146F01F57}.eml: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{177F6396-B325-4A24-A
1DD-C52146F01F57}.eml: Excluded
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{2F94DD3A-2355
-4674-A24D-C112D657C5AE}.eml: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{2F94DD3A-2355-4674-A
24D-C112D657C5AE}.eml: Excluded
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{413846C1-2C14
-45B2-BE75-1C379F51BD91}.eml: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{413846C1-2C14-45B2-B
E75-1C379F51BD91}.eml: Excluded
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{5B647886-918D
-4EFB-8DCB-8B277E01380D}.eml
: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{5B647886-918D-4EFB-8
DCB-8B277E01380D}.eml: Excluded
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{A4426E5E-65DA
-4790-8EAB-3B3F22B2083C}.eml: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{A4426E5E-65DA-4790-8
EAB-3B3F22B2083C}.eml: Excluded
ERROR: /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{EB893FF6-2578
-44C3-8CED-2A237AEEA4F3}.eml: Could not parse regular expression {5B647886-918D-
4EFB-8DCB-8B277E01380D}.eml.
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{EB893FF6-2578-44C3-8
CED-2A237AEEA4F3}.eml: Excluded

----------- SCAN SUMMARY -----------
Known viruses: 36392
Engine version: devel-20050625
Scanned directories: 1
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 2.324 sec (0 m 2 s)
Now as you can see the regular expression is failed. Now I tried it with a search without the regexp:
C:\Program Files\hMailServer\Data\werner.no\large>C:\ClamAV\bin\clamscan.exe -v
--database="C:/ClamAV/db/"
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{0193164B-59
B5-4D08-8A39-794DFD4C0881}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{0193164B-59B5-4D08-8
A39-794DFD4C0881}.eml: OK
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{177F6396-B3
25-4A24-A1DD-C52146F01F57}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{177F6396-B325-4A24-A
1DD-C52146F01F57}.eml: Eicar-Test-Signature FOUND
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{2F94DD3A-23
55-4674-A24D-C112D657C5AE}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{2F94DD3A-2355-4674-A
24D-C112D657C5AE}.eml: Eicar-Test-Signature FOUND
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{413846C1-2C
14-45B2-BE75-1C379F51BD91}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{413846C1-2C14-45B2-B
E75-1C379F51BD91}.eml: OK
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{5B647886-91
8D-4EFB-8DCB-8B277E01380D}.eml

/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{5B647886-918D-4EFB-8
DCB-8B277E01380D}.eml: OK
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{A4426E5E-65
DA-4790-8EAB-3B3F22B2083C}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{A4426E5E-65DA-4790-8
EAB-3B3F22B2083C}.eml: OK
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{EB893FF6-25
78-44C3-8CED-2A237AEEA4F3}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{EB893FF6-2578-44C3-8
CED-2A237AEEA4F3}.eml: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Known viruses: 36392
Engine version: devel-20050625
Scanned directories: 1
Scanned files: 7
Infected files: 3
Data scanned: 0.00 MB
Time: 2.171 sec (0 m 2 s)
It seems like the regular expressions are to blame for some of these errors :S All of these files have been marked OK by the scan done by hMailServer, it seems like the {} are the problem (and you don't need them!). Check this out:

C:\ClamAV\bin\clamscan.exe -v --tempdir="C:\ClamAV\tmp" --database="C:\ClamAV\db" --include="5B647886-918D-4EFB-8DCB-8B277E01380D"

This gives you:
C:\Program Files\hMailServer\Data\werner.no\large>C:\ClamAV\bin\clamscan.exe -v
--tempdir="C:\ClamAV\tmp" --database="C:\ClamAV\db" --include="5B647886-918D-4EF
B-8DCB-8B277E01380D"
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{0193164B-59B5-4D08-8
A39-794DFD4C0881}.eml: Excluded
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{177F6396-B325-4A24-A
1DD-C52146F01F57}.eml: Excluded
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{2F94DD3A-2355-4674-A
24D-C112D657C5AE}.eml: Excluded
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{413846C1-2C14-45B2-B
E75-1C379F51BD91}.eml: Excluded
Scanning /cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{5B647886-91
8D-4EFB-8DCB-8B277E01380D}.eml
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{5B647886-918D-4EFB-8
DCB-8B277E01380D}.eml
: OK
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{A4426E5E-65DA-4790-8
EAB-3B3F22B2083C}.eml: Excluded
/cygdrive/c/Program Files/hMailServer/Data/werner.no/large/{EB893FF6-2578-44C3-8
CED-2A237AEEA4F3}.eml: Excluded

----------- SCAN SUMMARY -----------
Known viruses: 36392
Engine version: devel-20050625
Scanned directories: 1
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 2.426 sec (0 m 2 s)
Seems like there is need for an option for adding the filename without the {} and .eml :) Hopefully that should fix this stupid problem!
Lars Werner
http://lars.werner.no
Check out my tools:
http://lars.werner.no/unpacker/ - 100% automated extraction tool
http://lars.werner.no/sizeme/ - Maximize the output on a given media (like CD/DVD ect)
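
An added example (not from the thread and not hMailServer's own code): the first run above scanned 0 files, and the hMailServer debug log earlier in the thread records the scanner call as "Returned 0", so a caller that trusts the exit code alone treats an unscanned message as clean. The Python sketch below accepts "clean" only when the summary confirms the file was actually scanned; the function names, the sample output (constructed from the output quoted in this thread, unwrapped, with shortened paths) and the exit-code meanings (0 clean, 1 virus found, as documented for current clamscan) are assumptions.

```python
import re

# Assumed exit codes (current clamscan docs; 0.86-era builds may differ):
# 0 = no virus found, 1 = virus found, anything else = error.
SUMMARY_RE = re.compile(r"^(Scanned files|Infected files):\s*(\d+)\s*$", re.M)
FOUND_RE = re.compile(r"^(.+): (.+) FOUND\s*$", re.M)
PROBLEM_RE = re.compile(r"^(?:ERROR|WARNING): .*$", re.M)

# Constructed samples, modelled on the output quoted in this thread.
REGEX_FAILED = """\
ERROR: /data/{0193164B-59B5-4D08-8A39-794DFD4C0881}.eml: Could not parse regular expression {5B647886-918D-4EFB-8DCB-8B277E01380D}.eml.
/data/{0193164B-59B5-4D08-8A39-794DFD4C0881}.eml: Excluded

----------- SCAN SUMMARY -----------
Scanned files: 0
Infected files: 0
"""

DIRECT_SCAN = """\
/data/{0193164B-59B5-4D08-8A39-794DFD4C0881}.eml: OK
/data/{177F6396-B325-4A24-A1DD-C52146F01F57}.eml: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Scanned files: 2
Infected files: 1
"""

SINGLE_OK = """\
Scanning {5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB}.eml
{5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB}.eml: OK

----------- SCAN SUMMARY -----------
Scanned files: 1
Infected files: 0
"""

CANT_ACCESS = """\
WARNING: Can't access file 5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB.eml
5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB.eml: No such file or directory

----------- SCAN SUMMARY -----------
Scanned files: 0
Infected files: 0
"""


def parse_scan(output):
    """Extract the counters, detections and error lines from clamscan output."""
    counts = {name: int(value) for name, value in SUMMARY_RE.findall(output)}
    return {
        "scanned": counts.get("Scanned files"),    # None if no summary block
        "infected": counts.get("Infected files"),
        "found": FOUND_RE.findall(output),         # [(path, signature), ...]
        "problems": PROBLEM_RE.findall(output),    # ERROR:/WARNING: lines
    }


def verdict(exit_code, output, expected_files=1):
    """Return 'infected', 'clean' or 'unverified' (fail closed).

    'clean' needs exit code 0, no ERROR/WARNING lines and a summary showing
    that at least `expected_files` files were scanned. Everything else that
    is not a detection is 'unverified' and should be held, not delivered.
    """
    result = parse_scan(output)
    if exit_code == 1 or result["found"] or (result["infected"] or 0) > 0:
        return "infected"
    scanned = result["scanned"]
    if (exit_code == 0 and not result["problems"]
            and scanned is not None and scanned >= expected_files):
        return "clean"
    return "unverified"


if __name__ == "__main__":
    for name, code, text in [("regex failed", 0, REGEX_FAILED),
                             ("direct scan", 1, DIRECT_SCAN),
                             ("single file", 0, SINGLE_OK),
                             ("can't access", 0, CANT_ACCESS)]:
        print(f"{name:13s} exit={code} -> {verdict(code, text)}")
```

Because the check reads the summary block, it cannot be combined with `--no-summary`; output without a summary is reported as unverified.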

Post by cgountanis » 2005-07-08 17:43

follow directions in this post and start fresh should fix everything

Post by martin » 2005-07-09 00:28

large:
In hMailServer 4.0, I've changed the way hMailServer calls ClamScan. Instead of using the --include parameter (which results in a regex match) it just specifies the filename as a parameter. This way, ClamScan won't do any regex'ing (and the "Could not parse regular expression" error won't occur).

Post by cgountanis » 2005-07-09 01:24

When is version 4 final and will it be compatible with Helm's latest version?

Post by martin » 2005-07-09 10:03

hMailServer 4 will be put up as stable on monday unless someone has found anything serious by then.

I've never tried Helm myself. In fact, I haven't even seen their home page before now.. You'll have to talk with the company that develops Helm and ask them whether they support hMailServer 4..

Post by large » 2005-07-09 12:57

martin wrote:
large:
In hMailServer 4.0, I've changed the way hMailServer calls ClamScan. Instead of using the --include parameter (which results in a regex match) it just specifies the filename as a parameter. This way, ClamScan won't do any regex'ing (and the "Could not parse regular expression" error won't occur).

Great! You're the man Martin! But how about adding a quick search&replace function too?

If you can generate a tag like %FILENAME%, %FILENAMEWOEXT% etc, so when a person that uses clamwin would get a commandline like:

C:\ClamAV\bin\clamscan.exe -v --tempdir="C:\ClamAV\tmp" --database="C:\ClamAV\db" --include="%FILENAMEWOEXT%"

Main reason for this is it could be much easier to match other virus systems like e.g. F-PROT, NOD32 or even Clam. That way you don't need to hardcode anything but let the user decide where to put the information.

Another thing is to maybe include the eicar virus as a resource in the project and make a testbutton to check if the virus parameters actually works :)

Another thing:
I dunno if it is a problem but a field for the result code when a virus is found is maybe necessary since some mombojombo virus checkers might return 32 when a virus is found instead of 1 ;)
Post by bruns » 2005-07-10 02:12

The issue with { } I'm pretty familiar with, as well as known issue with files with spaces in their names too. It all carries over from the UNIX/Linux way of doing things into Cygwin. {} are pattern matching characters, much like how ? and * will probably cause the same issues in filenames too.

Don't blame it on the Cygwin people, it's the fault of Microsoft for how they've handled their filesystem. There are a lot of oddities in the way Windows functions are implemented that give ClamAV headaches when you try to make it work right.

In the meantime, grab:

http://downloads.sosdg.org/clamav/clamav-0.86.1-3.exe

And see if it works for you. I've included a bunch of bug fixes, as well as a snapshot of Cygwin 1.5.19.
Brielle Bruns
The Summit Open Source Development Group

Post by cgountanis » 2005-07-10 02:53

The sosdg works 100% for me on my Windows 2000 Server box. I get way less SPAM/BAD DNS and Virus emails by far now using SOSDG Clam and hMailServer. THANKS!

Post by large » 2005-07-10 13:16

bruns wrote:
The issue with { } I'm pretty familiar with, as well as known issue with files with spaces in their names too. It all carries over from the UNIX/Linux way of doing things into Cygwin. {} are pattern matching characters, much like how ? and * will probably cause the same issues in filenames too.

Don't blame it on the Cygwin people, it's the fault of Microsoft for how they've handled their filesystem. There are a lot of oddities in the way Windows functions are implemented that give ClamAV headaches when you try to make it work right.

In the meantime, grab:

http://downloads.sosdg.org/clamav/clamav-0.86.1-3.exe

And see if it works for you. I've included a bunch of bug fixes, as well as a snapshot of Cygwin 1.5.19.

Thnx for the tip bruns. I'll check it out to see if that fixes the problem. I know that the {} chars are pretty rare chars to use, but if Martin implements a tag system like %FILENAME%, %FILENAMEWO%, %FILENAMEWOQUOTES% etc. then the problem will be solved (for any command lines in the future).

Edit: Just tested the 0.86.1-3 version, and there is no difference. I've also tested the issue that martin said he'd added by removing the include. The result is not good! Check it out:
C:\Documents and Settings\Large>C:\ClamAV\bin\clamscan.exe -v --tempdir="C:\ClamAV\tmp" --database="C:\ClamAV\db" {5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB}.eml
WARNING: Can't access file 5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB.eml
5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB.eml: No such file or directory

----------- SCAN SUMMARY -----------
Known viruses: 36423
Engine version: devel-20050709
Scanned directories: 0
Scanned files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 2.166 sec (0 m 2 s)
As bruns said, the {} signs seem to be a wildcard that is converted into nothing. I've also tried to add \{ and \}. And that worked:
C:\Program Files\hMailServer\Data\werner.no\large>C:\ClamAV\bin\clamscan.exe -v
--tempdir="C:\ClamAV\tmp" --database="C:\ClamAV\db" \{5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB\}.eml
Scanning {5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB}.eml
{5ABFD91B-F3D7-44B0-B2D8-6762FD3485AB}.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 36423
Engine version: devel-20050709
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Time: 2.126 sec (0 m 2 s)
I don't see any solution but a tagsystem. Since this could snap each strange error that might come with the next compilations in the future. That way the user has more control, and it is more flexible.
Post by large » 2005-07-10 13:48

cgountanis wrote:
The sosdg works 100% for me on my Windows 2000 Server box. I get way less SPAM/BAD DNS and Virus emails by far now using SOSDG Clam and hMailServer. THANKS!

Have you tested this: http://www.aleph-tec.com/eicar/index.php

Check if you're getting some of them through (except the clean one of course)

Post by cgountanis » 2005-07-10 14:49

I got 6 VIRUS DETECTED: and the clean one just fine :)

Post by large » 2005-07-10 15:07

cgountanis wrote:
I got 6 VIRUS DETECTED: and the clean one just fine :)

Quite strange, could you test the commandline (with the --include params) and parse the resultcode to the forum? Just leave the 6 eicar mails in the mailbox and scan it directly on the server, would be nice for the output.

Post by cgountanis » 2005-07-10 23:25

I think I know what your issue is. It is the way you read the command-line results. It will always exclude a whole folder and only scan the file it is asked to scan. Quite confusing results, I know. You would think it could just scan the ONE file and not even come close to processing the other files as Excluded. I have seen this when scanning a single file on the C:\ drive as test. I am not sure how to help you test. Maybe send me sample batch files and a sample example. I will do my best. I do know all my files are caught 100% right now. Please don't break it :)


Tried again. 6 bad 1 good.

-------------------------------------------------------------------------------------------------
VIRUS DETECTED:
The attachment(s) of this message was removed since a virus
was detected in at least one of them.
-------------------------------------------------------------------------------------------------


Post by cgountanis » 2005-07-15 11:26
