ClamAV is running as a milter for sendmail Version 8.14.2.

Problem appeared after the update of ClamAV from 0.94.2 to 0.95.

Normally ClamAV rejects viruses like:

clamd.log:
Apr 3 04:20:17 gw-1 clamav-milter[82788]: Message n330KFwi084209 from <> to <my-user> with subject 'Mail delivery failed: returning message to sender' message-id '<E1LpX8m-0006jH-82@fam6.famatech.com>' date 'Thu, 02 Apr 2009 19:20:12 -0500' infected by Worm.SomeFool.P

maillog:
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403, class=0, nrcpts=1, msgid=<E1LpX8m-0006jH-82@fam6.famatech.com>, proto=ESMTP, daemon=IPv4, relay=mx.mydomain.ru [194.186.213.3]
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=<my-user@mydomain.ru>, delay=00:00:02, pri=73403, stat=We don't receive viruses like Worm.SomeFool.P

But when it meets Worm.Mydoom.I the behaviour changes to:

clamd.log, just:
Apr 3 08:14:23 gw-1 clamd[39534]: fd[10]: Worm.Mydoom.I FOUND

maillog:
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: from=<irina.mashkina@russianpost.ru>, size=31040, class=0, nrcpts=1, msgid=<200904030414.n334EMWU090084@gw-1.caotus.ru>, proto=ESMTP, daemon=IPv4, relay=gw-3.caotus.ru [194.186.213.3]
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Scanned: clamav-milter 0.95 at mail.mydomain.ru
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr 3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: <my-user@mydomain.ru>, delay=00:00:01, xdelay=00:00:00, mailer=local, pri=151427, relay=local, dsn=2.0.0, stat=Sent

As the result ClamAV antivirus:
1. Passes the infected e-mail to local users
2. Stops anti-virus scanning of e-mails and begins checking after restart, until it catches the next Worm.Mydoom.I

Fix:
As a temporary, rather bad fix I've had to fall back on ClamAV-0.94.2.

How-To-Repeat:
1. Turn on mail server, which uses ClamAV Milter;
2. Send via this e-mail server some test letters containing viruses (one of them, but not the first and not the last, must be Worm.Mydoom.I);
3. Read clamd.log and maillog
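The fail-open sequence visible in the maillog above (an Infected header added, the milter dropping to error state, then stat=Sent for the same queue id) can be pulled out of a log automatically. The Python below is an added example, not part of the report or of ClamAV/sendmail; its sample log is constructed from the line formats quoted above, with the sender address replaced by a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample maillog modelled on the lines quoted in the report: one
# message rejected normally, one where the milter died and the mail was Sent.
SAMPLE_MAILLOG = """\
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: from=<>, size=43403, nrcpts=1
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter change (add): header: X-Virus-Status: Infected (Worm.SomeFool.P)
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: Milter: data, reject=550 5.7.1 We don't receive viruses like Worm.SomeFool.P
Apr 3 04:20:17 gw-1 sm-mta[84209]: n330KFwi084209: to=<my-user@mydomain.ru>, delay=00:00:02, stat=We don't receive viruses like Worm.SomeFool.P
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: from=<sender@example.invalid>, size=31040, nrcpts=1
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter change (add): header: X-Virus-Status: Infected (Worm.Mydoom.I)
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: milter_sys_read(clmilter): cmd read returned 0, expecting 5
Apr 3 08:14:23 gw-1 sm-mta[90084]: n334EMWU090084: Milter (clmilter): to error state
Apr 3 08:14:23 gw-1 sm-mta[90085]: n334EMWU090084: <my-user@mydomain.ru>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent
"""

# Patterns taken from the sendmail / clamav-milter lines shown in the report.
QID_RE = re.compile(r"sm-mta\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
INFECTED_RE = re.compile(r"X-Virus-Status: Infected \((?P<sig>[^)]+)\)")
ERROR_RE = re.compile(r"Milter \((?P<milter>[^)]+)\): to error state")
SENT_RE = re.compile(r"(?:to=)?<(?P<rcpt>[^>]+)>.*\bstat=Sent\b")


def find_fail_open(log_text):
    """Group maillog lines by sendmail queue id and return one tuple
    (qid, signature, milter, recipients) per message that the milter tagged
    as infected, after which the milter fell into error state and sendmail
    still delivered it (stat=Sent): the scan failed open."""
    msgs = defaultdict(lambda: {"sig": None, "milter": None, "rcpts": []})
    for line in log_text.splitlines():
        m = QID_RE.search(line)
        if not m:
            continue  # not a per-message sendmail line
        rec, rest = msgs[m["qid"]], m["rest"]
        infected = INFECTED_RE.search(rest)
        if infected:
            rec["sig"] = infected["sig"]
            continue
        err = ERROR_RE.search(rest)
        if err:
            rec["milter"] = err["milter"]
            continue
        sent = SENT_RE.search(rest)
        if sent:
            rec["rcpts"].append(sent["rcpt"])
    return sorted((qid, r["sig"], r["milter"], r["rcpts"])
                  for qid, r in msgs.items()
                  if r["sig"] and r["milter"] and r["rcpts"])
```

A hit means the scanner was bypassed for that message, not merely that it crashed. Independently of the clamav-milter bug itself, sendmail's INPUT_MAIL_FILTER flags F=T (tempfail) or F=R (reject) decide whether mail is still accepted when a milter connection fails.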
FreeBSD-gnats-submit@FreeBSD.org writes:
> Thank you very much for your problem report.
> It has the internal identification `ports/133333'.
> The individual assigned to look at your
> report is: freebsd-ports-bugs.
>
> You can access the state of your problem report at any time
> via this link:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=133333
>
>> Category: ports
>> Responsible: freebsd-ports-bugs
>> Synopsis: ClamAV Milter passes 'Worm.Mydoom.I' and this virus turns Milter socket to error state
>> Arrival-Date: Fri Apr 03 06:50:01 UTC 2009
>

Excuse me, I forgot to mention that I've also posted this bug to ClamAV Bugzilla: https://wwws.clamav.net/bugzilla/show_bug.cgi?id=1537

-- 
Starikov Sergey Anatolyevich
Lead software engineer, Department of Operation of Information, Telecommunication and Cryptographic Systems, Processing Department of the Unified Postal Money Transfer System, OSP IRC FGUP "Russian Post"
Starikov@caotus.ru
+7(495)398-4436
State Changed
From-To: open->closed

Already fixed in clamav 0.95.1