ClamAV can be bypassed

Discussion in 'General' started by hastlaug, Apr 8, 2006.

  1. hastlaug

    hastlaug New Member


    I'm not sure if this has been already mentioned here, but I found out that trashscan, the antivirus script, can easily skipped - the virus author just has to add a line "X-Virus-Scan: " to the header of the infected mail and this mail won't even be looked at by ClamAV.

    This issue was first mentioned bei James Lick in june 2004 - and I'm quite shocked that trashscan is still used in ISPConfig.

    Is there something I'm missing?

    If not, then I'd suggest the usage of clamassassin - I just installed it and integrated it into the procmail files, and it works. I just have to figure out if sender/recipient notifications are possible.

    So, my question: Is this a known problem? Or is this completely new to you? Is there another solution?

    btw: trashscan seems to fail on some tests from - while clamassassin only ignores non-virus tests...

    Best regards and thx in advance!
    Last edited: Apr 8, 2006
  2. falko

    falko Super Moderator Howtoforge Staff

    Thanks for the hint. We will check this.
  3. hastlaug

    hastlaug New Member

  4. hastlaug

    hastlaug New Member

    Already found out sth.? :)
  5. hastlaug

    hastlaug New Member

    ok, just saw the new release, forget my last post :)
    thx for the fast fix ;)
  6. falko

    falko Super Moderator Howtoforge Staff

    Yes, it's fixed now. We've replaced trashscan with clamassassin in ISPConfig 2.2.1. :)
  7. MathieuMa

    MathieuMa New Member


    It seems the upgrade process don't change the configs to use clamassassin.
    Curently running on debian perfect setup, upgraded from the previous release.

    NB : Just restarted postfix, seems the config file was changed.
    If that's the case, all my humble appologies :p

    Last edited: Apr 12, 2006
  8. falko

    falko Super Moderator Howtoforge Staff

    Users continue to use the old procmail recipes until you update them in ISPConfig so that their configuration files get rewritten. If you change some settings for existing users in ISPConfig or create new users, they will use clamassassin from now on.

Share This Page