Not sure ClamAV is working

[carnold]

Installed the 5.0 beta1 OSS on SLES10 and all is working except ClamAV. The reason i say except is because all the "xyz has sent you a postcard" viruses are not getting tagged as a virus. The clamav log from /opt/zimbra/log/clamav.log does not show any errors and states the selfcheck DB was successful. In the /var/log/messages log shows that antivirus is running. As i said, all the "postcard" viruses have not been tagged as such. All arrive in users inbox. how do i correct this?

Chris

[carnold]

No one has replied so i assume this is something i am overlooking? I have edited /opt/zimbra/clamav/clamd.conf to my taste but when i run anything in /opt/zimbra/clamav/bin, i get this:
ERROR: Please edit the example config file /opt/zimbra/clamav-0.90.2/etc/clamd.conf.
Can't parse /opt/zimbra/clamav-0.90.2/etc/clamd.conf

ERROR: Please edit the example config file /opt/zimbra/clamav-0.90.2/etc/freshclam.conf.
Can't parse /opt/zimbra/clamav-0.90.2/etc/freshclam.conf

Why do i want to edit the sample file? and notice i was not even editing in the clamav-0.90.2 folder. and is the Clamav DB path /var/lib/clamav? Or is different with zimbra?

[EDIT] Found the correct file, i think, to edit. It is in /opt/zimbra/conf/ but how do i restart clamd?[/EDIT]

[SpEnTBoY]

No one has replied so i assume this is something i am overlooking? I have edited /opt/zimbra/clamav/clamd.conf to my taste but when i run anything in /opt/zimbra/clamav/bin, i get this:
ERROR: Please edit the example config file /opt/zimbra/clamav-0.90.2/etc/clamd.conf.
Can't parse /opt/zimbra/clamav-0.90.2/etc/clamd.conf

ERROR: Please edit the example config file /opt/zimbra/clamav-0.90.2/etc/freshclam.conf.
Can't parse /opt/zimbra/clamav-0.90.2/etc/freshclam.conf

Why do i want to edit the sample file? and notice i was not even editing in the clamav-0.90.2 folder. and is the Clamav DB path /var/lib/clamav? Or is different with zimbra?

[EDIT] Found the correct file, i think, to edit. It is in /opt/zimbra/conf/ but how do i restart clamd?[/EDIT]

to restart I think all you need to do (as zimbra) is:

$ zmclamdctl start

or restart.

[fatalwishes]

Installed the 5.0 beta1 OSS on SLES10 and all is working except ClamAV. The reason i say except is because all the "xyz has sent you a postcard" viruses are not getting tagged as a virus. The clamav log from /opt/zimbra/log/clamav.log does not show any errors and states the selfcheck DB was successful. In the /var/log/messages log shows that antivirus is running. As i said, all the "postcard" viruses have not been tagged as such. All arrive in users inbox. how do i correct this?

Chris

That is because the actual virus is not in the email. Clicking the link in the email allows you to download the virus wich is usually labeled "postcard.exe" and that happens in your browser, not your email client or inside of zimbra so clamav will not detect it. You will need a live scanner on your system that tracks dowloaded viruses off the internet to catch the postcard viruses.

Clamwin will detect it on a scan but if the user has already opened it...its too late.

If you are getting the actual virus in the emails, setup your banned attachments list to not allow ".exe" and they won't get through.

[carnold]

That is because the actual virus is not in the email. Clicking the link in the email allows you to download the virus wich is usually labeled "postcard.exe" and that happens in your browser, not your email client or inside of zimbra so clamav will not detect it. You will need a live scanner on your system that tracks dowloaded viruses off the internet to catch the postcard viruses.

Clamwin will detect it on a scan but if the user has already opened it...its too late.

If you are getting the actual virus in the emails, setup your banned attachments list to not allow ".exe" and they won't get through.

When we used another email app and clamav (clamav was not "built-in" to this email app) clamav detected these "postcard" emails as viruses. Why will Zimbra, which uses clamav, not detect these as viruses? I know i could block exe's but but past use of clamav stripped the virus and tagged it as a virus. How do i config zimbra/clamav to do this?