Manually Scanning for Viruses

[cyberdeath]

Hello everyone,

Recently, we have been hit with a large amount of viruses that have not been detected by clam. However, they are now reported. So, would it be possible to rescan the entire message database overnight with clam? That is: /opt/store.

I want to get rid of any residual viruses that got past our filter because people are still opening week-old emails and getting infected.

Here's what I found when I ran the following:

Code:

./clamscan -r -i -d /opt/zimbra/data/clamav/db /opt/zimbra/store/*

Here's a snippet of what was found:

Code:

/opt/zimbra/store/0/17/msg/3/13127-17639.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/12961-17451.msg: Email.Phishing.RB-3469 FOUND
/opt/zimbra/store/0/17/msg/3/13687-18288.msg: Trojan.Downloader.Agent-1297 FOUND
/opt/zimbra/store/0/17/msg/3/12776-17248.msg: Email.Phishing.Bank-72 FOUND
/opt/zimbra/store/0/17/msg/3/13757-18365.msg: Trojan.Downloader.Agent-1298 FOUND
/opt/zimbra/store/0/17/msg/3/13235-17757.msg: Trojan.Agent-57252 FOUND

Would it cause corruption if I had clamscan just remove the infected messages? Anyone have experience with this?

One other question: Does anyone know how to find out what virus definitions that clam is using to scan the incoming emails with?
When I type zmclamdctl status, it gives no output.

One additional thing to note: I upgraded to 0.94.1 and pointed the symlink "clamav" to the directory that I placed in /opt/zimbra.

[cyberdeath]

I went and checked to see today how the anti-virus software was doing and it's rarely detecting a virus. I know without a doubt the number of viruses has increased yet it's detecting less. I know that I upgraded to the new Clam version thinking that would solve the problem. But, it has not. Anyone have any suggestions or insight on this? I would greatly appreciate it.

[uxbod]

You could look at integrating a commercial AV scanner aswell into AmavisD. I would also recommend that you look at these third party signatures for Clam :- SaneSecurity

[cyberdeath]

Well, I have considered that as well. But, I'm a bit curious as to why ClamAV isn't doing it's job. I've never had this problem before until recently. What prompted me was when I noticed that the database wasn't updating for whatever reason. That's when I upgraded the version of ClamAV. Would there be any reason why it would just stop updating? Also, upgrading ClamAV using the wiki should not cause any problems when upgrading zimbra later or with it properly scanning for viruses.

And, finally, here's my big question. Can I scan and remove the messages (.msg files) that contain malware? In other words, would that cause db/mbox corruption? Is there a way I should tackle this?

Thanks for the advice thus far .