file-scan-clamav's Issues

Viruses NOT detected with ClamAV 1.0.0

We have been using File::Scan::ClamAV for years in a SpamAssassin module to stream emails through clamav-daemon.

However no viruses have been detected since we upgraded ClamAV from 0.103.7 to 1.0.0.

We believe there is a problem using ClamAV 1.0.0 because:

  • We can stream the following file through clamdscan 1.0.0 with a successful detection

----- start cat | scan ------------------------------------------------
adorman@andywork1$ cat /home/adorman/programming/pristine_email2.txt | clamdscan -
stream: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.002 sec (0 m 0 s)
Start Date: 2023:01:14 07:30:31
End Date: 2023:01:14 07:30:31
adorman@andywork1$
----- end cat | scan --------------------------------------------------

  • However, when we stream the same file as the var $msgString in the following
    code in the SpamAssassin module that was working successfully a week ago,
    the EICAR test is not detected.

    The var $msgString is shown in the debug log to confirm it is identical to the
    file streamed to clamdscan.

    Please forgive the excessive debug lines and verbose code below. I have been
    adding and expanding things for a week to try and figure out what is going on.

---------- start SA module code snippet ------------

    dbg ("ClamAV: About to check if clamd is alive");

    if (my $firstpingReturn = $self->{clamd}->ping) {
        dbg ("ClamAV: clamd is alive and returned $firstpingReturn");
        if (my $errstr = $self->{clamd}->errstr) {
            dbg ("ClamAV: ping of clamd returned error: $errstr");
        }
    }

    my $msgString = $message->get_pristine;
    dbg ("Pristine msg string is ==$msgString==");
    # Scan for viruses
    my ($ok, $virus) = $self->{clamd}->streamscan ($msgString);

    if ($ok and $ok eq "FOUND") {
        if ($virus =~ m/(?:Heuristics|Phishing|UNOFFICIAL)/) {
            dbg ("ClamAV: Detected phish: $virus");
            $pms->test_log ($virus);
            $result = 1;
        } else {
            dbg ("ClamAV: Detected virus: $virus");
            $pms->test_log ($virus);
        }
    } elsif (my $errstr = $self->{clamd}->errstr) {
        Mail::SpamAssassin::Plugin::info("ClamAV: Error scanning: $errstr");
        dbg("ClamAV: Got error = $errstr");
    } elsif ($ok) {
        dbg("ClamAV: Got ok = $ok");
    } else {
        dbg("ClamAV: Clean");
    }

    if (my $secondpingReturn = $self->{clamd}->ping) {
        dbg ("ClamAV: clamd is still alive and returned $secondpingReturn");
        if (my $errstr = $self->{clamd}->errstr) {
            dbg ("ClamAV: ping of clamd returned error: $errstr");
        }
    }

---------- end SA module code snippet ------------
---------- start debug log output ----------------------
ClamAV: About to check if clamd is alive
ClamAV: clamd is alive and returned 1
Pristine msg string is ==Received: from unknown (unknown [113.161.66.75])
by yorick.ironicdesign.com (Postfix) with ESMTP id EF9CD4EC137
for ; Wed, 3 Oct 2007 15:08:02 -0500 (CDT)
Date: Wed, 3 Oct 2007 15:08:02 -0500 (CDT)
From: <>
To: George [email protected]
Subject: Welcome to AnteSpam!

X5O!P%@ap[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

==
ClamAV: Clean
ClamAV: clamd is still alive and returned 1

----------- end debug log output -----------------------

I am NOT a C programmer and have so far been unable to find where the stream
scan code is in their git repository to see if there have been any changes.

Hoping someone with a lot more expertise than me can shed some light on
what's happening and how to fix it.
Thank you.

pristine_email2.txt
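
One way to test the daemon separately from the wrapper in a case like this, as an added example that is not part of the issue or of File::Scan::ClamAV: it sends the EICAR test to clamd with the documented INSTREAM command and treats any reply other than `stream: OK` or `stream: ... FOUND` as an error instead of falling through to "Clean". The socket path, the function names and the sample message are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::UNIX;

# Assumption: clamd's LocalSocket path; take the real one from clamd.conf.
my $SOCKET_PATH = $ENV{CLAMD_SOCKET} // '/var/run/clamav/clamd.ctl';

# INSTREAM framing: each chunk is a 4-byte big-endian length followed by the
# bytes; a zero-length chunk ends the stream.
sub instream_frames {
    my ($data, $chunk_size) = @_;
    $chunk_size ||= 8192;
    my $out = "zINSTREAM\0";
    for (my $off = 0; $off < length($data); $off += $chunk_size) {
        my $chunk = substr($data, $off, $chunk_size);
        $out .= pack('N', length($chunk)) . $chunk;
    }
    return $out . pack('N', 0);
}

# Classify the reply strictly: anything unrecognised is an error, never clean.
sub parse_reply {
    my ($reply) = @_;
    return ('ERROR', 'empty reply from clamd')
        unless defined($reply) && length($reply);
    $reply =~ s/[\0\r\n]+\z//;
    return ('FOUND', $1) if $reply =~ /\Astream: (.+) FOUND\z/;
    return ('OK', '')    if $reply eq 'stream: OK';
    return ('ERROR', $reply);
}

sub scan_string {
    my ($data) = @_;
    my $sock = IO::Socket::UNIX->new(Peer => $SOCKET_PATH)
        or return ('ERROR', "connect $SOCKET_PATH: $!");
    print {$sock} instream_frames($data) or return ('ERROR', "write: $!");
    local $/ = "\0";    # z-prefixed commands get NUL-terminated replies
    my $reply = <$sock>;
    close $sock;
    return parse_reply($reply);
}

# Constructed sample: the standard EICAR test string inside a minimal message,
# written in two halves so this script is not itself flagged on disk.
my $eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR' . '-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*';
my ($status, $detail) = scan_string("Subject: test\r\n\r\n$eicar\r\n");
print "clamd says: $status $detail\n";
exit($status eq 'FOUND' ? 0 : 1);
```

If this reports FOUND while the plugin logs "Clean" for the same message, the difference lies in how the wrapper talks to the daemon, not in the signature database.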
