Scanning email as it arrives

Discussions relating to ClamXav

Moderator: Mark

Postby diem » Sat 16 Aug 2008 1:14 am

Many thanks for the work there Don - I'll try out your suggestions and update my howto appropriately. Cheers!
ClamXav v1.0.8 / clamav 0.93.3 on OS X 10.4.11/PowerBook G4
diem
 
Posts: 568
Joined: Sun 18 Feb 2007 6:15 pm

Scan email now works OK

Postby Jim babcock » Sun 17 Aug 2008 8:57 pm

See the next to last post on this Page...

Jim B
Last edited by Jim babcock on Thu 03 Sep 2009 6:35 pm, edited 2 times in total.
V3.0.5/0.100.1_02 275.377
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64
Jim babcock
 
Posts: 333
Joined: Sun 04 Jun 2006 2:51 pm
Location: Encinitas, Ca

Scan Apple Mail w/ clamd

Postby Jim babcock » Tue 19 Aug 2008 11:41 pm

No longer valid
See next to last post on this page.
Jim B
Last edited by Jim babcock on Thu 03 Sep 2009 6:36 pm, edited 3 times in total.
V3.0.5/0.100.1_02 275.377
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64
Jim babcock
 
Posts: 333
Joined: Sun 04 Jun 2006 2:51 pm
Location: Encinitas, Ca

Re: Scan Apple Mail w/ clamd

Postby diem » Wed 20 Aug 2008 12:55 am

Hi Jim,

It sounds to me as though there's a problem with either your virus database or that you have an older revision of clamav that doesn't like the database you've ended up with (that 'no stats for database check' is new to me but doesn't sound great).

I suggest you delete the contents of /usr/local/clamXav/share/clamav and re-run freshclam to get a 'clean' database and see if Mail scanning improves.
ClamXav v1.0.8 / clamav 0.93.3 on OS X 10.4.11/PowerBook G4
diem
 
Posts: 568
Joined: Sun 18 Feb 2007 6:15 pm

Postby IronTooth » Wed 20 Aug 2008 10:33 pm

hi, Jim -

I continue to have the occasional 'home folder full' message, as well. Do you rebuild the inboxes using the 'Rebuild' command from the 'Mailbox' menu? I can also clear the error by switching the virus rule off, retrieving mail manually, then switching it back on.

As far as quarantining the virus-laden messages, I created a '_Quarantine' folder (the underscore moves it alphabetically by default near the top of the mailbox list). My applescript contains the following:


Code:
            on error errMsg number exitCode
               if (exitCode = 1) then
                  set background color of thisMessage to red
                  move thisMessage to mailbox "_Quarantine"
                  -- set currentSubject to subject of thisMessage
                  -- set subject of thisMessage to "[**VIRUS** - ClamAV] " & currentSubject



As you can see, I commented out the code to change the subject. I also change the background color of the message in the displayed list to RED, to further highlight it. This helps when I am manually running rules to verify that the script is working, since most of the 'bad' messages are of the 'CNN.com Daily Top 10' variety. I change the color of the messages in the '_Quarantine' folder to white manually, then move one over to the Inbox and run rules on several messages to verify that the rule and script are working the way I like. The red color helps visually. I've had to do this because I haven't gotten any virus hits in the past several days.

Diem -

I still am unable to download the clamd.conf file from your tutorial site. I get an 'Internal Server Error' message...

With the one annoyance of the occasional 'Home folder full' message, this seems to be working for me. Time will tell.

- Don
IronTooth
 
Posts: 22
Joined: Sun 26 Feb 2006 1:03 pm

Postby Jim babcock » Sat 23 Aug 2008 7:24 pm

Not valid..
See next to last post on this page

JIm B
Last edited by Jim babcock on Thu 03 Sep 2009 6:37 pm, edited 1 time in total.
V3.0.5/0.100.1_02 275.377
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64
Jim babcock
 
Posts: 333
Joined: Sun 04 Jun 2006 2:51 pm
Location: Encinitas, Ca

Postby smkolins » Sun 31 Aug 2008 4:51 am

Here's a warning: don't have Sentry watching the whole user cache folder. Somehow the tmp folder is in there, in Leopard at least, and as the incoming mail script executes and moves a copy of the contents of the email for scanning, it shows up as something Sentry scans. If Sentry detects an infection it causes an interrupt in the logic of the scan, and Mail interprets that lack of follow-through as a corruption of the mailbox, forcing a rebuild/re-import.
smkolins
 
Posts: 768
Joined: Thu 07 Jul 2005 10:32 pm

Postby diem » Tue 09 Sep 2008 1:44 am

IronTooth wrote:Diem -

I still am unable to download the clamd.conf file from your tutorial site. I get an 'Internal Server Error' message...

Better late than never - I've solved this problem. The extensions ".conf" and ".config" seem to be reserved MIME-types so far as my web host is concerned, so I've had to add a ".txt" extension for them to be served properly.

Next I must look into your Applescript modification. Thankyou very much for your constructive feedback!
ClamXav v1.0.8 / clamav 0.93.3 on OS X 10.4.11/PowerBook G4
diem
 
Posts: 568
Joined: Sun 18 Feb 2007 6:15 pm

Clamxav incoming mail scan for OS 10.5.4

Postby sheltie1 » Thu 11 Sep 2008 5:00 pm

I followed the directions here

http://silvester.org.uk/OSX/email_virus_scanning.html

as best I could to get Mail to scan incoming messages for viruses, but all I got was a frozen Mail program that refused to respond until I did a Force Quit and took the virus filter back off. I don't know if this is an issue of 10.4 versus 10.5 needing a different approach or what? Anyone with 10.5 have a suggestion?

Thanks,
-L.M.M.
sheltie1
 
Posts: 1
Joined: Thu 11 Sep 2008 6:12 am

clamd.conf file

Postby alvarnell » Thu 11 Sep 2008 8:03 pm

I was not able to use the clamd.conf file you posted. It could not be parsed due to the following issue (from the man.5):

ArchiveMaxFileSize (OBSOLETE)
WARNING: This option is no longer accepted. See MaxFileSize and MaxScanSize.

There could be other issues, but I didn't have time to explore so reverted to doing the modification manually.
_________________
Al Varnell
Mountain View, CA
OS 9.2, 10.3.9 & 10.4.11
ClamXav 1.1.1/94.0
alvarnell
Site Admin
 
Posts: 5509
Joined: Thu 04 Sep 2008 1:18 am
Location: Mountain View, CA, USA

Re: Clamxav incoming mail scan for OS 10.5.4

Postby smkolins » Thu 11 Sep 2008 11:35 pm

sheltie1 wrote:I followed the directions here

http://silvester.org.uk/OSX/email_virus_scanning.html

as best I could to get Mail to scan incoming messages for viruses, but all I got was a frozen Mail program that refused to respond until I did a Force Quit and took the virus filter back off. I don't know if this is an issue of 10.4 versus 10.5 needing a different approach or what? Anyone with 10.5 have a suggestion?

Thanks,
-L.M.M.


I can say it works, but the basics (ClamXav itself and Sentry) have to work flawlessly first. Clamd has to be very reliable. Then it can be a matter of fine-tuning the script. I wish I could say it was always a perfect addition, but it can be something that works more often than it doesn't.
smkolins
 
Posts: 768
Joined: Thu 07 Jul 2005 10:32 pm

Sentry detects threats that are not detected by ClamXav

Postby lesliebee » Thu 04 Dec 2008 12:34 pm

Dear Mark
I am a new user just settling in and evaluating. Have set up ClamXav on OS X 10.5.5 Leopard, using standard Mac Mail on IMAP. To keep my server admin happy, I move old emails from my IMAP server to "OnMyMac" at the end of each month.

Using ClamXav 0.94 (the one about a week or so ago) I scanned my HD and all clear.
So then I began experimenting using Sentry - the watched folders are my ~/Library/Mail folders. All ok again.
Until I decided to tidy up my OnMyMac folders at the end of the month, which resulted in Sentry seeing activity and doing real-time scanning.

For one particular email, Sentry flags it as a spoofed sender. As I have several copies of this, it flags them all - the original, as well as copies I redirected or forwarded to others.
This would not be a problem, except that using ClamXav (not Sentry), there is absolutely no hint of a problem and no alert messages, even when I direct it to scan that specific threat.

So Sentry is finding a problem that ClamXav itself does not find. Quite reproducible and on 2 machines (I replicate my email on my laptop).

I still have a copy of that email and I happen to know it is a genuine email (although it could well have come from a relayed server originally - I don't know - but later emails from this same source are not flagged as spoofed sender- just this one). I can send it to you if this is of any help.

I hope this may be of help to you to explain this strange behaviour.

Best wishes
L

PS - as a related issue, when the email was alerted by Sentry as containing a threat, the message that pops up on the screen contains its name and location. However, if the location is deeply nested (as is the case for the above), the location is not visible as it is truncated in the available field length. I was only able to discover the location of the supposed threat by checking the Console message log. You may wish to consider wrapping the location in the alert screen, rather than truncating the location. Just a suggestion for those not familiar with using Console logs.
lesliebee
 
Posts: 5
Joined: Mon 01 Dec 2008 1:13 am

Postby WilliamL » Fri 06 Feb 2009 7:16 pm

I have Sentry set up just the way the initial poster said to do, right down to the "/Messages." When I initially launch Mail and query the ISP server, the little icon does its thing. Yesterday I received an email from a bank that I do business with telling me about a new service. When the email came in, I guess Sentry scanned it and found it ok. But, each day after I start up my computer I have ClamXav scan my home directory. Today ClamXav found a suspicious email - purportedly a phishing one with domain spoofing. It turned out to be the one from the bank.

So my question is why did Sentry say it was ok when it arrived and ClamXav say it was bad when it scanned the Mail folder?

Regards,
WillL

PS No I didn't click on any links in the message.
WilliamL
 
Posts: 94
Joined: Sun 14 May 2006 6:55 pm

Mail script w/ clamXav NOW IT WORKS in Leo & SL

Postby Jim babcock » Sun 05 Apr 2009 9:57 pm

[Note to Iron Tooth]: (EDITED on Apr 12)
### NOTE TO ALL: Edited on Sept 3 #########
### AND AGAIN : Edited on Oct 14 2009############
###### Again on June 5, 2010######
####### And once more on Aug 27 2010#######
####### Again on Nov 24 2010#############
######### Once more on Oct 17 2011##########
##########Edits to clarify use of 'clamd' in the script below. Jan 12, 2013######

Don:

Last fall I tried to run a Mail script on Tiger... and stopped it for various reasons.
It worked OK on Leopard.

Now I have Snow Leopard and use Apple Mail exclusively for all my Email accts.
I picked up the Script re: silvester.org.uk and altered it for my various email addresses.
Code:
-- To be called from a Mail (or other email client) rule per incoming message
-- Depends upon:
--   default installation of ClamXav
--   Using clamd may be unacceptable; See notes below
-- Credits to ClamXav forum members Nichol and DWatson for the original script and contributions

-- WILL NOT RUN AS IS!!!
-- You must replace XXXXXXXXXX below with the path to your clamd.conf file
-- XXXXXX in MY case is:  --config-file=/usr/local/clamXav/etc/clamd.conf

using terms from application "Mail"
   -- testing() -- uncomment to test-run from script editor
   on testing()
      set theList to the selection of application "Mail"
      do_viruscheck(theList)
   end testing
   on perform mail action with messages ruleMessages for rule theRule
      do_viruscheck(ruleMessages)
   end perform mail action with messages
   on do_viruscheck(theMessages)
      tell application "Mail"
         repeat with thisMessage in theMessages
            set msgSource to source of thisMessage
            -- display dialog "Message content = " & words 1 thru 20 of msgSource
            tell application "System Events"
               -- get a free name for a temporary file
               set tmpdir to (path to "temp" from user domain as text)
               set tmpnam to "tmp-clamAVscan"
               set tmpfil to tmpdir & tmpnam as text
               -- should usually be ok, but now add counter if file still exists
               set tmp to tmpfil
               set c to 0
               set ok to false
               repeat while (exists file tmpfil)
                  set c to c + 1
                  set tmpfil to (tmp & c) as text
               end repeat
               -- copy message to temporary file
               set f to (open for access file tmpfil with write permission)
               set eof of f to 0 -- overwrite file
               write msgSource to f as string
               close access f
            end tell
            
            try
               -- quoted form protects the path if the temp folder name contains spaces
               set commandline to "/usr/local/clamXav/bin/clamdscan --quiet --stdout --config-file=/usr/local/clamXav/etc/clamd.conf " & quoted form of POSIX path of file tmpfil
               -- display dialog "Clamd command line = " & commandline
               do shell script commandline
            on error errMsg number exitCode
               if (exitCode = 1) then
                  set background color of thisMessage to red
                  move thisMessage to mailbox "_Quarantine"
                  -- set junk mail status of thisMessage to true
                  -- set accountName to name of account of mailbox of thisMessage
                  -- set mailbox of thisMessage to mailbox "Junk" of account accountName
                  
               else
                  display dialog "Clamd error: Exit Code = " & exitCode & ", Message = " & errMsg
                  -- if user cancels script here, the temporary file will not be removed
               end if
            end try
            
            -- clean up temporary file
            tell application "System Events" to delete file tmpfil
         end repeat
      end tell
   end do_viruscheck
end using terms from

The BIG change is to simplify the ERROR loop:
Set the message name to RED then move it to a folder.
Code:
set background color of thisMessage to red
move thisMessage to mailbox "_Quarantine"


"_Quarantine" is a mailbox IN Mail… you can first look at the message and trash it from there if you wish.

I put the script in /Library/Scripts/Mail Scripts/Script-for-Mail.scpt
[EDIT] CAUTION I *think* this should be put elsewhere in MT Lion. Beware!

Also, Be sure to do the following:

CHANGE the clamd.conf option to: scanmail No
In ClamXav prefs: UNCHECK the Scan email files option

Then the Apple Mail Rule(#1) is :

"If any" .... "Every Message"
Perform the following actions: "Run Applescript ... .../Library/Scripts/Mail Scripts/Script-for-Mail-store.scpt"

No other tests... The RED color helps to note it is IN Quarantine....
---------------------------------------------------------------------
BTW, a copy of the script I currently use WAS available at:
http://scriptbuilders.net/files/clamscanscriptapplemail1.html;
complete with a README file.
If and when they re-appear, I will upload a fresh copy.
In the meanwhile contact me by private Email and I'll send you a copy
plus the README file.

Cheers, Jim B
Last edited by Jim babcock on Sat 12 Jan 2013 7:14 pm, edited 18 times in total.
V3.0.5/0.100.1_02 275.377
OS 10.10.5/24" iMac/4GB/VMWare 7.0.3 w/Win7x64
Jim babcock
 
Posts: 333
Joined: Sun 04 Jun 2006 2:51 pm
Location: Encinitas, Ca
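
An added example, not from this thread or from ClamXav: the scan-and-triage logic of Jim's script (and of Don's quarantine handler above) written in Python, generalised in two ways. It hands the raw message to clamd over its INSTREAM protocol instead of writing it to a temporary file first, so nothing lands in the cache/tmp folder that smkolins warned Sentry may be watching, and it keeps the clamdscan exit-code convention the script relies on (0 clean, 1 found, anything else an error) in `clamdscan_exit_verdict` and `triage`. `CLAMD_SOCKET` is a placeholder for the LocalSocket line in your own clamd.conf, the two sample messages are constructed, and `FakeClamd` is a constructed stand-in for the daemon so the block runs offline; `scan_with_clamd` is the variant that talks to a real clamd.

```python
import socket
import struct

# Assumed placeholder: the LocalSocket path from your clamd.conf (not given in the thread).
CLAMD_SOCKET = "/path/to/clamd.socket"

# Constructed sample messages for an offline run; they are not mail from the thread.
SAMPLE_CLEAN = b"From: alice@example.com\r\nSubject: hello\r\n\r\nJust a note.\r\n"
SAMPLE_FLAGGED = b"From: bob@example.com\r\nSubject: hi\r\n\r\nCONSTRUCTED-MALWARE-MARKER\r\n"


def build_instream_request(data: bytes, chunk_size: int = 4096) -> bytes:
    """Frame `data` as a clamd zINSTREAM request: NUL-terminated command, then chunks
    each prefixed by a 4-byte big-endian length, ended by a zero-length chunk."""
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def parse_clamd_reply(reply: bytes) -> tuple:
    """Map 'stream: OK', 'stream: <name> FOUND' or '... ERROR' to (verdict, detail)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text.endswith(" OK"):
        return ("OK", "")
    if text.endswith(" FOUND"):
        return ("FOUND", text[:-len(" FOUND")].split(": ", 1)[-1])
    return ("ERROR", text)


def scan_bytes(data: bytes, conn) -> tuple:
    """Scan a raw message over an open clamd connection; no temp file is written."""
    conn.sendall(build_instream_request(data))
    reply = b""
    while not reply.endswith(b"\0"):  # z-prefixed commands get NUL-terminated replies
        part = conn.recv(4096)
        if not part:
            break
        reply += part
    return parse_clamd_reply(reply)


def scan_with_clamd(data: bytes, socket_path: str = CLAMD_SOCKET) -> tuple:
    """Connect to a real clamd over its Unix socket and scan `data` (needs clamd running)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as conn:
        conn.connect(socket_path)
        return scan_bytes(data, conn)


def clamdscan_exit_verdict(code: int) -> str:
    """clamdscan exit codes as the AppleScript uses them: 0 clean, 1 found, else error."""
    return {0: "OK", 1: "FOUND"}.get(code, "ERROR")


def triage(verdict: str) -> str:
    """Same decision as the script's error handler: quarantine on FOUND, alert on errors."""
    return {"OK": "keep", "FOUND": "quarantine"}.get(verdict, "alert")


class FakeClamd:
    """Constructed stand-in for a clamd socket so the example runs offline: it unframes
    the INSTREAM request and answers FOUND only when the constructed marker is present."""
    MARKER = b"CONSTRUCTED-MALWARE-MARKER"

    def __init__(self):
        self.request = bytearray()
        self.reply = None

    def sendall(self, data: bytes) -> None:
        self.request += data

    def recv(self, n: int) -> bytes:
        if self.reply is None:
            self.reply = self._scan()
        out, self.reply = self.reply[:n], self.reply[n:]
        return bytes(out)

    def _scan(self) -> bytes:
        if not self.request.startswith(b"zINSTREAM\0"):
            return b"UNKNOWN COMMAND\0"
        body, i = bytearray(), len(b"zINSTREAM\0")
        while True:
            (n,) = struct.unpack(">I", self.request[i:i + 4])
            i += 4
            if n == 0:
                break
            body += self.request[i:i + n]
            i += n
        return b"stream: Constructed.Test.Marker FOUND\0" if self.MARKER in body else b"stream: OK\0"


if __name__ == "__main__":
    for raw in (SAMPLE_CLEAN, SAMPLE_FLAGGED):
        verdict, detail = scan_bytes(raw, FakeClamd())
        print(verdict, detail or "-", "->", triage(verdict))
```

To use it against a real daemon, call `scan_with_clamd(raw_message)` in place of `scan_bytes(raw, FakeClamd())`; clamd must have LocalSocket enabled and the user running the script needs permission on that socket. Because the message never touches disk, a folder watcher such as Sentry has nothing to race against, which is the failure smkolins described.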

clamxav and entourage

Postby edson » Thu 16 Apr 2009 11:57 am

is it possible to use clamxav to scan incoming messages in entourage?
edson
 
Posts: 1
Joined: Thu 16 Apr 2009 11:54 am
