Return to Support

Signature Testing

 

In order to make sure you are getting the best out of the Sanesecurity signatures, you should follow the following three email tests and make sure that your email setup "passed" all three tests:

TEST 1 — Html.Sanesecurity.TestSig_Type3_Bdy

Send a HTML formatted email to yourself with this text in the BODYof the email:

body_rrg63uhj2ucyeccrux7d83a4qd5ua5vnlgwjp6b6fmpzpobzjabftehuhraxfbyzzzzz

 

TEST 2 — Email.Sanesecurity.TestSig_Type4_Hdr

Send an email to yourself with this text in the SUBJECT of the email:

rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZpObZJAbftehuhRAXFby

 

TEST 3 — Email.Sanesecurity.TestSig_Type4_Bdy

Send an email to yourself with this text in the BODY of the email:

body_rrg63Uhj2UCyECcruX7D83A4qd5UA5vnlgwJp6b6fmPZ0ajdjkwjnSSDfsdfsdfnwerd

Results

TEST 1: Html.Sanesecurity.TestSig_Type3_Bdy FOUND
TEST 2: Email.Sanesecurity.TestSig_Type4_Hdr FOUND
TEST 3: Email.Sanesecurity.TestSig_Type4_Bdy FOUND

NOTE: TEST 2 is an important one to pass, as a lot of the newer signatures use the message headers of an email. If you fail this test, it's usually due to you email system not passing the complete RAW/Whole message to be scanned by ClamAV.

If you cannot get the test to work, even after reading the next notes… ensure you have a copy of the sanesecurity.ftm file in the data/db area of ClamAV, otherwise please contact me and I can do some testing.

Notes for various mail filters

amavisd-new

Use key 'MAIL' in @keep_decoded_original_maps, e.g.:

@keep_decoded_original_maps = (new_RE(
qr'^MAIL$', # retain full original message for virus checking
qr'^MAIL-UNDECIPHERABLE$', # recheck full mail if it contains undecipherables
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
));

You may find that you already have a '^MAIL$' token in there, but commented out by default. Uncomment it, restart amavisd-maia, and the full, undecoded body of the email will be scanned in addition to the attachments.

For more information on the above, see this thread

Mail Scanner

You'll need to have this setting enabled:

ClamAV Full Message Scan = yes

and you may also need the following patch (which will be included in the next version of MailScanner:

— /root/v4/NEWSTABLE/mailscanner/bin/MailScanner/SweepViruses.pm 2009-01-11 19:27:02.000000000 +0000
+++ SweepViruses.pm 2009-01-25 16:24:33.000000000 +0000
@@ -2724,6 +2724,8 @@
$file =~ s/^(./)?$BaseDir/?//;
$file =~ s/^.///;
my ($id,$part) = split ///, $file, 2;
+ # JKF 20090125 Full message check.
+ $part = "" if $id =~ s/.(message|header)$//; # Only log the whole message if no attachment has been logged
MailScanner::Log::InfoLog("%s", $logline)

Qmail-Scanner

You need to make sure the "–redundant yes" option is enabled – which makes Qmail-Scanner pass the entire message to AVs for scanning.

mimedefang-filter

Only the body is scanned by default, unless you call md_copy_orig_msg_to_work_dir() just before the call to message_contains_virus().

Permanent link to this article: https://sanesecurity.com/support/signature-testing/