ClamAv Logging Virus Name

Miguel Koren OBrien de Lacy miguelk at KONSULTEX.COM.BR
Thu Aug 21 13:43:10 IST 2003


I have the same problem/symptom. My log always shows this type of output:

Aug  4 13:12:56 TBNET MailScanner[29665]: New Batch: Scanning 1 messages, 87565 bytes
Aug  4 13:12:56 TBNET MailScanner[29665]: Virus and Content Scanning: Starting
Aug  4 13:12:57 TBNET MailScanner[29665]: /var/spool/MailScanner/incoming/29665/./h74GCUd31049/TELE REDES.doc.exe
Aug  4 13:12:57 TBNET MailScanner[29665]: Virus Scanning: ClamAV found 1 infections
Aug  4 13:12:57 TBNET MailScanner[29665]: Virus Scanning: Found 1 viruses
Aug  4 13:12:57 TBNET MailScanner[29665]: Filename Checks: Windows/DOS Executable (TELE REDES.doc.exe)
Aug  4 13:12:57 TBNET MailScanner[29665]: Filetype Checks: No executables (TELE REDES.doc.exe)
Aug  4 13:12:57 TBNET MailScanner[29665]: Other Checks: Found 2 problems
Aug  4 13:12:57 TBNET MailScanner[29665]: Saved infected "TELE REDES.doc.exe" to /var/spool/MailScanner/quarantin
Aug  4 13:12:57 TBNET MailScanner[29665]: Silent: Delivered 1 messages containing silent viruses

(some lines are truncated in this copy/paste I just did)

I also have the strange symptom that the CLAM pattern database appears to be up to date
but the freshclam.log does not report any updates and MailScanner logs that it does
not need to be updated. On another server it does log update activity and the virus
count (checked with clamd.log) on both is the same.

Miguel

---------- Original Message -----------
From: Antony Stone <Antony at SOFT-SOLUTIONS.CO.UK>
To: MAILSCANNER at JISCMAIL.AC.UK
Sent: Wed, 20 Aug 2003 22:18:49 +0100
Subject: Re: ClamAv Logging Virus Name

> On Wednesday 20 August 2003 8:58 pm, Stephe Campbell wrote:
>
> > I seem to recall something about inserting the name of the virus found into
> > the maillog entry when a virus was found. I use ClamAV. I have looked in
> > the archives and also keep all of the mail from the list, but can't seem to
> > find the right search parameters. Can anyone help me here or tell me how I
> > might track virus detection other than just the generic "virus found" stuff
>
> My MailScanner / ClamAV installation syslogs the name of the virus detected
> by ClamAV right after the line saying "Virus and Content Scanning: Starting",
> with a line something like
> "/var/spool/MailScanner/incoming/20692/./h7KLCYr23617/your_document.pif:
> Worm.Sobig.F FOUND"
> This is then followed by the line saying: "Virus Scanning: ClamAV found 1
> infections"
>
> I haven't turned on any extra debugging etc.
>
> What do your syslogs show when a virus is found?
>
> Antony.
>
> --
>
> Most people have more than the average number of legs.
------- End of Original Message -------
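
Added example, not part of either post: a small Python audit of MailScanner syslog output that extracts the virus name from "<path>: <name> FOUND" lines and flags batches where ClamAV reported infections but no name was logged, the symptom described above. The sample lines are constructed from the two excerpts in this thread (the host "mx1" and the Aug 20 timestamps are made up), and treating the last directory in the path as the message id is an assumption.

```python
import re

# Constructed sample lines, modelled on the two log excerpts in this thread.
SAMPLE_LOG = """\
Aug 20 22:10:01 mx1 MailScanner[20692]: Virus and Content Scanning: Starting
Aug 20 22:10:02 mx1 MailScanner[20692]: /var/spool/MailScanner/incoming/20692/./h7KLCYr23617/your_document.pif: Worm.Sobig.F FOUND
Aug 20 22:10:02 mx1 MailScanner[20692]: Virus Scanning: ClamAV found 1 infections
Aug  4 13:12:56 TBNET MailScanner[29665]: Virus and Content Scanning: Starting
Aug  4 13:12:57 TBNET MailScanner[29665]: /var/spool/MailScanner/incoming/29665/./h74GCUd31049/TELE REDES.doc.exe
Aug  4 13:12:57 TBNET MailScanner[29665]: Virus Scanning: ClamAV found 1 infections
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) MailScanner\[(\d+)\]: ?(.*)$")
FOUND = re.compile(r"^(/.+): (\S+) FOUND$")   # file names may contain spaces
COUNT = re.compile(r"^Virus Scanning: ClamAV found (\d+) infections$")
START = "Virus and Content Scanning: Starting"


def audit(log_text):
    """Return (detections, gaps): named hits, and batches lacking a name line."""
    detections, gaps, named = [], [], {}
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        when, host, pid, msg = m.groups()
        if msg == START:
            named[pid] = 0                    # new batch for this child process
        elif (f := FOUND.match(msg)):
            path, virus = f.groups()
            parts = path.split("/")
            # Assumption: the directory holding the file is the message id.
            detections.append({"time": when, "host": host, "pid": pid,
                               "message_id": parts[-2], "file": parts[-1],
                               "virus": virus})
            named[pid] = named.get(pid, 0) + 1
        elif (c := COUNT.match(msg)):
            reported, seen = int(c.group(1)), named.pop(pid, 0)
            if reported > seen:               # infection counted, name missing
                gaps.append({"time": when, "host": host, "pid": pid,
                             "reported": reported, "named": seen})
    return detections, gaps


if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```
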
