New install question - MailScanner-4.15-13 + McAfee virus scan - eicar test fails...sort of?

Richard Bollinger rabollinger at ATTBI.COM
Thu May 15 17:47:00 IST 2003


We've been using MailScanner version 3 for quite a while very successfully.  I'm building a new
mail server, so I'm loading up the latest stuff... but it doesn't quite seem to work:

When I send an email through the server with the eicar.com test, I get these messages:

May 15 12:06:35 mail MailScanner[27539]: MailScanner E-Mail Virus Scanner version 4.15-13 starting...
May 15 12:06:35 mail MailScanner[27539]: Using locktype = flock
May 15 12:07:05 mail MailScanner[27539]: New Batch: Scanning 1 messages, 1401 bytes
May 15 12:07:05 mail MailScanner[27539]: Virus and Content Scanning: Starting
May 15 12:07:05 mail MailScanner[27539]: McAfee said "/usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27541/eicar.com"
May 15 12:07:05 mail MailScanner[27539]: McAfee said "        Found: EICAR test file NOT a virus."
May 15 12:07:05 mail MailScanner[27539]: /usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27541/eicar.com        Found: EICAR test file NOT a virus.
May 15 12:07:05 mail MailScanner[27539]: Virus Scanning: McAfee found 1 infections
May 15 12:07:05 mail MailScanner[27539]: Virus Scanning: Found 1 viruses
May 15 12:07:05 mail MailScanner[27539]: Uninfected: Delivered 1 messages

And the "Uninfected" message is forwarded on to the recipient with the bad attachment intact and
mail headers proclaiming that it was not infected!

For this test, I temporarily took out the filename rule which would otherwise have excluded the .COM
file extension.  With it in place, MS does remove the offending file and report same to all.

Here are all of the changes in my config file from the distribution:
--- MailScanner.conf.FCS Sat Apr 26 14:27:54 2003
+++ MailScanner.conf Wed May 14 17:06:30 2003
@@ -69,18 +69,18 @@
 #    which can in turn contain wildcards.
 #    Example: /opt/MailScanner/etc/mqueue.in.list.conf
 #
-Incoming Queue Dir = /var/spool/mqueue.in
+Incoming Queue Dir = /usr/local/mqueue.in

 # Set location of outgoing mail queue.
 # This can also be the filename of a ruleset.
-Outgoing Queue Dir = /var/spool/mqueue
+Outgoing Queue Dir = /usr/local/mqueue

 # Set where to unpack incoming messages before scanning them
-Incoming Work Dir = /var/spool/MailScanner/incoming
+Incoming Work Dir = /usr/local/MailScanner/var/incoming

 # Set where to store infected and message attachments (if they are kept)
 # This can also be the filename of a ruleset.
-Quarantine Dir = /var/spool/MailScanner/quarantine
+Quarantine Dir = /usr/local/MailScanner/var/quarantine

 # Set where to store the process id number so you can stop MailScanner
 PID file = /opt/MailScanner/var/MailScanner.pid
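Review bot: the `Incoming Work Dir` set here, `/usr/local/MailScanner/var/incoming`, is not the directory the running daemon reports in the log above (`/usr/local/MailScanner/var-4.15-13/incoming/...`), so either `var` is a link to `var-4.15-13` or the running instance is reading a different MailScanner.conf than the one diffed; confirm which file the daemon actually loads before debugging the verdict handling, because edits to the wrong file will never take effect. In the same region, `PID file = /opt/MailScanner/var/MailScanner.pid` is still the distribution default while every other path was moved under `/usr/local`; make the locations consistent.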
@@ -201,7 +201,7 @@
 # space-separated list of virus scanners. For example:
 # Virus Scanners = sophos f-prot mcafee
 #
-Virus Scanners = none
+Virus Scanners = mcafee

 # The maximum length of time the commercial virus scanner is allowed to run
 # for 1 batch of messages (in seconds).
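Review bot: this hunk is taking effect, since the log shows McAfee being invoked and MailScanner summarising `Virus Scanning: Found 1 viruses`; the failure is downstream of scanner selection, in how that verdict is applied to the message (the same batch still ends with `Uninfected: Delivered 1 messages`), so the mcafee output parsing and the `Still Deliver Silent Viruses` handling referenced later in this file are the places to check next, not this line.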
@@ -225,7 +225,7 @@
 # 3) The recipient will not receive the message,
 #    unless the "Still Deliver Silent Viruses" option is set
 # This can also be the filename of a ruleset.
-Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar
+Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Fizzer Livra

 # Still deliver (after cleaning) messages that contained viruses listed
 # in the above option ("Silent Viruses") to the recipient?
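Review bot: entries in `Silent Viruses` are matched against the scanner's report text, and McAfee's report for the test file reads `Found: EICAR test file NOT a virus.`, which matches none of `Klez Yaha-E Bugbear Braid-A WinEvar Fizzer Livra`; this hunk therefore cannot be the cause of the silent delivery. Verify the two added names, `Fizzer` and `Livra`, against the exact strings McAfee emits for those families, since an entry that does not match the report text has no effect.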
@@ -366,7 +366,7 @@
 # Do you want to quarantine the original *entire* message as well as
 # just the infected attachments?
 # This can also be the filename of a ruleset.
-Quarantine Whole Message = no
+Quarantine Whole Message = yes

 # When you quarantine an entire message, do you want to store it as
 # raw mail queue files (so you can easily send them onto users) or
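Review bot: with `Quarantine Whole Message = yes` the complete original message, infected attachment included, is written under `Quarantine Dir` (`/usr/local/MailScanner/var/quarantine` after the first hunk), and the option that follows decides whether it is stored as raw queue files; anyone who can read that directory can retrieve live samples, so restrict it to the MailScanner user and the administrators who release quarantined mail.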
@@ -609,7 +609,7 @@
 # When a virus or attachment is replaced by a plain-text warning,
 # should the warning be in an attachment? If "no" then it will be
 # placed in-line. This can also be the filename of a ruleset.
-Warning Is Attachment = yes
+Warning Is Attachment = no

 # When a virus or attachment is replaced by a plain-text warning,
 # and that warning is an attachment, this is the filename of the
@@ -655,7 +655,7 @@
 # Include the full headers of each message in the notices sent to the local
 # system administrators?
 # This can also be the filename of a ruleset.
-Notices Include Full Headers = no
+Notices Include Full Headers = yes

 # Hide the directory path from all the system administrator notices.
 # The extra directory paths give away information about your setup, and
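Review bot: `Notices Include Full Headers = yes` puts each message's complete headers into the administrator notices; the comment that begins at the end of this hunk explains that directory paths in those notices also disclose the server layout, and since the first hunk moved everything under `/usr/local/MailScanner`, keep that path-hiding option enabled so the notices carry the headers without the work-directory paths.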
@@ -674,12 +674,12 @@

 # Where to send the notices.
 # This can also be the filename of a ruleset.
-Notices To = postmaster
+Notices To = virusmaster at elliott-turbo.com

 # Address of the local Postmaster, which is used as the "From" address in
 # virus warnings sent to users.
 # This can also be the filename of a ruleset.
-Local Postmaster = postmaster
+Local Postmaster = virusmaster at elliott-turbo.com

 #
 # Spam Detection and Virus Scanner Definitions
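Review bot: both addresses read `virusmaster at elliott-turbo.com`, which is the list archive's address obfuscation (the author line at the top of the post is rendered the same way); confirm the real MailScanner.conf has a proper `user@domain` address in `Notices To` and `Local Postmaster`, because a malformed `Notices To` means the administrator notices about detections like the one logged above never arrive, and `Local Postmaster` is the From address on the warnings users receive.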



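The log excerpt in the post shows the contradiction being asked about: a batch in which the scanner reports `Virus Scanning: Found 1 viruses` and the same batch nonetheless ends with `Uninfected: Delivered 1 messages`. As an added example (not from the post and not MailScanner's own code), here is a small Python check that parses syslog lines in the format shown, groups them into batches per MailScanner child PID, and flags any batch whose clean-delivery count contradicts the scanner verdict. The sample log is the post's excerpt re-joined onto single lines plus one constructed clean batch; the regular expressions assume the line layout seen in that excerpt.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the excerpt from the post, each wrapped log line re-joined,
# followed by a second, constructed batch where verdict and delivery agree.
SAMPLE_LOG = """\
May 15 12:06:35 mail MailScanner[27539]: MailScanner E-Mail Virus Scanner version 4.15-13 starting...
May 15 12:06:35 mail MailScanner[27539]: Using locktype = flock
May 15 12:07:05 mail MailScanner[27539]: New Batch: Scanning 1 messages, 1401 bytes
May 15 12:07:05 mail MailScanner[27539]: Virus and Content Scanning: Starting
May 15 12:07:05 mail MailScanner[27539]: McAfee said "/usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27541/eicar.com"
May 15 12:07:05 mail MailScanner[27539]: McAfee said "        Found: EICAR test file NOT a virus."
May 15 12:07:05 mail MailScanner[27539]: Virus Scanning: McAfee found 1 infections
May 15 12:07:05 mail MailScanner[27539]: Virus Scanning: Found 1 viruses
May 15 12:07:05 mail MailScanner[27539]: Uninfected: Delivered 1 messages
May 15 12:09:10 mail MailScanner[27539]: New Batch: Scanning 2 messages, 3012 bytes
May 15 12:09:10 mail MailScanner[27539]: Virus Scanning: Found 0 viruses
May 15 12:09:10 mail MailScanner[27539]: Uninfected: Delivered 2 messages
"""

# Syslog prefix as seen in the excerpt: "<month> <day> <time> <host> MailScanner[<pid>]: <message>"
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s\S+\sMailScanner\[(?P<pid>\d+)\]:\s?(?P<msg>.*)$')
BATCH_RE = re.compile(r'New Batch: Scanning (\d+) messages')
FOUND_RE = re.compile(r'Virus Scanning: Found (\d+) viruses')
DELIV_RE = re.compile(r'Uninfected: Delivered (\d+) messages')


@dataclass
class Batch:
    pid: str
    started: str
    messages: int            # messages in the batch, from the "New Batch" line
    viruses: int = 0         # scanner verdict, from "Virus Scanning: Found N viruses"
    delivered_clean: int = 0 # messages passed on as "Uninfected"
    scanner_lines: list = field(default_factory=list)  # raw scanner output kept for the report


def parse_batches(text):
    """Group MailScanner log lines into batches, keyed by the child PID that logged them."""
    batches = []
    in_progress = {}  # pid -> Batch currently being scanned by that child
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a MailScanner line; ignore
        pid, msg, ts = m['pid'], m['msg'], m['ts']
        started = BATCH_RE.search(msg)
        if started:
            in_progress[pid] = Batch(pid, ts, int(started.group(1)))
            batches.append(in_progress[pid])
            continue
        batch = in_progress.get(pid)
        if batch is None:
            continue  # startup chatter before the first batch
        if msg.startswith(('McAfee said', 'Virus Scanning:')):
            batch.scanner_lines.append(msg)
        found = FOUND_RE.search(msg)
        if found:
            batch.viruses = int(found.group(1))
        delivered = DELIV_RE.search(msg)
        if delivered:
            batch.delivered_clean = int(delivered.group(1))
    return batches


def find_verdict_mismatches(batches):
    """Batches where the scanner found something, yet every message still went out as 'Uninfected'."""
    return [b for b in batches if b.viruses > 0 and b.delivered_clean >= b.messages]


if __name__ == '__main__':
    for b in find_verdict_mismatches(parse_batches(SAMPLE_LOG)):
        print(f'{b.started} pid {b.pid}: scanner found {b.viruses} virus(es) but '
              f'{b.delivered_clean}/{b.messages} message(s) were delivered as uninfected')
        for line in b.scanner_lines:
            print('   ', line)
```

Run against a real MailScanner syslog this flags exactly the situation the post describes, which is useful as a regression check after changing the config: if the fix is effective, the EICAR batch should disappear from the output because its `Uninfected: Delivered` count drops below the batch size.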