tons of infected files getting through???

Chris Yuzik chris at FRACTALWEB.COM
Tue Jan 27 21:37:36 GMT 2004


Jon Fraley wrote:

>I am seeing something similar.  We run MailScanner 4.25-14, McAfee
>v4.2.40 and clamAV 0.65.  It looks like clamAV does not identify all
>of the Worm.SCO.A as mcafee identifies W32/Mydoom at MM.  These are my
>statistics for today:
>
>  W32/Dumaru.a at MM    2
>  W32/Klez.h at MM    2
>  W32/Mimail.a at MM    1
>  W32/Mimail.j at MM    1
>  W32/Mydoom at MM    765
>  Worm.Dumaru.A    2
>  Worm/Klez.H    2
>  Worm.Mimail.J    1
>  Worm.SCO.A    748
>
>I have verified in my log that this is happening.
>
>Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: from=<>,
>size=32981, class=0, nrcpts=1,
>msgid=<200401272047.i0RKlus5017510 at crusher.glenraven.com>, proto=SMTP,
>daemon=MTA, relay=eagle.glenraven.com [198.85.139.28]
>Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510:
>to=<linda at glenraven.com>, delay=00:00:01, mailer=relay, pri=30802,
>stat=queued
>Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning:
>Starting
>Jan 27 15:48:17 crusher MailScanner[2531]: New Batch: Found 2 messages
>waiting
>Jan 27 15:48:19 crusher MailScanner[2531]: New Batch: Scanning 1
>messages, 32040 bytes
>Jan 27 15:48:19 crusher MailScanner[2531]: Spam Checks: Starting
>Jan 27 15:48:19 crusher MailScanner[2543]:
>/i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR        Found
>the W32/Mydoom at MM virus !!!
>Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found
>1 infections
>Jan 27 15:48:20 crusher MailScanner[2543]: Infected message
>i0RKlus5017510 came from 198.85.139.28
>Jan 27 15:48:20 crusher MailScanner[2543]: Saved entire message to
>/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510
>Jan 27 15:48:20 crusher MailScanner[2543]: Saved infected
>"msg-2543-87.txt" to
>/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510
>
>
Hi Jon,

OK, now we're getting somewhere. I was concerned that it was only
happening to me. Now the trick is going to be to figure out exactly when
it happens and why.

Under what circumstances is Clam not detecting? As I see it, we have a
few possibilities:
1. MailScanner is sometimes not asking ClamAV to scan the attachment for
a virus
2. MailScanner IS getting ClamAV to scan, but Clam is not reporting the
infection, for whatever reason
3. Clam is scanning the file and reporting the infection, but
MailScanner is not handling the message correctly. (remember the
situation a couple of months back when Clam started complaining about an
invalid zip header or something, then reported a virus found on the next
line?)

When McAfee detects the virus but Clam doesn't, is it always a zip file
that we're dealing with?

Let's move quickly on this.

Cheers,
Chris
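One way to test hypotheses 2 and 3 from the MailScanner log itself, added here as an example (not code from either poster): it correlates per-message detections across scanners and answers the ".zip" question for each message McAfee flagged but ClamAV did not. The McAfee line format is taken from the quoted log; the ClamAV line format (clamscan-style "path: Name FOUND") and the sample log are constructed assumptions to check against your own log.

```python
import re
from collections import defaultdict

# Detection-line patterns per scanner. The McAfee form is from the quoted
# log; the ClamAV form is an ASSUMPTION and must be verified locally.
PATTERNS = {
    "McAfee": re.compile(r"MailScanner\[\d+\]: (?P<path>/\S+)\s+Found the (?P<name>.+?) virus"),
    "ClamAV": re.compile(r"MailScanner\[\d+\]: (?P<path>/\S+): (?P<name>\S+) FOUND"),
}

# Constructed sample log (real syslog lines are not wrapped). The archive
# renders "@" as " at "; a real McAfee name reads W32/Mydoom@MM.
SAMPLE_LOG = """\
Jan 27 15:48:19 crusher MailScanner[2543]: /i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR        Found the W32/Mydoom@MM virus !!!
Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found 1 infections
Jan 27 15:52:03 crusher MailScanner[2543]: /i0RKm1Xa017611/msg-2543-88.txt/body.zip/BODY.PIF        Found the W32/Mydoom@MM virus !!!
Jan 27 15:52:03 crusher MailScanner[2543]: /i0RKm1Xa017611/msg-2543-88.txt/body.zip/BODY.PIF: Worm.SCO.A FOUND
Jan 27 15:55:40 crusher MailScanner[2543]: /i0RKo7hb017702/msg-2543-89.txt/readme.scr        Found the W32/Mydoom@MM virus !!!
"""

def parse_detections(lines):
    """Return {queue_id: {scanner: (attachment_path, virus_name)}}."""
    hits = defaultdict(dict)
    for line in lines:
        for scanner, pat in PATTERNS.items():
            m = pat.search(line)
            if m:
                path = m.group("path")
                queue_id = path.split("/")[1]  # first path element is the MTA queue id
                hits[queue_id][scanner] = (path, m.group("name"))
    return hits

def missed_by(hits, present="McAfee", absent="ClamAV"):
    """Messages flagged by `present` but not by `absent`, plus whether the
    flagged file was inside a .zip container (the question in the post)."""
    out = []
    for queue_id, by in sorted(hits.items()):
        if present in by and absent not in by:
            path, name = by[present]
            in_zip = any(p.lower().endswith(".zip") for p in path.split("/"))
            out.append((queue_id, name, in_zip))
    return out

if __name__ == "__main__":
    for queue_id, name, in_zip in missed_by(parse_detections(SAMPLE_LOG.splitlines())):
        print(f"{queue_id}: McAfee={name!r}, ClamAV=none, zip container={in_zip}")
```

Run it over `/var/log/maillog` (or wherever MailScanner logs) instead of `SAMPLE_LOG`; a run where every miss has `zip container=True` points at archive handling rather than signatures.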


