tons of infected files getting through???

Jon Fraley jfraley at glenraven.com
Tue Jan 27 21:45:06 GMT 2004


On Tue, 2004-01-27 at 16:37, Chris Yuzik wrote:
> Jon Fraley wrote:
>
> >I am seeing something similar.  We run MailScanner 4.25-14, McAfee
> >v4.2.40 and clamAV 0.65.  It looks like clamAV does not identify all
> >of the Worm.SCO.A as mcafee identifies W32/Mydoom at MM.  These are my
> >statistics for today:
> >
> >  W32/Dumaru.a at MM    2
> >  W32/Klez.h at MM    2
> >  W32/Mimail.a at MM    1
> >  W32/Mimail.j at MM    1
> >  W32/Mydoom at MM    765
> >  Worm.Dumaru.A    2
> >  Worm/Klez.H    2
> >  Worm.Mimail.J    1
> >  Worm.SCO.A    748
> >
> >I have verified in my log that this is happening.
> >
> >Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510: from=<>,
> >size=32981, class=0, nrcpts=1,
> >msgid=<200401272047.i0RKlus5017510 at crusher.glenraven.com>, proto=SMTP,
> >daemon=MTA, relay=eagle.glenraven.com [198.85.139.28]
> >Jan 27 15:47:57 crusher sendmail[17510]: i0RKlus5017510:
> >to=<linda at glenraven.com>, delay=00:00:01, mailer=relay, pri=30802,
> >stat=queued
> >Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning:
> >Starting
> >Jan 27 15:48:17 crusher MailScanner[2531]: New Batch: Found 2 messages
> >waiting
> >Jan 27 15:48:19 crusher MailScanner[2531]: New Batch: Scanning 1
> >messages, 32040 bytes
> >Jan 27 15:48:19 crusher MailScanner[2531]: Spam Checks: Starting
> >Jan 27 15:48:19 crusher MailScanner[2543]:
> >/i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR        Found
> >the W32/Mydoom at MM virus !!!
> >Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found
> >1 infections
> >Jan 27 15:48:20 crusher MailScanner[2543]: Infected message
> >i0RKlus5017510 came from 198.85.139.28
> >Jan 27 15:48:20 crusher MailScanner[2543]: Saved entire message to
> >/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510
> >Jan 27 15:48:20 crusher MailScanner[2543]: Saved infected
> >"msg-2543-87.txt" to
> >/var/spool/MailScanner/quarantine/20040127/i0RKlus5017510
> >
> >
> Hi Jon,
>
> OK, now we're getting somewhere. I was concerned that it was only
> happening to me. Now the trick is going to be to figure out exactly when
> it happens and why.
>
> Under what circumstances is Clam not detecting? As I see it, we have a
> few possibilities:
> 1. MailScanner is sometimes not asking ClamAV to scan the attachment for
> a virus
> 2. MailScanner IS getting ClamAV to scan, but Clam is not reporting the
> infection, for whatever reason
> 3. Clam is scanning the file and reporting the infection, but
> MailScanner is not handling the message correctly. (remember the
> situation a couple of months back when Clam started complaining about an
> invalid zip header or something, then reported a virus found on the next
> line?)
>
> When McAfee detects the virus but Clam doesn't, is it always a zip file
> that we're dealing with?
>
Not always a zip file:


> New Batch: Scanning 1 messages, 33321 bytes
> Jan 27 05:35:45 crusher MailScanner[2034]: Spam Checks: Starting
> Jan 27 05:35:49 crusher MailScanner[2034]: Virus and Content Scanning: Starting
> Jan 27 05:35:50 crusher MailScanner[2034]: /i0RAZgF0012813/msg-2034-182.txt/document.cmd        Found the W32/Mydoom at MM virus !!!
> Jan 27 05:35:50 crusher MailScanner[2034]: Virus Scanning: McAfee found 1 infections
> Jan 27 05:35:50 crusher MailScanner[2034]: Infected message i0RAZgF0012813 came from 198.85.139.28
> Jan 27 05:35:50 crusher MailScanner[2034]: Saved entire message to /var/spool/MailScanner/quarantine/20040127/i0RAZgF0012813
> Jan 27 05:35:51 crusher MailScanner[2034]: Saved infected "msg-2034-182.txt" to /var/spool/MailScanner/quarantine/20040127/i0RAZgF0012813

Jon
> Let's move quickly on this.
>
> Cheers,
> Chris
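One way to narrow down Chris's possibilities 1 to 3 is to group the MailScanner log by scanning child and batch and list the batches in which the configured scanners reported different infection counts. This is an added example, not code from the thread or from MailScanner itself; the sample log is constructed from the lines quoted above, and the "clamav" scanner name and the second batch are assumptions.

```python
import re

# Constructed sample in the log format quoted in the thread.  The McAfee lines
# follow the originals; the "clamav" lines and the second batch are assumptions
# (the scanner name MailScanner logs depends on its "Virus Scanners" setting).
SAMPLE_LOG = """\
Jan 27 15:48:16 crusher MailScanner[2543]: Virus and Content Scanning: Starting
Jan 27 15:48:19 crusher MailScanner[2543]: /i0RKlus5017510/msg-2543-87.txt/document.zip/DOCUMENT.SCR        Found the W32/Mydoom at MM virus !!!
Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: McAfee found 1 infections
Jan 27 15:48:19 crusher MailScanner[2543]: Virus Scanning: clamav found 0 infections
Jan 27 15:52:01 crusher MailScanner[2543]: Virus and Content Scanning: Starting
Jan 27 15:52:03 crusher MailScanner[2543]: /i0RKq0s5017611/msg-2543-88.txt/body.zip/BODY.PIF        Found the W32/Mydoom at MM virus !!!
Jan 27 15:52:03 crusher MailScanner[2543]: Virus Scanning: McAfee found 1 infections
Jan 27 15:52:03 crusher MailScanner[2543]: /i0RKq0s5017611/msg-2543-88.txt/body.zip/BODY.PIF        Found the Worm.SCO.A virus !!!
Jan 27 15:52:03 crusher MailScanner[2543]: Virus Scanning: clamav found 1 infections
"""

LINE_RE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
SUMMARY_RE = re.compile(r"^Virus Scanning: (\S+) found (\d+) infections")
DETECT_RE = re.compile(r"^/(\w+)/\S+\s+Found the (.+?) virus")

def scanner_disagreements(log_text):
    """Return the scan batches whose scanners reported different infection
    counts.  A batch is what one MailScanner child (told apart by the pid in
    "MailScanner[pid]") logs after "Virus and Content Scanning: Starting"."""
    open_batches, done = {}, []
    def flush(pid):
        b = open_batches.pop(pid, None)
        if b and b["counts"]:
            done.append(b)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, rest = m.groups()
        if rest.startswith("Virus and Content Scanning: Starting"):
            flush(pid)
            open_batches[pid] = {"counts": {}, "hits": []}
            continue
        b = open_batches.get(pid)
        if b is None:
            continue
        if s := SUMMARY_RE.match(rest):
            b["counts"][s.group(1)] = int(s.group(2))   # per-scanner total
        elif d := DETECT_RE.match(rest):
            b["hits"].append((d.group(1), d.group(2)))  # (message id, name)
    for pid in list(open_batches):
        flush(pid)
    return [b for b in done if len(set(b["counts"].values())) > 1]
```

Each returned batch carries the message ids and names the detecting scanner logged, so the quarantined copy under /var/spool/MailScanner/quarantine can be rescanned by hand with the scanner that missed it.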
