ClamAV output missing on DEC Unix 4.0F

Alisdair Davey ard at PERGAMENTUM.COM
Thu Mar 11 18:54:47 GMT 2004


Julian, in your copious spare time could you have a look at the following
please.

I'm running MailScanner V4.28.4 with ClamAV 0.67-1 and Sophos 3.79 on a Dec
Unix V4.0F box, via a tar install. I am having a problem whereby the ClamAV
scanner is run and will detect a virus, but that detection doesn't seem to
make it back to MailScanner. Here is the virus notification message I just
got regarding an eicar test I sent.

The following e-mail messages were found to have viruses in them:

    Sender: ard at www.pergamentum.com
IP Address: 216.166.166.66
 Recipient: ard at mithra.physics.montana.edu
   Subject: test with eicar
 MessageID: i2BILHpq027443
    Report: Sophos: >>> Virus 'EICAR-AV-Test' found in file ./i2BILHpq027443/eicar.co
            MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)

As you would expect if I was only using Sophos. However if I look into the
maillog.

Mar 11 11:21:17 mithra sendmail[27443]: i2BILHpq027443: from=<ard at www.pergamentum.com>, size=1167, class=0, nrcpts=1, msgid=<200403111821.i2BILHo28688 at www.pergamentum.com>, proto=ESMTP, daemon=MTA, relay=www.pergamentum.com [216.166.166.66]
Mar 11 11:21:19 mithra MailScanner[17268]: New Batch: Scanning 1 messages, 1696 bytes
Mar 11 11:21:19 mithra MailScanner[17268]: Spam Checks: Starting
Mar 11 11:21:22 mithra MailScanner[17268]: Virus and Content Scanning: Starting
Mar 11 11:21:25 mithra MailScanner[17268]: /usr/var/spool/MailScanner/incoming/17268/./i2BILHpq027443/eicar.com: Eicar-Test-Signature FOUND
Mar 11 11:21:27 mithra MailScanner[17268]: Virus Scanning: ClamAV found 1 infections
Mar 11 11:21:31 mithra MailScanner[17268]: >>> Virus 'EICAR-AV-Test' found in file ./i2BILHpq027443/eicar.com
Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Sophos found 1 infections
Mar 11 11:21:31 mithra MailScanner[17268]: Infected message i2BILHpq027443 came from 216.166.166.66
Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Found 1 viruses
Mar 11 11:21:31 mithra MailScanner[17268]: Filename Checks: Windows/DOS Executable (i2BILHpq027443 eicar.com)
Mar 11 11:21:31 mithra MailScanner[17268]: Other Checks: Found 1 problems
Mar 11 11:21:32 mithra MailScanner[17268]: Saved entire message to /var/spool/MailScanner/quarantine/20040311/i2BILHpq027443
Mar 11 11:21:32 mithra MailScanner[17268]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040311/i2BILHpq027443
Mar 11 11:21:32 mithra MailScanner[17268]: Notices: Warned about 1 messages

As you can see MailScanner reports that ClamAV finds 1 infection but then
seems to forget about it. This has left me on a couple of occasions to rely
on filename blocking when Sophos doesn't have a signature out, even though
ClamAV successfully detects a virus.

# grep "Virus Scanners" MailScanner.conf
Virus Scanners = clamav sophos
# grep clamav virus.scanners.conf
clamav          /opt/MailScanner/lib/clamav-wrapper     /usr/local
...
# ls -l /usr/local/bin/clamscan
-rwxr-xr-x   1 root     system    221184 Mar 11 11:19 /usr/local/bin/clamscan

Cheers
Alisdair

--
Dr Alisdair Davey                                 ard at pergamentum.com
Pergamentum Solutions                             Tel: 1-406-581-6869
2066 Dailey Lane
Superior, CO 80027
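
A log check for the failure described in the post, added here as an example and not part of the original message or of MailScanner: it groups maillog lines by MailScanner child PID and batch, and flags any batch where a scanner logged infections but no non-zero "Virus Scanning: Found N viruses" total followed. The line formats are taken from the log quoted above; batch 17301 and the rule that a missing total means a lost detection are assumptions, and the batch quoted in the post is not flagged because Sophos also detected the file.

```python
import re

# Constructed sample in the maillog format quoted in the post. Batch 17268
# mirrors the post; batch 17301 is a hypothetical batch in which ClamAV logs
# a hit but no "Virus Scanning: Found N viruses" total follows (assumption).
SAMPLE_LOG = """\
Mar 11 11:21:19 mithra MailScanner[17268]: New Batch: Scanning 1 messages, 1696 bytes
Mar 11 11:21:27 mithra MailScanner[17268]: Virus Scanning: ClamAV found 1 infections
Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Sophos found 1 infections
Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Found 1 viruses
Mar 11 11:25:02 mithra MailScanner[17301]: New Batch: Scanning 1 messages, 2048 bytes
Mar 11 11:25:09 mithra MailScanner[17301]: Virus Scanning: ClamAV found 1 infections
Mar 11 11:25:13 mithra MailScanner[17301]: Other Checks: Found 1 problems
"""

LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
PER_SCANNER = re.compile(r"Virus Scanning: (\S+) found (\d+) infections")
TOTAL = re.compile(r"Virus Scanning: Found (\d+) viruses")


def lost_detections(log_text):
    """Return (pid, scanner, count) for each batch where a scanner logged
    infections but the batch total is missing or zero."""
    open_batches, findings = {}, []

    def close(pid):
        batch = open_batches.pop(pid, None)
        if batch and batch["total"] == 0:
            findings.extend((pid, name, n) for name, n in batch["hits"].items() if n)

    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("New Batch:"):
            close(pid)  # the previous batch of this child process is over
            open_batches[pid] = {"hits": {}, "total": 0}
        elif pid in open_batches:
            if hit := PER_SCANNER.match(msg):
                open_batches[pid]["hits"][hit.group(1)] = int(hit.group(2))
            elif total := TOTAL.match(msg):
                open_batches[pid]["total"] = int(total.group(1))
    for pid in list(open_batches):
        close(pid)  # batches still open at end of input
    return findings


if __name__ == "__main__":
    for pid, scanner, count in lost_detections(SAMPLE_LOG):
        print(f"MailScanner[{pid}]: {scanner} found {count}, no batch total logged")
```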


