ClamAV output missing on DEC Unix 4.0F

Julian Field mailscanner at ecs.soton.ac.uk
Thu Mar 11 20:16:51 GMT 2004 

This sounds like a classic example of you not having the
Incoming Work Dir (or whatever it is called) set to
"/var/spool/MailScanner/incoming" instead of the true path which is
"/usr/var/spool/MailScanner/incoming".

This needs to be in the MAQ.

At 18:54 11/03/2004, you wrote:
>Julian, in your copious spare time could you have a look at the following
>please.
>
>I'm running MailScanner V4.28.4 with ClamAV 0.67-1 and Sophos 3.79 on a Dec
>Unix V4.0F box, via a tar install. I am having a problem whereby the ClamAV
>scanner is run and will detect a virus, but that detection doesn't seem to
>make it back to MailScanner. Here is the virus notification message I just
>got regarding an eicar test I sent.
>
>The following e-mail messages were found to have viruses in them:
>
>     Sender: ard at www.pergamentum.com
>IP Address: 216.166.166.66
>  Recipient: ard at mithra.physics.montana.edu
>    Subject: test with eicar
>  MessageID: i2BILHpq027443
>     Report: Sophos: >>> Virus 'EICAR-AV-Test' found in file
> ./i2BILHpq027443/eicar.co
>             MailScanner: Executable DOS/Windows programs are dangerous in
> email (eicar.com)
>
>As you would expect if I was only using Sophos. However if I look into the
>maillog.
>
>Mar 11 11:21:17 mithra sendmail[27443]: i2BILHpq027443:
>from=<ard at www.pergamentum.com>, size=1167, class=0, nrcpts=1,
>msgid=<200403111821.i2BILHo28688 at www.pergamentum.com>, proto=ESMTP,
>daemon=MTA, relay=www.pergamentum.com [216.166.166.66]
>Mar 11 11:21:19 mithra MailScanner[17268]: New Batch: Scanning 1 messages,
>1696 bytes
>Mar 11 11:21:19 mithra MailScanner[17268]: Spam Checks: Starting
>Mar 11 11:21:22 mithra MailScanner[17268]: Virus and Content Scanning:
>Starting
>Mar 11 11:21:25 mithra MailScanner[17268]:
>/usr/var/spool/MailScanner/incoming/17268/./i2BILHpq027443/eicar.com:
>Eicar-Test-Signature FOUND
>Mar 11 11:21:27 mithra MailScanner[17268]: Virus Scanning: ClamAV found 1
>infections
>Mar 11 11:21:31 mithra MailScanner[17268]: >>> Virus 'EICAR-AV-Test' found
>in file ./i2BILHpq027443/eicar.com
>Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Sophos found 1
>infections
>Mar 11 11:21:31 mithra MailScanner[17268]: Infected message i2BILHpq027443
>came from 216.166.166.66
>Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Found 1 viruses
>Mar 11 11:21:31 mithra MailScanner[17268]: Filename Checks: Windows/DOS
>Executable (i2BILHpq027443 eicar.com)
>Mar 11 11:21:31 mithra MailScanner[17268]: Other Checks: Found 1 problems
>Mar 11 11:21:32 mithra MailScanner[17268]: Saved entire message to
>/var/spool/MailScanner/quarantine/20040311/i2BILHpq027443
>Mar 11 11:21:32 mithra MailScanner[17268]: Saved infected "eicar.com" to
>/var/spool/MailScanner/quarantine/20040311/i2BILHpq027443
>Mar 11 11:21:32 mithra MailScanner[17268]: Notices: Warned about 1 messages
>
>As you can see MailScanner reports that ClamAV finds 1 infection but then
>seems to forget about it. This as left me on a couple of occasions to rely
>on filename blocking when Sophos doesn't have a signature out, even though
>ClamAV successfully detects a virus.
>
># grep "Virus Scanners" MailScanner.conf
>Virus Scanners = clamav sophos
># grep clamav virus.scanners.conf
>clamav          /opt/MailScanner/lib/clamav-wrapper     /usr/local
>...
># ls -l /usr/local/bin/clamscan
>-rwxr-xr-x   1 root     system    221184 Mar 11 11:19 /usr/local/bin/clamscan
>
>Cheers
>Alisdair
>
>--
>Dr Alisdair Davey                                 ard at pergamentum.com
>Pergamentum Solutions                             Tel: 1-406-581-6869
>2066 Dailey Lane
>Superior, CO 80027

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

More information about the MailScanner mailing list