ClamAV output missing on DEC Unix 4.0F

Ugo Bellavance ugob at CAMO-ROUTE.COM
Thu Mar 11 20:33:18 GMT 2004


>-----Original Message-----
>From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK]
>Sent: March 11, 2004 15:17
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: ClamAV output missing on DEC Unix 4.0F
>
>
>This sounds like a classic example of you not having the
>Incoming Work Dir (or whatever it is called) set to
>"/var/spool/MailScanner/incoming" instead of the true path which is
>"/usr/var/spool/MailScanner/incoming".
>
>This needs to be in the MAQ.

Ok, I'll add it.  However, I don't know exactly how to write it.
If someone can do it, I'd like to have a short text explaining the problem and the solution
and an FAQ with the complete solution and I'll put a link to it.

Thanks,
Ugo

BTW, Julian, did you have the time to take a look at the MAQ page I've written?


>
>At 18:54 11/03/2004, you wrote:
>>Julian, in your copious spare time could you have a look at the following
>>please.
>>
>>I'm running MailScanner V4.28.4 with ClamAV 0.67-1 and Sophos 3.79 on a Dec
>>Unix V4.0F box, via a tar install. I am having a problem whereby the ClamAV
>>scanner is run and will detect a virus, but that detection doesn't seem to
>>make it back to MailScanner. Here is the virus notification message I just
>>got regarding an eicar test I sent.
>>
>>The following e-mail messages were found to have viruses in them:
>>
>>     Sender: ard at www.pergamentum.com
>>IP Address: 216.166.166.66
>>  Recipient: ard at mithra.physics.montana.edu
>>    Subject: test with eicar
>>  MessageID: i2BILHpq027443
>>     Report: Sophos: >>> Virus 'EICAR-AV-Test' found in file
>> ./i2BILHpq027443/eicar.co
>>             MailScanner: Executable DOS/Windows programs are dangerous in
>> email (eicar.com)
>>
>>As you would expect if I was only using Sophos. However if I look into the
>>maillog.
>>
>>Mar 11 11:21:17 mithra sendmail[27443]: i2BILHpq027443: from=<ard at www.pergamentum.com>, size=1167, class=0, nrcpts=1, msgid=<200403111821.i2BILHo28688 at www.pergamentum.com>, proto=ESMTP, daemon=MTA, relay=www.pergamentum.com [216.166.166.66]
>>Mar 11 11:21:19 mithra MailScanner[17268]: New Batch: Scanning 1 messages, 1696 bytes
>>Mar 11 11:21:19 mithra MailScanner[17268]: Spam Checks: Starting
>>Mar 11 11:21:22 mithra MailScanner[17268]: Virus and Content Scanning: Starting
>>Mar 11 11:21:25 mithra MailScanner[17268]: /usr/var/spool/MailScanner/incoming/17268/./i2BILHpq027443/eicar.com: Eicar-Test-Signature FOUND
>>Mar 11 11:21:27 mithra MailScanner[17268]: Virus Scanning: ClamAV found 1 infections
>>Mar 11 11:21:31 mithra MailScanner[17268]: >>> Virus 'EICAR-AV-Test' found in file ./i2BILHpq027443/eicar.com
>>Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Sophos found 1 infections
>>Mar 11 11:21:31 mithra MailScanner[17268]: Infected message i2BILHpq027443 came from 216.166.166.66
>>Mar 11 11:21:31 mithra MailScanner[17268]: Virus Scanning: Found 1 viruses
>>Mar 11 11:21:31 mithra MailScanner[17268]: Filename Checks: Windows/DOS Executable (i2BILHpq027443 eicar.com)
>>Mar 11 11:21:31 mithra MailScanner[17268]: Other Checks: Found 1 problems
>>Mar 11 11:21:32 mithra MailScanner[17268]: Saved entire message to /var/spool/MailScanner/quarantine/20040311/i2BILHpq027443
>>Mar 11 11:21:32 mithra MailScanner[17268]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040311/i2BILHpq027443
>>Mar 11 11:21:32 mithra MailScanner[17268]: Notices: Warned about 1 messages
>>
>>As you can see MailScanner reports that ClamAV finds 1 infection but then
>>seems to forget about it. This has left me on a couple of occasions to rely
>>on filename blocking when Sophos doesn't have a signature out, even though
>>ClamAV successfully detects a virus.
>>
>># grep "Virus Scanners" MailScanner.conf
>>Virus Scanners = clamav sophos
>># grep clamav virus.scanners.conf
>>clamav          /opt/MailScanner/lib/clamav-wrapper     /usr/local
>>...
>># ls -l /usr/local/bin/clamscan
>>-rwxr-xr-x   1 root     system    221184 Mar 11 11:19 /usr/local/bin/clamscan
>>
>>Cheers
>>Alisdair
>>
>>--
>>Dr Alisdair Davey                                 ard at pergamentum.com
>>Pergamentum Solutions                             Tel: 1-406-581-6869
>>2066 Dailey Lane
>>Superior, CO 80027
>
>--
>Julian Field
>www.MailScanner.info
>Professional Support Services at www.MailScanner.biz
>MailScanner thanks transtec Computers for their support
>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
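
An added example, not part of the original thread and not MailScanner's own code: a shell check for the mismatch Julian describes, where the configured work directory goes through a symlink while the scanner reports the true path. The prefix comparison in `reported_under_workdir` is an assumed model of the matching, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example (not MailScanner code): verify "Incoming Work Dir" is a physical path.

# Print the "Incoming Work Dir" value from a MailScanner.conf-style file.
conf_workdir() {
    sed -n 's/^[[:space:]]*Incoming Work Dir[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# Print a directory's physical path, with every symlink component resolved.
physical_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# 0 = configured value is the true path, 1 = it passes through a symlink,
# 2 = setting missing or directory not accessible.
check_workdir() {
    configured=$(conf_workdir "$1")
    configured=${configured%/}   # ignore a single trailing slash
    [ -n "$configured" ] || { echo "no Incoming Work Dir in $1"; return 2; }
    actual=$(physical_dir "$configured") || { echo "cannot enter $configured"; return 2; }
    if [ "$configured" = "$actual" ]; then
        echo "OK: $configured"
        return 0
    fi
    echo "MISMATCH: configured $configured, true path $actual"
    return 1
}

# Assumed matching rule for illustration: a scanner-reported file belongs to
# the batch only if its path starts with the configured directory.
reported_under_workdir() {
    case "$2" in
        "$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Path ClamAV printed in the maillog above, tested against both spellings.
reported=/usr/var/spool/MailScanner/incoming/17268/./i2BILHpq027443/eicar.com
for dir in /var/spool/MailScanner/incoming /usr/var/spool/MailScanner/incoming; do
    if reported_under_workdir "$dir" "$reported"; then
        echo "$dir: prefix matches"
    else
        echo "$dir: prefix does NOT match"
    fi
done
```

Run `check_workdir` with the path to your own MailScanner.conf; a MISMATCH line prints the true path to put in the setting.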



