virus scan / filename check

Marcelo Zacarias da Silva marcelo at CIAGRI.USP.BR
Mon May 3 14:41:40 IST 2004 

On Mon, May 03, 2004 at 02:05:01PM +0100, Julian Field wrote:
> At 13:50 03/05/2004, you wrote:
> >Hello.
> >
> >My MailScanner+ClamAV simple installation is working fine but I'm
> >experiencing a minor problem: MS is quarantining attachments with
> >viruses (like Document.pif) based on their filenames and sending
> >notifications to the users (by my setup)
> 
> Check that you are seeing the ClamAV reports as well as the filename check 
> reports. It should treat them as "silent" if ClamAV found them.

I sent myself a infected attachment (ZZZZZ.scr):

$ clamscan ZZZZZ.scr 
ZZZZZ.scr: Worm.SomeFool.P FOUND

'SomeFool' is in my Silent Viruses definition.

Then I received the cleaned email and MS reported just:

'Windows Screensavers are often used to hide viruses (ZZZZZ.scr)'

I think the relevant log entries are:

May  3 10:29:41 truta MailScanner[8235]: /opt/MailScanner-4.30.3/var/incoming/82 35/./i43DTexO002867/ZZZZZ.scr: Worm.SomeFool.P FOUND 
May  3 10:29:41 truta MailScanner[8235]: Virus Scanning: Found 1 viruses 
May  3 10:29:41 truta MailScanner[8235]: Filename Checks: Possible virus hidden in a screensaver (i43DTexO002867 ZZZZZ.scr) 
May  3 10:29:41 truta MailScanner[8235]: Other Checks: Found 1 problems 
May  3 10:29:41 truta MailScanner[8235]: Saved entire message to /dump/MailScanner/var/quarant/20040503/i43DTexO002867 
May  3 10:29:41 truta MailScanner[8235]: Saved infected "ZZZZZ.scr" to /dump/Mai
lScanner/var/quarant/20040503/i43DTexO002867 
May  3 10:29:41 truta MailScanner[8235]: Cleaned: Delivered 1 cleaned messages 
May  3 10:29:42 truta MailScanner[8235]: Notices: Warned about 1 messages 


Thanks again.

> 
> > but since they contain
> >viruses listed in my Silent Viruses definition, I´d like that MS
> >take action based first on the antivirus check before the
> >filename rules check.
> >
> >Is that possible or I'm doing something wrong?
> >
> >Thanks and please excuse my bad English.
> >
> >Marcelo.
> >

-- 

Marcelo Zacarias da Silva  -  CIAGRI/USP  /  Fone: (19)3429-4532
GPG public key: http://www.ciagri.usp.br/~marcelo/marcelo.asc

--
Mensagem verificada contra vírus (Ciagri::MailScanner)

-------------------------- MailScanner list ----------------------
To leave, send    leave mailscanner    to jiscmail at jiscmail.ac.uk
Before posting, please see the Most Asked Questions at
http://www.mailscanner.biz/maq/     and the archives at
http://www.jiscmail.ac.uk/lists/mailscanner.html

More information about the MailScanner mailing list