Viruses apparently getting through

Gib Gilbertson Jr. gib at TMISNET.COM
Sat Dec 3 22:37:14 GMT 2005


At 05:43 PM 3/12/2005, you wrote:
>Where is your copy of ClamAV installed? The location must be correct in
>If "which clamscan" produces /usr/local/bin/clamscan, then the entry in
>virus.scanners.conf should be "/usr/local", if it produces
>/usr/bin/clamscan, then it should be "/usr".
>What does your maillog say? That should give some indication of what
>it's finding.

Location is correct. It is catching other viruses fine. Just for some
reason a few e-mails which appear to be messages from other mail
systems reporting mail to nonexistent users has been returned for
whatever reason. The headers of the original e-mail are always
forged with some address from such as hostmaster, or
webmaster, etc.

Here is an entry for a typical virus found by ClamAV:

Dec  3 01:27:22 thumper MailScanner[62916]: 
Dec  3 01:27:22 thumper MailScanner[62916]: Virus Scanning: ClamAV found 1 infections
Dec  3 01:27:22 thumper MailScanner[62916]: Infected message jB39R0OK082075 came from
Dec  3 01:27:22 thumper MailScanner[62916]: Virus Scanning: Found 1 viruses

Just doesn't seem to be picking up this latest virus for some reason. 
ClamAV is up to date.



>Gib Gilbertson Jr. wrote:
> > Hi.
> >
> > I'm seeing a lot of e-mails getting through that are caught by ZoneAlarm
> > Security Suite and reported to be infected by the Win32.Sober.W!.ZIP
> > virus. These are coming in as attachments with the extension .zm9 as
> > reported by ZoneAlarm.
> >
> >
> > I am running the following on FreeBSD 4.10
> >
> > MailScanner 4.32.4
> > ClamAV 0.87.1/1200
> >
> > I've added a file types rule to deny \.zm9$ files
> >
> > I'm still getting them in e-mail though.
> >
> > Any thoughts?
> >
> > Thanks
> >
> > gib
> >

      Gib Gilbertson Jr.
      Tierramiga Info Systems
      619-287-8647 Support
      San Diego's Friendly ISP
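
The path check suggested in the quoted reply, as an added shell example that is not part of the original messages. It assumes virus.scanners.conf lines of the form "scanner-name wrapper-script install-prefix"; the sample file and the wrapper paths in it are constructed.

```shell
#!/bin/sh
# Added example: verify that the ClamAV entry in virus.scanners.conf
# points at the prefix where clamscan is actually installed.

# Install prefix implied by a clamscan path:
# /usr/local/bin/clamscan -> /usr/local
prefix_from_binary() {
    dirname "$(dirname "$1")"
}

# Third field of the first active (non-comment) "clamav" line.
# Assumed line format: scanner-name  wrapper-script  install-prefix
configured_prefix() {
    awk '$1 == "clamav" { print $3; exit }' "$1"
}

# Returns 0 on match, 1 on mismatch, 2 when no clamav entry is found.
check_clamav_prefix() {
    bin=$1
    conf=$2
    want=$(prefix_from_binary "$bin")
    have=$(configured_prefix "$conf")
    if [ -z "$have" ]; then
        echo "no active clamav entry in $conf"
        return 2
    fi
    have=${have%/}    # tolerate a trailing slash in the config
    if [ "$have" = "$want" ]; then
        echo "OK: clamav prefix is $have"
        return 0
    fi
    echo "MISMATCH: config says $have, clamscan lives under $want"
    return 1
}

# Constructed sample config; the wrapper paths are illustrative only.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
# name    wrapper script                                  install prefix
#clamav   /usr/local/libexec/MailScanner/clamav-wrapper   /opt/old
clamav    /usr/local/libexec/MailScanner/clamav-wrapper   /usr
EOF

# clamscan in /usr/local/bin does not match the configured /usr ...
check_clamav_prefix /usr/local/bin/clamscan "$sample_conf" || true
# ... while clamscan in /usr/bin does.
check_clamav_prefix /usr/bin/clamscan "$sample_conf" || true
```

On a live system, pass the output of `which clamscan` as the first argument and the path of the installed virus.scanners.conf as the second.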

------------------------ MailScanner list ------------------------