ClamAV and MailScanner Bug
Rose, Bobby
brose at MED.WAYNE.EDU
Mon May 2 22:31:29 IST 2005
Last week, I reported a problem that I thought was limited to a
particular virus but my testing seems to allude to a bigger problem. If
MailScanner is using clamav for its scanner, viruses are being detected
but MailScanner isn't properly acting on them and is delivering them as
uninfected messages.
It's not a config issue because I've tried it on two different Solaris 8
systems and if I switch to clamavmodule or sophos then MailScanner acts
appropriately. I've even updated to 4.11.3 today which was in the plans
anyway. I used to use sophos and clamav with MailScanner but the
license for Sophos is just too much and I stopped using it about two
months ago. And since the viruses were still being detected, from a
stats side it looked like things were fine. For now, I'm switched to
clamavmodule but this looks like a bug. I've been a MailScanner user
since 2002 so exclude me from the newbie filters and comments and let's
check this out.
ClamAV
May 2 16:58:56 apollo.med.wayne.edu MailScanner[9100]: Spam Checks:
Starting
May 2 16:58:56 apollo.med.wayne.edu MailScanner[9100]: Message
j42Kwc1L009131 from 146.9.3.57 (root at apollo.med.wayne.edu) is
whitelisted
May 2 16:59:09 apollo.med.wayne.edu MailScanner[9100]: Spam Checks
completed at 133 bytes per second
May 2 16:59:09 apollo.med.wayne.edu MailScanner[9100]: Virus and
Content Scanning: Starting
May 2 16:59:13 apollo.med.wayne.edu MailScanner[9100]:
/tmp/9100/./j42Kwc1L009131/eicar.doc: Eicar-Test-Signature FOUND
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning:
ClamAV found 1 infections
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning:
Found 1 viruses
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning
completed at 347 bytes per second
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Uninfected:
Delivered 1 messages
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Processing
completed at 1739 bytes per second
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Disinfection
completed at 1739 bytes per second
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Batch completed
at 96 bytes per second (1739 / 18)
ClamAVModule
May 2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: New Batch:
Scanning 1 messages, 1742 bytes
May 2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: MCP Checks
completed at 1742 bytes per second
May 2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: Spam Checks:
Starting
May 2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: Message
j42L8iA5009328 from 146.9.3.57 (root at apollo.med.wayne.edu) is
whitelisted
May 2 17:09:16 apollo.med.wayne.edu MailScanner[9312]: Spam Checks
completed at 91 bytes per second
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus and
Content Scanning: Starting
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]:
ClamAVModule::INFECTED:: Eicar-Test-Signature::
./j42L8iA5009328/eicar.doc
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning:
ClamAV Module found 1 infections
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Infected message
j42L8iA5009328 came from 146.9.3.57
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning:
Found 1 viruses
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning
completed at 871 bytes per second
May 2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Notices: Warned
about 1 messages
May 2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Virus Processing
completed at 217 bytes per second
May 2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Disinfection
completed at 1742 bytes per second
May 2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Batch completed
at 60 bytes per second (1742 / 29)
ClamAV and Sophos
May 2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: New Batch:
Scanning 1 messages, 1743 bytes
May 2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: MCP Checks
completed at 1743 bytes per second
May 2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: Spam Checks:
Starting
May 2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: Message
j42L1svo009212 from 146.9.3.57 (root at apollo.med.wayne.edu) is
whitelisted
May 2 17:02:08 apollo.med.wayne.edu MailScanner[9207]: Spam Checks
completed at 249 bytes per second
May 2 17:02:09 apollo.med.wayne.edu MailScanner[9207]: Virus and
Content Scanning: Starting
May 2 17:02:17 apollo.med.wayne.edu MailScanner[9207]: >>> Virus
'EICAR-AV-Test' found in file ./j42L1svo009212/eicar.doc
May 2 17:02:17 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning:
Sophos found 1 infections
May 2 17:02:21 apollo.med.wayne.edu MailScanner[9207]:
/tmp/9207/./j42L1svo009212/eicar.doc: Eicar-Test-Signature FOUND
May 2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning:
ClamAV found 1 infections
May 2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Infected message
j42L1svo009212 came from 146.9.3.57
May 2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning:
Found 1 viruses
May 2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning
completed at 134 bytes per second
May 2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Notices: Warned
about 1 messages
May 2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Virus Processing
completed at 217 bytes per second
May 2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Disinfection
completed at 1743 bytes per second
May 2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Batch completed
at 62 bytes per second (1743 / 28)
Bobby Rose
Senior Systems Administrator
MSIS Network Operations
Wayne State University School of Medicine
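
The failure in the first log above is visible only as a mismatch: the batch logs "Found 1 viruses" but never logs an "Infected message ... came from" line, and the message is counted under "Uninfected: Delivered". The following is an added example, not part of the original post and not MailScanner code: a log check for that mismatch. The function name and the heuristic are assumptions of the example, and the sample lines are copied from the post and rejoined onto single lines.

```python
import re
from collections import defaultdict

# Log lines copied from the post above, rejoined onto single lines.
SAMPLE = """\
May 2 16:58:56 apollo.med.wayne.edu MailScanner[9100]: Spam Checks: Starting
May 2 16:59:13 apollo.med.wayne.edu MailScanner[9100]: /tmp/9100/./j42Kwc1L009131/eicar.doc: Eicar-Test-Signature FOUND
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning: ClamAV found 1 infections
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning: Found 1 viruses
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Uninfected: Delivered 1 messages
May 2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Batch completed at 96 bytes per second (1739 / 18)
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./j42L8iA5009328/eicar.doc
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning: ClamAV Module found 1 infections
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Infected message j42L8iA5009328 came from 146.9.3.57
May 2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning: Found 1 viruses
May 2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Notices: Warned about 1 messages
May 2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Batch completed at 60 bytes per second (1742 / 29)
""".splitlines()

ENTRY = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
FOUND = re.compile(r"Virus Scanning: Found (\d+) viruses")
ATTRIBUTED = re.compile(r"Infected message (\S+) came from")
DELIVERED = re.compile(r"Uninfected: Delivered (\d+) messages")

def unactioned_detections(lines):
    """Flag batches where a scanner hit was never tied to a message."""
    # State is kept per MailScanner child PID, one batch at a time.
    batches = defaultdict(
        lambda: {"found": 0, "infected_ids": [], "delivered_clean": 0})
    alerts = []
    for line in lines:
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = entry.groups()
        batch = batches[pid]
        if m := FOUND.search(msg):
            batch["found"] += int(m.group(1))
        elif m := ATTRIBUTED.search(msg):
            batch["infected_ids"].append(m.group(1))
        elif m := DELIVERED.search(msg):
            batch["delivered_clean"] += int(m.group(1))
        elif msg.startswith("Batch completed"):
            # Heuristic: viruses counted, but no "Infected message" line.
            if batch["found"] and not batch["infected_ids"]:
                alerts.append({"pid": pid, **batch})
            del batches[pid]
    return alerts

if __name__ == "__main__":
    for alert in unactioned_detections(SAMPLE):
        print(alert)
```

A batch is evaluated only when its "Batch completed" line is seen, so a log that ends mid-batch produces no alert for that batch.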