ClamAV and MailScanner Bug

Rose, Bobby brose at MED.WAYNE.EDU
Tue May 3 22:47:10 IST 2005


So no one else is seeing this problem?  I'm talking about only using clamav
as the scanner....no others and not clamavmodule.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Rose, Bobby
Sent: Monday, May 02, 2005 5:31 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: ClamAV and MailScanner Bug

Last week, I reported a problem that I thought was limited to a
particular virus but my testing seems to allude to a bigger problem.  If
MailScanner is using clamav for its scanner, viruses are being detected
but MailScanner isn't properly acting on it and is delivering it as an
uninfected message.

It's not a config issue because I've tried it on two different Solaris 8
systems and if I switch to clamavmodule or sophos then MailScanner acts
appropriately.  I've even updated to 4.11.3 today which was in the plans
anyway.  I used to use sophos and clamav with MailScanner but the
license for Sophos is just too much and stopped using it about two
months ago.  And since the viruses were still being detected, from a
stats side it looked like things were fine.  For now, I'm switched to
clamavmodule but this looks like a bug.  I've been a MailScanner user
since 2002 so exclude me from the newbie filters and comments and let's
check this out.

ClamAV

May  2 16:58:56 apollo.med.wayne.edu MailScanner[9100]: Spam Checks: Starting
May  2 16:58:56 apollo.med.wayne.edu MailScanner[9100]: Message j42Kwc1L009131 from 146.9.3.57 (root at apollo.med.wayne.edu) is whitelisted
May  2 16:59:09 apollo.med.wayne.edu MailScanner[9100]: Spam Checks completed at 133 bytes per second
May  2 16:59:09 apollo.med.wayne.edu MailScanner[9100]: Virus and Content Scanning: Starting
May  2 16:59:13 apollo.med.wayne.edu MailScanner[9100]: /tmp/9100/./j42Kwc1L009131/eicar.doc: Eicar-Test-Signature FOUND
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning: ClamAV found 1 infections
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning: Found 1 viruses
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Scanning completed at 347 bytes per second
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Uninfected: Delivered 1 messages
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Virus Processing completed at 1739 bytes per second
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Disinfection completed at 1739 bytes per second
May  2 16:59:14 apollo.med.wayne.edu MailScanner[9100]: Batch completed at 96 bytes per second (1739 / 18)


ClamAVModule

May  2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: New Batch: Scanning 1 messages, 1742 bytes
May  2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: MCP Checks completed at 1742 bytes per second
May  2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: Spam Checks: Starting
May  2 17:08:57 apollo.med.wayne.edu MailScanner[9312]: Message j42L8iA5009328 from 146.9.3.57 (root at apollo.med.wayne.edu) is whitelisted
May  2 17:09:16 apollo.med.wayne.edu MailScanner[9312]: Spam Checks completed at 91 bytes per second
May  2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus and Content Scanning: Starting
May  2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./j42L8iA5009328/eicar.doc
May  2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning: ClamAV Module found 1 infections
May  2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Infected message j42L8iA5009328 came from 146.9.3.57
May  2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning: Found 1 viruses
May  2 17:09:18 apollo.med.wayne.edu MailScanner[9312]: Virus Scanning completed at 871 bytes per second
May  2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Notices: Warned about 1 messages
May  2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Virus Processing completed at 217 bytes per second
May  2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Disinfection completed at 1742 bytes per second
May  2 17:09:26 apollo.med.wayne.edu MailScanner[9312]: Batch completed at 60 bytes per second (1742 / 29)

ClamAV and Sophos

May  2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: New Batch: Scanning 1 messages, 1743 bytes
May  2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: MCP Checks completed at 1743 bytes per second
May  2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: Spam Checks: Starting
May  2 17:02:01 apollo.med.wayne.edu MailScanner[9207]: Message j42L1svo009212 from 146.9.3.57 (root at apollo.med.wayne.edu) is whitelisted
May  2 17:02:08 apollo.med.wayne.edu MailScanner[9207]: Spam Checks completed at 249 bytes per second
May  2 17:02:09 apollo.med.wayne.edu MailScanner[9207]: Virus and Content Scanning: Starting
May  2 17:02:17 apollo.med.wayne.edu MailScanner[9207]: >>> Virus 'EICAR-AV-Test' found in file ./j42L1svo009212/eicar.doc
May  2 17:02:17 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning: Sophos found 1 infections
May  2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: /tmp/9207/./j42L1svo009212/eicar.doc: Eicar-Test-Signature FOUND
May  2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning: ClamAV found 1 infections
May  2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Infected message j42L1svo009212 came from 146.9.3.57
May  2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning: Found 1 viruses
May  2 17:02:21 apollo.med.wayne.edu MailScanner[9207]: Virus Scanning completed at 134 bytes per second
May  2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Notices: Warned about 1 messages
May  2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Virus Processing completed at 217 bytes per second
May  2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Disinfection completed at 1743 bytes per second
May  2 17:02:29 apollo.med.wayne.edu MailScanner[9207]: Batch completed at 62 bytes per second (1743 / 28)


Bobby Rose
Senior Systems Administrator
MSIS Network Operations
Wayne State University School of Medicine
 

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
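
A log check for the failure shown in the logs above, as an added example that is not part of the original post or of MailScanner: it groups syslog lines by MailScanner child PID and reports any batch in which a scanner logged infections but no "Infected message" line followed. The sample lines are constructed (placeholder host, message ids and address), and the rule itself is an assumption drawn from the difference between the failing and working logs in the post.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog lines quoted in the post
# (one entry per line; host, message ids and address are placeholders).
SAMPLE_LOG = """\
May  2 16:59:09 mailhost MailScanner[9100]: Virus and Content Scanning: Starting
May  2 16:59:13 mailhost MailScanner[9100]: /tmp/9100/./msgA/eicar.doc: Eicar-Test-Signature FOUND
May  2 16:59:14 mailhost MailScanner[9100]: Virus Scanning: ClamAV found 1 infections
May  2 16:59:14 mailhost MailScanner[9100]: Virus Scanning: Found 1 viruses
May  2 16:59:14 mailhost MailScanner[9100]: Uninfected: Delivered 1 messages
May  2 16:59:14 mailhost MailScanner[9100]: Batch completed at 96 bytes per second (1739 / 18)
May  2 17:09:18 mailhost MailScanner[9312]: Virus and Content Scanning: Starting
May  2 17:09:18 mailhost MailScanner[9312]: Virus Scanning: ClamAV Module found 1 infections
May  2 17:09:18 mailhost MailScanner[9312]: Infected message msgB came from 192.0.2.10
May  2 17:09:18 mailhost MailScanner[9312]: Virus Scanning: Found 1 viruses
May  2 17:09:26 mailhost MailScanner[9312]: Notices: Warned about 1 messages
May  2 17:09:26 mailhost MailScanner[9312]: Batch completed at 60 bytes per second (1742 / 29)
"""

LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
FOUND = re.compile(r"Virus Scanning: (.+) found (\d+) infections")
INFECTED = re.compile(r"Infected message (\S+) came from")

def find_unactioned_detections(log_text):
    """Return one dict per batch where a scanner reported infections but
    MailScanner never logged an 'Infected message' line for that batch."""
    state = defaultdict(lambda: {"scanners": {}, "acted": 0})
    alerts = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        batch = state[pid]
        if (f := FOUND.match(msg)):
            batch["scanners"][f.group(1)] = int(f.group(2))
        elif INFECTED.match(msg):
            batch["acted"] += 1
        elif msg.startswith("Batch completed"):
            hits = sum(batch["scanners"].values())
            if hits and not batch["acted"]:
                alerts.append({"pid": pid, "scanners": dict(batch["scanners"])})
            del state[pid]   # the same child PID handles later batches
    return alerts

if __name__ == "__main__":
    for a in find_unactioned_detections(SAMPLE_LOG):
        print("detections with no action, PID", a["pid"], a["scanners"])
```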
