ClamAV and MailScanner Bug

Wess Bechard mailscanner at ELIQUID.COM
Wed May 4 13:57:32 IST 2005



I also had quite a few viruses slip through this way in the past few
days.  I've applied Julian's patch to the VirusSweep.pm already, which
grabs the empty files, but they still slip through.

On Wed, 2005-05-04 at 07:15 -0400, Rose, Bobby wrote:

 Julian,

I'm using sendmail 8.13.3.  All I did to duplicate it was send a test
message with an EICAR attachment.  If I used clamav by itself, then the
virus is detected but MS still says it's clean and delivers it.  If I
switch to clamavmodule, then the virus is detected and MS removes the
message id from its array of ones to be delivered.  If I used sophos
as a secondary scanner to clamav then the virus is also detected and stopped
but I think that is because it's acting on the sophos detection and not
the clamav.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Wednesday, May 04, 2005 4:19 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: ClamAV and MailScanner Bug

Also, is it specific to one MTA?
Looks like you are using Postfix. What is anyone else with this problem
running?

On 4 May 2005, at 09:04, Julian Field wrote:

> On 4 May 2005, at 00:16, Chris Stone wrote:
>
>
>> On Tuesday 03 May 2005 04:18 pm, Peter Bonivart wrote:
>>
>>
>>> Scott Silva wrote:
>>>
>>>
>>>> Rose, Bobby wrote:
>>>>
>>>>
>>>>> So no one else is seeing this problem?  I'm talking about only using
>>>>> clamav as the scanner....no others and not clamavmodule.
>>>>>
>>>>>
>>>>
>>>> Maybe only a Solaris 8 problem.
>>>>
>>>>
>>>
>>> No. I'm using Solaris with Clam and I'm not having any problems.
>>>
>>>
>>
>> I am seeing problems under OSX:
>>
>> May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
>> May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
>> May  3 18:56:30 g5 MailScanner[1898]: Virus Scanning completed at 37432 bytes per second
>> May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
>> May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
>> May  3 18:56:30 g5 MailScanner[1898]: Virus Processing completed at 74864 bytes per second
>> May  3 18:56:30 g5 MailScanner[1898]: Disinfection completed at 74864 bytes per second
>>
>> Seems to only still deliver the Sober viruses - all the others are 
>> caught as above, but not delivered. This client is running MS 4.34.8 
>> and ClamAV 0.83.
>> Am going to have them update to the latest MS stable release and see 
>> if they still have this issue.
>>
>>
>
> Can someone send me one of the troublesome messages please?
> Easiest way is to put it on the web and mail me the URL.
>
> --
> Julian Field
> jkf at ecs.soton.ac.uk
> Teaching Systems Manager
> Electronics & Computer Science
> University of Southampton
> SO17 1BJ, UK
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>

--
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK


--
Wess Bechard <mailscanner at eliquid.com>
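
The failure mode reported in this thread (ClamAV logs a FOUND for a message, yet the same message ID is then requeued) can be checked for in the mail log. The following is an added example, not part of the original thread or of MailScanner; it assumes the log line shapes quoted above, treats a "Requeue:" line for a flagged ID as delivery, and uses constructed sample lines.

```python
import re

# Constructed sample modelled on the syslog lines quoted in the thread; the
# second message (1A2B3C4D5E6F) is invented to show a detection that is not requeued.
SAMPLE_LOG = """\
May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./1A2B3C4D5E6F/eicar.com: Eicar-Test-Signature FOUND
May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 2 infections
May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
"""

# <spool>/incoming/<pid>/./<msgid>/<file>: <signature> FOUND
FOUND_RE = re.compile(
    r"MailScanner\[(\d+)\]: \S*/incoming/\d+/\./([^/\s]+)/.+: (\S+) FOUND\s*$")
# Requeue: <msgid> to <new queue id>
REQUEUE_RE = re.compile(r"MailScanner\[(\d+)\]: Requeue: (\S+) to (\S+)\s*$")


def delivered_despite_detection(log_text):
    """Return (msgid, new_queue_id, signatures) for each message that the
    same MailScanner child requeued after ClamAV reported FOUND for it."""
    flagged = {}  # (child pid, msgid) -> list of signature names
    hits = []
    for line in log_text.splitlines():
        found = FOUND_RE.search(line)
        if found:
            pid, msgid, signature = found.groups()
            flagged.setdefault((pid, msgid), []).append(signature)
            continue
        requeue = REQUEUE_RE.search(line)
        if requeue:
            pid, msgid, new_id = requeue.groups()
            if (pid, msgid) in flagged:
                hits.append((msgid, new_id, flagged[(pid, msgid)]))
    return hits


if __name__ == "__main__":
    for msgid, new_id, sigs in delivered_despite_detection(SAMPLE_LOG):
        print(f"{msgid} requeued as {new_id} after detection: {', '.join(sigs)}")
```

Any hit means a scanner verdict and the delivery decision disagreed for that message, which is the condition to alert on while the underlying bug is being tracked down.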


