ClamAV and MailScanner Bug

Julian Field MailScanner at ecs.soton.ac.uk
Wed May 4 14:55:50 IST 2005


Any reason why I might not be able to reproduce it?
I used sendmail, the latest MailScanner code and ClamAV 0.83 and 0.84 and
it happily detected both.

So we are saying that on your system ClamAV 0.84 is not being properly
handled and is missing *all* viruses, even eicar?

Please can you put an eicar.com in a directory, along with a few other
harmless files and run this:

mkdir /tmp/clamav.temptemp
chmod go-rwx /tmp/clamav.temptemp
/usr/local/bin/clamscan --unzip --jar --tar --tgz --deb --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .

Obviously the clamscan command should be all on 1 line, and don't forget
the " ." at the end of the line. And if your clamscan is not in
/usr/local/bin then adjust the command appropriately.

Please send me the exact output of that.

Also tell me what version of ClamAV you are running.

On 4 May 2005, at 13:57, Wess Bechard wrote:

      I also had quite a few viruses slip through this way in the
      past few days.  I've applied Julian's patch to the
      VirusSweep.pm already, which grabs the empty files, but they
      still slip through.

      On Wed, 2005-05-04 at 07:15 -0400, Rose, Bobby wrote:

 Julian,

I'm using sendmail 8.13.3.  All I did to duplicate it was send a test
message with an EICAR attachment.  If I used clamav by itself, then the
virus is detected but MS still says it's clean and delivers it.  If I
switch to clamavmodule, then the virus is detected and MS removes the
message id from its array of ones to be delivered.  If I used a sophos
as a secondary scanner to clamav then virus is also detected and stopped
but I think that is because it's acting on the sophos detection and not
the clamav.  

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Wednesday, May 04, 2005 4:19 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: ClamAV and MailScanner Bug

Also, is it specific to one MTA?
Looks like you are using Postfix. What is anyone else with this problem
running?

On 4 May 2005, at 09:04, Julian Field wrote:

> On 4 May 2005, at 00:16, Chris Stone wrote:
>
>
>> On Tuesday 03 May 2005 04:18 pm, Peter Bonivart wrote:
>>
>>
>>> Scott Silva wrote:
>>>
>>>
>>>> Rose, Bobby wrote:
>>>>
>>>>
>>>>> So no one else is seeing this problem?  I'm talking about only using
>>>>> clamav as the scanner....no others and not clamavmodule.
>>>>>
>>>>>
>>>>
>>>> Maybe only a Solaris 8 problem.
>>>>
>>>>
>>>
>>> No. I'm using Solaris with Clam and I'm not having any problems.
>>>
>>>
>>
>> I am seeing problems under OSX:
>>
>> May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
>> May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
>> May  3 18:56:30 g5 MailScanner[1898]: Virus Scanning completed at 37432 bytes per second
>> May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
>> May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
>> May  3 18:56:30 g5 MailScanner[1898]: Virus Processing completed at 74864 bytes per second
>> May  3 18:56:30 g5 MailScanner[1898]: Disinfection completed at 74864 bytes per second
>>
>> Seems to only still deliver the Sober viruses - all the others are 
>> caught as above, but not delivered. This client is running MS 4.34.8 
>> and ClamAV 0.83.
>> Am going to have them update to the latest MS stable release and see 
>> if they still have this issue.
>>
>>
>
> Can someone send me one of the troublesome messages please?
> Easiest way is to put it on the web and mail me the URL.
>
> --
> Julian Field
> jkf at ecs.soton.ac.uk
> Teaching Systems Manager
> Electronics & Computer Science
> University of Southampton
> SO17 1BJ, UK
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
>

--
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK

      --
      Wess Bechard <mailscanner at eliquid.com>


-- 
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK
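
The symptom in the syslog excerpt quoted in this thread, a scanner FOUND report followed by a Requeue of the same queue id from the same MailScanner process, can be searched for mechanically. The Python below is an added example, not part of the original thread and not MailScanner code; the sample log is constructed from the lines quoted above, the function name is hypothetical, and treating every requeue of a flagged queue id as worth an operator's review is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the first four lines follow the excerpt quoted in the
# thread, the last two are invented to exercise the non-matching path.
SAMPLE_LOG = """\
May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
May  3 18:57:02 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./1A2B3C4D5E6F/eicar.com: Eicar-Test-Signature FOUND
May  3 18:57:03 g5 MailScanner[1898]: Requeue: 0F0F0F0F0F0F to ABCDEFABCDEF
"""

# Syslog prefix: keep the MailScanner child pid and the message text.
LINE = re.compile(r"MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Scanner report as logged: <work dir>/./<queue id>/<file>: <signature> FOUND
FOUND = re.compile(r"/\./(?P<qid>[0-9A-Za-z]+)/(?P<file>[^:]+): (?P<sig>\S+) FOUND$")
REQUEUE = re.compile(r"^Requeue: (?P<qid>\S+) to (?P<new>\S+)$")


def flagged_but_requeued(log_text):
    """Return (queue id, new queue id, [signatures]) for each message that
    was reported infected and later requeued by the same process."""
    infected = defaultdict(list)  # (pid, queue id) -> signature names
    hits = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a MailScanner syslog line
        pid, msg = m.group("pid"), m.group("msg")
        found = FOUND.search(msg)
        requeue = REQUEUE.match(msg)
        if found:
            infected[(pid, found.group("qid"))].append(found.group("sig"))
        elif requeue and (pid, requeue.group("qid")) in infected:
            key = (pid, requeue.group("qid"))
            hits.append((key[1], requeue.group("new"), list(infected[key])))
    return hits


if __name__ == "__main__":
    for qid, new, sigs in flagged_but_requeued(SAMPLE_LOG):
        print(f"{qid} requeued as {new} after detection of {', '.join(sigs)}")
```
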
