ClamAV and MailScanner Bug

Julian Field MailScanner at ecs.soton.ac.uk
Wed May 4 18:09:55 IST 2005


Please can someone do this? I can't fix it until I have some evidence to
show what output you are getting.
Also, while you are at it, please tell me what you have set in the
"Incoming Work Directory" in MailScanner.conf. A change in how ClamAV
follows directory paths would be an obvious change they might have made.

Julian Field wrote:

> Any reason why I might not be able to reproduce it?
>
> I used sendmail, the latest MailScanner code and ClamAV 0.83 and 0.84
> and it happily detected both.
>
> So we are saying that on your system ClamAV 0.84 is not being properly
> handled and is missing *all* viruses, even eicar?
>
> Please can you put an eicar.com in a directory, along with a few other
> harmless files and run this:
>
> mkdir /tmp/clamav.temptemp
> chmod go-rwx /tmp/clamav.temptemp
> /usr/local/bin/clamscan --unzip --jar --tar --tgz --deb --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .
>
> Obviously the clamscan command should be all on one line, and don't
> forget the " ." at the end of the line. And if your clamscan is not in
> /usr/local/bin then adjust the command appropriately.
>
> Please send me the exact output of that.
>
> Also tell me what version of ClamAV you are running.
>
> On 4 May 2005, at 13:57, Wess Bechard wrote:
>
>> I also had quite a few viruses slip through this way in the past few
>> days.  I've applied Julian's patch to the VirusSweep.pm already,
>> which grabs the empty files, but they still slip through.
>>
>> On Wed, 2005-05-04 at 07:15 -0400, Rose, Bobby wrote:
>>
>>>Julian,
>>>
>>>I'm using sendmail 8.13.3.  All I did to duplicate it was send a test
>>>message with an EICAR attachment.  If I used clamav by itself, then the
>>>virus is detected but MS still says it's clean and delivers it.  If I
>>>switch to clamavmodule, then the virus is detected and MS removes the
>>>message id from its array of ones to be delivered.  If I used a sophos
>>>as a secondary scanner to clamav then virus is also detected and stopped
>>>but I think that is because it's acting on the sophos detection and not
>>>the clamav.
>>>
>>>-----Original Message-----
>>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>>Behalf Of Julian Field
>>>Sent: Wednesday, May 04, 2005 4:19 AM
>>>To: MAILSCANNER at JISCMAIL.AC.UK
>>>Subject: Re: ClamAV and MailScanner Bug
>>>
>>>Also, is it specific to one MTA?
>>>Looks like you are using Postfix. What is anyone else with this problem
>>>running?
>>>
>>>On 4 May 2005, at 09:04, Julian Field wrote:
>>>
>>>> On 4 May 2005, at 00:16, Chris Stone wrote:
>>>>
>>>>
>>>>> On Tuesday 03 May 2005 04:18 pm, Peter Bonivart wrote:
>>>>>
>>>>>
>>>>>> Scott Silva wrote:
>>>>>>
>>>>>>
>>>>>>> Rose, Bobby wrote:
>>>>>>>
>>>>>>>
>>>>>>>> So no one else is seeing this problem?  I'm talking about only using
>>>>>>>> clamav as the scanner....no others and not clamavmodule.
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Maybe only a Solaris 8 problem.
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> No. I'm using Solaris with Clam and I'm not having any problems.
>>>>>>
>>>>>>
>>>>>
>>>>> I am seeing problems under OSX:
>>>>>
>>>>> May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
>>>>> May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
>>>>> May  3 18:56:30 g5 MailScanner[1898]: Virus Scanning completed at 37432 bytes per second
>>>>> May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
>>>>> May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
>>>>> May  3 18:56:30 g5 MailScanner[1898]: Virus Processing completed at 74864 bytes per second
>>>>> May  3 18:56:30 g5 MailScanner[1898]: Disinfection completed at 74864 bytes per second
>>>>>
>>>>> Seems to only still deliver the Sober viruses - all the others are
>>>>> caught as above, but not delivered. This client is running MS 4.34.8
>>>>> and ClamAV 0.83.
>>>>> Am going to have them update to the latest MS stable release and see
>>>>> if they still have this issue.
>>>>>
>>>>>
>>>>
>>>> Can someone send me one of the troublesome messages please?
>>>> Easiest way is to put it on the web and mail me the URL.
>>>>
>>>> --
>>>> Julian Field
>>>> jkf at ecs.soton.ac.uk
>>>> Teaching Systems Manager
>>>> Electronics & Computer Science
>>>> University of Southampton
>>>> SO17 1BJ, UK
>>>>
>>>> ------------------------ MailScanner list ------------------------
>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>> 'leave mailscanner' in the body of the email.
>>>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
>>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>
>>>--
>>>Julian Field
>>>jkf at ecs.soton.ac.uk
>>>Teaching Systems Manager
>>>Electronics & Computer Science
>>>University of Southampton
>>>SO17 1BJ, UK
>>>
>>>
>> --
>> Wess Bechard <mailscanner at eliquid.com>
>
>
> --
> Julian Field
> jkf at ecs.soton.ac.uk
> Teaching Systems Manager
> Electronics & Computer Science
> University of Southampton
> SO17 1BJ, UK


--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
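
A log check for the failure reported in this thread, added here as an example (it is not MailScanner code and was not posted by anyone on the list): it flags a message ID that ClamAV reported as FOUND and that the same MailScanner child process then requeued. The function names, the reading of a `Requeue:` line as release for delivery, and the last two sample log lines are assumptions made for the example.

```python
import re

# Log shapes taken from the thread: clamscan reports
# <work dir>/<pid>/./<message id>/<file>: <signature> FOUND
FOUND_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: (?P<path>/.+?): (?P<sig>\S+) FOUND\s*$")
REQUEUE_RE = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Requeue: (?P<mid>\S+) to (?P<new>\S+)")


def message_id_from_path(path, pid):
    """Return the directory name that follows the per-child <pid> directory."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    # Stop two short of the end so a file must still follow the message dir.
    for i, part in enumerate(parts[:-2]):
        if part == pid:
            return parts[i + 1]
    return None


def find_released_infections(lines):
    """List (old id, new id, signature) for infected messages later requeued."""
    infected = {}  # (pid, message id) -> signature
    released = []
    for line in lines:
        found = FOUND_RE.search(line)
        if found:
            mid = message_id_from_path(found["path"], found["pid"])
            if mid:
                infected[(found["pid"], mid)] = found["sig"]
            continue
        req = REQUEUE_RE.search(line)
        if req and (req["pid"], req["mid"]) in infected:
            key = (req["pid"], req["mid"])
            released.append((req["mid"], req["new"], infected[key]))
    return released


# First four lines are from the thread; the last two are constructed controls
# (an infected message that is not requeued, a clean message that is).
SAMPLE_LOG = """\
May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
May  3 18:57:02 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./AAAA00000001/eicar.com: Eicar-Test-Signature FOUND
May  3 18:57:03 g5 MailScanner[1898]: Requeue: BBBB00000002 to CCCC00000003
"""

if __name__ == "__main__":
    for old, new, sig in find_released_infections(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {old} ({sig}) was requeued as {new} after a ClamAV hit")
```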

