ClamAV and MailScanner Bug
Michael H. Martel
martelm at QUARK.VSC.EDU
Wed May 4 18:26:11 IST 2005
--On Wednesday, May 4, 2005 6:09 PM +0100 Julian Field
<MailScanner at ECS.SOTON.AC.UK> wrote:
> Please can someone do this? I can't fix it until I have some evidence to
> show what output you are getting.
> Also, while you are at it, please tell me what you have set in the
> "Incoming Work Directory" in MailScanner.conf. A change in how ClamAV
> follows directory paths would be an obvious change they might have made.
Incoming Work Dir = /var/spool/MailScanner/incoming
Something like this Julian ?
ClamAV devel-20050504/867/Wed May 4 10:08:12 2005
[root at hemlock tmp]# /usr/local/bin/clamscan --unzip --jar --tgz --deb
--tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .
/tmp/./.807.68006d: OK
/tmp/./McAfeeBusy.lock: OK
/tmp/./BitdefenderBusy.lock: OK
/tmp/./.807.680055: OK
/tmp/./backhair.cf: OK
/tmp/./FProtBusy.lock: OK
/tmp/./.807.680061: OK
/tmp/./weeds.cf: OK
/tmp/./mangled.cf: OK
/tmp/./session_mm_apache0.sem: Empty file
/tmp/./.807.7d40a4: OK
/tmp/./.807.680074: OK
/tmp/./.807.680056: OK
/tmp/./.807.680058: OK
/tmp/./70_sare_evilnum0.cf: OK
/tmp/./70_sare_evilnum1.cf: OK
/tmp/./70_sare_evilnum2.cf: OK
/tmp/./70_sare_header0.cf: OK
/tmp/./70_sare_specific.cf: OK
/tmp/./70_sare_adult.cf: OK
/tmp/./72_sare_bml_post25x.cf: OK
/tmp/./99_sare_fraud_post25x.cf: OK
/tmp/./70_sare_spoof.cf: OK
/tmp/./72_sare_redirect_post3.0.0.cf: OK
/tmp/./70_sare_bayes_poison_nxm.cf: OK
/tmp/./.807.464031: OK
/tmp/./ClamAV.update.log: OK
/tmp/./70_sare_oem.cf: OK
/tmp/./70_sare_genlsubj0.cf: OK
/tmp/./70_sare_uri0.cf: OK
/tmp/./70_sare_uri_eng.cf: OK
/tmp/./bogus-virus-warnings.cf: OK
/tmp/./ClamAVBusy.lock: OK
/tmp/./.807.680059: OK
/tmp/./.807.680066: OK
/tmp/./.807.68005c: OK
/tmp/./.807.680060: OK
/tmp/./.807.68006b: OK
/tmp/./.807.7340e9: OK
/tmp/./.807.680070: OK
/tmp/./.807.680064: OK
/tmp/./.807.680063: OK
/tmp/./.807.6f40e5: OK
/tmp/./.807.680057: OK
/tmp/./.807.680073: OK
/tmp/./.807.68006c: OK
/tmp/./.807.680068: OK
/tmp/./.807.680072: OK
/tmp/./.807.680065: OK
/tmp/./clamav.temptemp/20050504/j447Ihp4013026/message: HTML.Phishing.Pay-8
FOUND
/tmp/./clamav.temptemp/20050504/j447Ihp4013026/msg-3914-54.html:
HTML.Phishing.Pay-8 FOUND
/tmp/./clamav.temptemp/20050504/j449Ar6U019205/message: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j449Ar6U019205/Winzipped-Text.pif: Empty
file
/tmp/./clamav.temptemp/20050504/j449Ar6U019205/our_secret.zip: Worm.Sober.P
FOUND
/tmp/./clamav.temptemp/20050504/j449Ar6U019205/Winzipped-Text_Data.txt
.pif: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j449f8aJ020807/message:
HTML.Phishing.Pay-35 FOUND
/tmp/./clamav.temptemp/20050504/j449f8aJ020807/msg-15153-24.html:
HTML.Phishing.Pay-35 FOUND
/tmp/./clamav.temptemp/20050504/j44BLqDt006202/message: Worm.SomeFool.P
FOUND
/tmp/./clamav.temptemp/20050504/j44BLqDt006202/word_doc.zip:
Worm.SomeFool.P FOUND
/tmp/./clamav.temptemp/20050504/j44BLqDt006202/details.txt .pif:
Worm.SomeFool.P FOUND
/tmp/./clamav.temptemp/20050504/j44BMbfM006269/message: Exploit.HTML.IFrame
FOUND
/tmp/./clamav.temptemp/20050504/j44BMbfM006269/msg-2327-33.html:
Exploit.HTML.IFrame FOUND
/tmp/./clamav.temptemp/20050504/j44BMbfM006269/message.scr: Worm.SomeFool.P
FOUND
/tmp/./clamav.temptemp/20050504/j44Curox014548/message: Worm.SomeFool.P
FOUND
/tmp/./clamav.temptemp/20050504/j44Curox014548/id43342.doc .pif:
Worm.SomeFool.P FOUND
/tmp/./clamav.temptemp/20050504/j44DfxGf019098/message: OK
/tmp/./clamav.temptemp/20050504/j44DfxGf019098/Neverdisturbyourhusband.asf:
OK
/tmp/./clamav.temptemp/20050504/j44DtlWD020928/message: Worm.Mydoom.I FOUND
/tmp/./clamav.temptemp/20050504/j44DtlWD020928/attachment.htm.scr:
Worm.Mydoom.I FOUND
/tmp/./clamav.temptemp/20050504/j44DtlWD020928/attachment.zip:
Worm.Mydoom.I FOUND
/tmp/./clamav.temptemp/20050504/j44E0Yxt021373/message: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44E0Yxt021373/Winzipped-Text.pif: Empty
file
/tmp/./clamav.temptemp/20050504/j44E0Yxt021373/Winzipped-Text_Data.txt
.pif: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44E0Yxt021373/account_info-text.zip:
Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44E7Vvu022006/message: OK
/tmp/./clamav.temptemp/20050504/j44E7Vvu022006/duhhh.asf: OK
/tmp/./clamav.temptemp/20050504/j44EOc7I023771/message:
HTML.Phishing.Bank-83 FOUND
/tmp/./clamav.temptemp/20050504/j44EOc7I023771/msg-2304-191.html:
HTML.Phishing.Bank-83 FOUND
/tmp/./clamav.temptemp/20050504/j44Elq4T026297/message:
HTML.Phishing.Bank-83 FOUND
/tmp/./clamav.temptemp/20050504/j44Elq4T026297/msg-23839-16.html:
HTML.Phishing.Bank-83 FOUND
/tmp/./clamav.temptemp/20050504/j44FPIC4030854/message: OK
/tmp/./clamav.temptemp/20050504/j44FPIC4030854/DOCUMENT.pif: OK
/tmp/./clamav.temptemp/20050504/j44G0ous003158/message: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44G0ous003158/account_info.zip:
Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44G0ous003158/Winzipped-Text.pif: Empty
file
/tmp/./clamav.temptemp/20050504/j44G0ous003158/Winzipped-Text_Data.txt
.pif: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44G59xC003769/message: Worm.Sober.P FOUND
/tmp/./clamav.temptemp/20050504/j44G59xC003769/Winzipped-Text.pif: Empty
file
/tmp/./clamav.temptemp/20050504/j44G59xC003769/our_secret.zip: Worm.Sober.P
FOUND
/tmp/./clamav.temptemp/20050504/j44G59xC003769/Winzipped-Text_Data.txt
.pif: Worm.Sober.P FOUND
[root at hemlock tmp]#
Michael
--
--------------------------------o---------------------------------
Michael H. Martel | Systems Administrator
michael.martel at vsc.edu | Vermont State Colleges
http://www.vsc.edu/~michael | PH:802-241-2544 FX:802-241-3363
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list