ClamAV and MailScanner Bug

Rose, Bobby brose at MED.WAYNE.EDU
Wed May 4 18:28:12 IST 2005


In my first message, I sent some log excerpts.  The first one was with
Virus Scanners = clamav; the logs show that the virus was detected by
clamav but it was treated as uninfected.  If I set it to clamavmodule
(the second log excerpt), it was detected and treated as infected by
MailScanner.  It happened on both .83 and .84 of clamav, but since the
MailScanner log entry shows the response by clamav in both cases, it
doesn't look like a clamav issue.
 
Running

/usr/local/bin/clamscan --unzip --jar --tar --tgz --deb --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .

results in

/export/home/root/a/./eicar.com: Eicar-Test-Signature FOUND
/export/home/root/a/./my_rules_du_jour: OK
/export/home/root/a/./note.txt: OK

 

________________________________

From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
Sent: Wednesday, May 04, 2005 9:56 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: ClamAV and MailScanner Bug


Any reason why I might not be able to reproduce it? 

I used sendmail, the latest MailScanner code and ClamAV 0.83 and 0.84
and it happily detected both.

So we are saying that on your system ClamAV 0.84 is not being properly
handled and is missing *all* viruses, even eicar?

Please can you put an eicar.com in a directory, along with a few other
harmless files and run this:

mkdir /tmp/clamav.temptemp
chmod go-rwx /tmp/clamav.temptemp
/usr/local/bin/clamscan --unzip --jar --tar --tgz --deb --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .

Obviously the clamscan command should be all on one line, and don't
forget the " ." at the end of the line. And if your clamscan is not in
/usr/local/bin then adjust the command appropriately.

Please send me the exact output of that.

Also tell me what version of ClamAV you are running.

On 4 May 2005, at 13:57, Wess Bechard wrote:


        I also had quite a few viruses slip through this way in the past
        few days.  I've applied Julian's patch to the VirusSweep.pm already,
        which grabs the empty files, but they still slip through.
	
        On Wed, 2005-05-04 at 07:15 -0400, Rose, Bobby wrote:

                Julian,

                I'm using sendmail 8.13.3.  All I did to duplicate it was send a
                test message with an EICAR attachment.  If I used clamav by
                itself, then the virus is detected but MS still says it's clean
                and delivers it.  If I switch to clamavmodule, then the virus is
                detected and MS removes the message id from its array of ones to
                be delivered.  If I used sophos as a secondary scanner to clamav
                then the virus is also detected and stopped, but I think that is
                because it's acting on the sophos detection and not the clamav.
        	
                -----Original Message-----
                From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
                Sent: Wednesday, May 04, 2005 4:19 AM
                To: MAILSCANNER at JISCMAIL.AC.UK
                Subject: Re: ClamAV and MailScanner Bug

                Also, is it specific to one MTA?
                Looks like you are using Postfix. What is anyone else with this
                problem running?
        	
                On 4 May 2005, at 09:04, Julian Field wrote:

                > On 4 May 2005, at 00:16, Chris Stone wrote:
                >
                >> On Tuesday 03 May 2005 04:18 pm, Peter Bonivart wrote:
                >>
                >>> Scott Silva wrote:
                >>>
                >>>> Rose, Bobby wrote:
                >>>>
                >>>>> So no one else is seeing this problem?  I'm talking about
                >>>>> only using clamav as the scanner....no others and not
                >>>>> clamavmodule.
                >>>>
                >>>> Maybe only a Solaris 8 problem.
                >>>
                >>> No. I'm using Solaris with Clam and I'm not having any
                >>> problems.
                >>
                >> I am seeing problems under OSX:
                >>
                >> May  3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
                >> May  3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
                >> May  3 18:56:30 g5 MailScanner[1898]: Virus Scanning completed at 37432 bytes per second
                >> May  3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
                >> May  3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
                >> May  3 18:56:30 g5 MailScanner[1898]: Virus Processing completed at 74864 bytes per second
                >> May  3 18:56:30 g5 MailScanner[1898]: Disinfection completed at 74864 bytes per second
                >>
                >> Seems to only still deliver the Sober viruses - all the others
                >> are caught as above, but not delivered. This client is running
                >> MS 4.34.8 and ClamAV 0.83.
                >> Am going to have them update to the latest MS stable release
                >> and see if they still have this issue.
                >
                > Can someone send me one of the troublesome messages please?
                > Easiest way is to put it on the web and mail me the URL.
                >
                > --
                > Julian Field
                > jkf at ecs.soton.ac.uk
                > Teaching Systems Manager
                > Electronics & Computer Science
                > University of Southampton
                > SO17 1BJ, UK
                >
                > ------------------------ MailScanner list ------------------------
                > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
                > 'leave mailscanner' in the body of the email.
                > Before posting, read the Wiki (http://wiki.mailscanner.info/) and
                > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
                >
                > Support MailScanner development - buy the book off the website!
        	
                --
                Julian Field
                jkf at ecs.soton.ac.uk
                Teaching Systems Manager
                Electronics & Computer Science
                University of Southampton
                SO17 1BJ, UK
        	
        	

        -- 
        Wess Bechard <mailscanner at eliquid.com> 	


-- 
Julian Field
jkf at ecs.soton.ac.uk
Teaching Systems Manager
Electronics & Computer Science
University of Southampton
SO17 1BJ, UK


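The thread turns on how a wrapper interprets clamscan's per-file report lines (the "path: Signature FOUND" / "path: OK" format Bobby pastes at the top, and the incoming/1898/./9F050BA0A85C/... paths in Chris Stone's log). The script below is an added illustration, not code from the thread and not MailScanner's own VirusSweep code. It parses clamscan --stdout output, maps each FOUND line back to a message ID, and splits a batch into deliverable and infected messages, which is the check a site hit by this bug would want to run against its own scanner output. The sample output, the message IDs and the incoming/<pid>/./<msgid>/ layout are assumptions modelled on the paths in the thread; scan_directory() uses the clamscan flags Julian gives above.

```python
"""Parse clamscan --stdout report lines and map detections to message IDs.

Added example (not part of the mailing-list thread, not MailScanner code).
Assumes MailScanner's working layout incoming/<pid>/./<msgid>/<attachment>,
which is what the paths quoted in the thread look like.
"""
import subprocess
from collections import defaultdict

# Constructed sample output; the "/./" comes from scanning "." with -r.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/body.txt: OK
/var/spool/MailScanner/incoming/1898/./C3AB7BA0A920/note.txt: OK
/var/spool/MailScanner/incoming/1898/./C3AB7BA0A920/eicar.com: Eicar-Test-Signature FOUND
/var/spool/MailScanner/incoming/1898/./D1E2F3A4B5C6/empty.bin: Empty file
/var/spool/MailScanner/incoming/1898/./E7F8A9B0C1D2/odd:name.txt: OK
"""

# Flags from Julian's reproduction command (clamscan 0.8x era).
CLAMSCAN_ARGS = ["--unzip", "--jar", "--tar", "--tgz", "--deb",
                 "-r", "--disable-summary", "--stdout"]


def parse_clamscan(output):
    """Return {path: verdict} for every report line.

    The verdict is whatever follows the LAST ': ' so a colon inside the
    file name does not break the split. Blank and summary lines are skipped.
    """
    results = {}
    for line in output.splitlines():
        line = line.rstrip()
        if not line or ": " not in line:
            continue
        path, verdict = line.rsplit(": ", 1)
        results[path] = verdict
    return results


def is_found(verdict):
    """True only for clamscan's '<signature> FOUND' verdict, not OK/Empty file."""
    return verdict.endswith(" FOUND")


def signature(verdict):
    """Signature name from a FOUND verdict, None for anything else."""
    return verdict[:-len(" FOUND")] if is_found(verdict) else None


def message_id(path):
    """Directory component right after '/./' (assumed <msgid>), or None."""
    marker = "/./"
    i = path.find(marker)
    if i < 0:
        return None
    return path[i + len(marker):].split("/", 1)[0]


def infections_by_message(output):
    """{msgid: [(attachment, signature), ...]} for every FOUND line."""
    hits = defaultdict(list)
    for path, verdict in parse_clamscan(output).items():
        if is_found(verdict):
            mid = message_id(path) or "<unknown>"
            hits[mid].append((path.rsplit("/", 1)[-1], signature(verdict)))
    return dict(hits)


def deliverable(output, message_ids):
    """Split a batch into (clean, infected); a message that appears in any
    FOUND line must never land in the clean list (the bug in the thread)."""
    infected = infections_by_message(output)
    clean = [m for m in message_ids if m not in infected]
    return clean, sorted(infected)


def scan_directory(directory, clamscan="/usr/local/bin/clamscan",
                   tempdir="/tmp/clamav.temptemp"):
    """Run clamscan the way the thread does and parse its stdout.

    clamscan exits 1 when it finds something, so check=True is deliberately
    not used here.
    """
    proc = subprocess.run([clamscan, *CLAMSCAN_ARGS,
                           f"--tempdir={tempdir}", "."],
                          cwd=directory, capture_output=True, text=True)
    return parse_clamscan(proc.stdout)


if __name__ == "__main__":
    batch = ["9F050BA0A85C", "C3AB7BA0A920", "D1E2F3A4B5C6", "E7F8A9B0C1D2"]
    clean, infected = deliverable(SAMPLE_OUTPUT, batch)
    for mid, files in infections_by_message(SAMPLE_OUTPUT).items():
        print(mid, files)
    print("deliver:", clean)
    print("hold:", infected)
```

Point scan_directory() at a copy of a MailScanner incoming directory (or any test directory containing eicar.com alongside harmless files, as Julian suggests) and compare its result with what the MailScanner log says about the same batch; a message listed under "hold" here but logged as "Uninfected: Delivered" is exactly the discrepancy the thread is chasing.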



