ClamAV and MailScanner Bug
Julian Field
MailScanner at ecs.soton.ac.uk
Wed May 4 18:47:43 IST 2005
Can someone with this problem give me remote root ssh access please?
I cannot reproduce the fault on my systems, everything works fine.
But it looks like we have a total failure of ClamAV on some systems,
which I obviously need to look at.
Please mail me off list if you can help me help you.
Thanks.
Rose, Bobby wrote:
>In my first message, I sent some log excerpts. The first one was with
>Virus Scanners = clamav, the logs show that the virus was detected by
>clamav but it was treated as uninfected. If I set it to clamavmodule,
>the second log excerpt, it was detected and treated as infected by
>MailScanner. It happened on both .83 and .84 of clamav but since the
>MailScanner log entry shows the response by clamav in both cases, then
>it doesn't look like a clamav issue.
>
>Running
>/usr/local/bin/clamscan --unzip --jar --tar --tgz --deb
>--tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .
>results in
>
>/export/home/root/a/./eicar.com: Eicar-Test-Signature FOUND
>/export/home/root/a/./my_rules_du_jour: OK
>/export/home/root/a/./note.txt: OK
>
>
>
>________________________________
>
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Wednesday, May 04, 2005 9:56 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: ClamAV and MailScanner Bug
>
>
>Any reason why I might not be able to reproduce it?
>
>I used sendmail, the latest MailScanner code and ClamAV 0.83 and 0.84
>and it happily detected both.
>
>So we are saying that on your system ClamAV 0.84 is not being properly
>handled and is missing *all* viruses, even eicar?
>
>Please can you put an eicar.com in a directory, along with a few other
>harmless files and run this:
>
>mkdir /tmp/clamav.temptemp
>chmod go-rwx /tmp/clamav.temptemp
>/usr/local/bin/clamscan --unzip --jar --tar --tgz --deb
>--tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .
>
>Obviously the clamscan command should be all on one line, and don't
>forget the " ." at the end of the line. And if your clamscan is not in
>/usr/local/bin then adjust the command appropriately.
>
>Please send me the exact output of that.
>
>Also tell me what version of ClamAV you are running.
>
>On 4 May 2005, at 13:57, Wess Bechard wrote:
>
>
> I also had quite a few viruses slip through this way in the past
>few days. I've applied Julian's patch to the VirusSweep.pm already,
>which grabs the empty files, but they still slip through.
>
> On Wed, 2005-05-04 at 07:15 -0400, Rose, Bobby wrote:
>
> Julian,
>
> I'm using sendmail 8.13.3. All I did to duplicate it was send a test
> message with an EICAR attachment. If I used clamav by itself, then the
> virus is detected but MS still says it's clean and delivers it. If I
> switch to clamavmodule, then the virus is detected and MS removes the
> message id from its array of ones to be delivered. If I used Sophos
> as a secondary scanner to clamav then the virus is also detected and
> stopped, but I think that is because it's acting on the Sophos
> detection and not the clamav.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Wednesday, May 04, 2005 4:19 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
> Also, is it specific to one MTA?
> Looks like you are using Postfix. What is anyone else with this problem
> running?
>
> On 4 May 2005, at 09:04, Julian Field wrote:
>
> > On 4 May 2005, at 00:16, Chris Stone wrote:
> >
> >
> >> On Tuesday 03 May 2005 04:18 pm, Peter Bonivart wrote:
> >>
> >>
> >>> Scott Silva wrote:
> >>>
> >>>
> >>>> Rose, Bobby wrote:
> >>>>
> >>>>
> >>>>> So no one else is seeing this problem? I'm talking about only using
> >>>>> clamav as the scanner....no others and not clamavmodule.
> >>>>>
> >>>>>
> >>>>
> >>>> Maybe only a Solaris 8 problem.
> >>>>
> >>>>
> >>>
> >>> No. I'm using Solaris with Clam and I'm not having any problems.
> >>>
> >>>
> >>
> >> I am seeing problems under OSX:
> >>
> >> May 3 18:56:29 g5 MailScanner[1898]: /private/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
> >> May 3 18:56:29 g5 MailScanner[1898]: Virus Scanning: ClamAV found 1 infections
> >> May 3 18:56:30 g5 MailScanner[1898]: Virus Scanning completed at 37432 bytes per second
> >> May 3 18:56:30 g5 MailScanner[1898]: Requeue: 9F050BA0A85C to C3AB7BA0A920
> >> May 3 18:56:30 g5 MailScanner[1898]: Uninfected: Delivered 1 messages
> >> May 3 18:56:30 g5 MailScanner[1898]: Virus Processing completed at 74864 bytes per second
> >> May 3 18:56:30 g5 MailScanner[1898]: Disinfection completed at 74864 bytes per second
> >>
> >> Seems to only still deliver the Sober viruses - all the others are
> >> caught as above, but not delivered. This client is running MS 4.34.8
> >> and ClamAV 0.83.
> >> Am going to have them update to the latest MS stable release and see
> >> if they still have this issue.
> >>
> >>
> >
> > Can someone send me one of the troublesome messages please?
> > Easiest way is to put it on the web and mail me the URL.
> >
> > --
> > Julian Field
> > jkf at ecs.soton.ac.uk
> > Teaching Systems Manager
> > Electronics & Computer Science
> > University of Southampton
> > SO17 1BJ, UK
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > 'leave mailscanner' in the body of the email.
> > Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> > Support MailScanner development - buy the book off the website!
> >
> >
>
> --
> Julian Field
> jkf at ecs.soton.ac.uk
> Teaching Systems Manager
> Electronics & Computer Science
> University of Southampton
> SO17 1BJ, UK
>
>
>
>
> --
> Wess Bechard <mailscanner at eliquid.com>
>
>
>
>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
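An added example, not code from MailScanner or from anyone in this thread: a fail-closed parser for the `clamscan --stdout --disable-summary` line format quoted above (`<path>: <signature> FOUND` / `<path>: OK`), which is the contract a wrapper depends on with `Virus Scanners = clamav`, and which treats only an exact `OK` as clean and never delivers a queue id that has no verdict. The sample lines, queue ids and the `<pid>/./<queue-id>/<file>` layout are constructed, modelled on the log and command output in the thread.

```python
# Constructed sample of clamscan --stdout --disable-summary output over a
# MailScanner-style incoming tree (<pid>/./<queue-id>/<file>); modelled on
# the lines quoted in the thread, not real output from anyone's system.
SAMPLE_OUTPUT = """\
/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/error-mail_info.zip: Worm.Sober.P FOUND
/var/spool/MailScanner/incoming/1898/./9F050BA0A85C/msg-1898-1.txt: OK
/var/spool/MailScanner/incoming/1898/./C3AB7BA0A920/note: odd name.txt: OK
/var/spool/MailScanner/incoming/1898/./DEADBEEF0001/locked.doc: Access denied. ERROR
/export/home/root/a/./eicar.com: Eicar-Test-Signature FOUND
"""
def parse_line(line):
    """(path, status, detail) for one '<path>: <verdict>' line. The verdict is
    after the LAST ': ' because paths may contain ': '; only exact 'OK' is clean."""
    path, sep, verdict = line.rstrip("\n").rpartition(": ")
    if not sep:
        return line.strip(), "UNKNOWN", ""
    if verdict == "OK":
        return path, "OK", ""
    if verdict.endswith(" FOUND"):
        return path, "FOUND", verdict[: -len(" FOUND")]
    if verdict.endswith("ERROR"):
        return path, "ERROR", verdict
    return path, "UNKNOWN", verdict

def queue_id(path):
    """First path component after '/./'; a file right under the scan root has none."""
    _, marker, rel = path.partition("/./")
    if not marker or "/" not in rel:
        return None
    return rel.split("/", 1)[0]

def scan_verdicts(output):
    """Per queue id (or bare path): FOUND beats HOLD (error/unknown) beats CLEAN."""
    rank = {"CLEAN": 0, "HOLD": 1, "FOUND": 2}
    result = {}
    for line in filter(str.strip, output.splitlines()):
        path, status, detail = parse_line(line)
        qid = queue_id(path) or path
        verdict = {"OK": "CLEAN", "FOUND": "FOUND"}.get(status, "HOLD")
        cur = result.setdefault(qid, {"status": "CLEAN", "signatures": []})
        if rank[verdict] > rank[cur["status"]]:
            cur["status"] = verdict
        if status == "FOUND":
            cur["signatures"].append(detail)
    return result

def deliverable(queue_ids, verdicts):
    """Only ids with an explicit CLEAN verdict go out; unscanned ids are held."""
    return [q for q in queue_ids if verdicts.get(q, {}).get("status") == "CLEAN"]
```

Feeding the wrapper's real scanner output through `scan_verdicts` and comparing its result with the messages the wrapper actually released is a direct check for the "detected but delivered" symptom described in the thread.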