ClamAV and MailScanner Bug

Rose, Bobby brose at MED.WAYNE.EDU
Thu May 5 12:15:09 IST 2005


When I posted this issue others jumped on the thread about zip files and
have taken this into another direction involving sober.p.  The issue
that I was reporting was with "Virus Scanners = clamav" and it didn't
matter what the virus was.  My tests were using eicar.doc which was
eicar.com just renamed to avoid filename checks.  I included log
excerpts in my original message when using "Virus Scanners = clamav" and
when "Virus Scanners = clamavmodule".   If I use "Virus Scanners =
clamavmodule", then everything works, both detection and action.  If I
use "Virus Scanners = clamav" then the only thing that works is
detection.  It's not clamav since the virus is being detected and
MailScanner is logging the detection.  But it's what MailScanner is
doing after detection when using clamav versus clamavmodule.  If using
clamavmodule, it's dropping, quarantining, warning, or whatever the
actions may be.  If using clamav, it's not doing anything.  It says
the message is infected and then states 1 uninfected message was
delivered.

Bobby Rose
Senior Systems Administrator
MSIS Network Operations
Wayne State University School of Medicine
 

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Thursday, May 05, 2005 3:55 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: ClamAV and MailScanner Bug

On 4 May 2005, at 22:16, Chris Stone wrote:

> On Wednesday 04 May 2005 02:57 pm, Julian Field wrote:
>
>> Julian Field wrote:
>> I just tried it with 2 Worm.Sober.P messages from my own servers, and
>> neither of them caused any problem whatsoever. Both caught just fine.
>> Worked with Maximum Archive Depth = 0 and with = 2.
>>
>
> This problem is with MS 4.34.8 and ClamAV 0.83, ClamAV Module (latest 
> from CPAN). Max Archive Depth = 0.

Chris, can you try with the latest MailScanner please. I still cannot
find anything unusual whatsoever. You are running with

Max Archive Depth = 0
Virus Scanners = clamavmodule
ClamAV 0.83

(That's for my reference as people are not being clear as to whether
they are using "clamav" or "clamavmodule".)
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
