ClamAV and MailScanner Bug

Rose, Bobby brose at MED.WAYNE.EDU
Thu May 5 14:08:48 IST 2005 

The issue is not with "detection" nor is it with Sober.P or any
particular virus.  As I keep saying my testing is using EICAR.  The
virus is being detected my clamav and logged by MailScanner but when the
virus scanners=clamav, MailScanner is just logging that a virus was
detected and then turns around and delivers it as an uninfected
messages.  If all I change in MailScanner.conf is the the scanner to
clamavmodule, the MailScanner works properly.  

People are associating my report with their own issues with Sober.P and
is diluting my report.   Check the archives of my first message on this
thread, it has the log excerpts.  Also, I'm not down because of this
because all I'm doing now is using clamavmodule instead of clamav as the
virusscanner, but I'm just reporting the problem and my findings.

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Martin Hepworth
Sent: Thursday, May 05, 2005 8:48 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: ClamAV and MailScanner Bug

Rose, Bobby wrote:
> When I posted this issue others jumped on the thread about zip files 
> and have taken this into another direction involving sober.p.  The 
> issue that I was reporting was with "Virus Scanners = clamav" and it 
> didn't matter what the virus was.  My tests was using eicar.doc which 
> was eicar.com just renamed to avoid filename checks.  I included log 
> excerpts in my original message when using "Virus Scanners = clamav"
and
> when "Virus Scanners = clamavmodule".   If I use "Virus Scanners =
> clamavmodule", then everything works both detection and action.  If I 
> use "Virus Scanners = clamav" then the only thing that works is 
> detection.  It's not clamav since the virus is being detected and 
> MailScannner is logging the detection.  But it's what MailScanner is 
> doing after detection when using clamav versus clamavmodule.  If using

> clamavmodule, it's dropping, quarantining, warning, or whatever the 
> actions may be.  If using clamav, it's not doing anything.  It says a 
> the message is infected and then states 1 uninfected message was 
> delivered.
>
> Bobby Rose
> Senior Systems Administrator
> MSIS Network Operations
> Wayne State University School of Medicine
>

Bobby

not specific to MS, also been seen with exim calling clamav without MS
anywhere....if you can trap the thing please submit it to
http://cgi.clamav.net/sendvirus.cgi


--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
tel: +44 (0)1865 842300

**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
system manager.

This footnote confirms that this email message has been swept for the
presence of computer viruses and is believed to be clean.

**********************************************************************

------------------------ MailScanner list ------------------------ To
unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!

More information about the MailScanner mailing list