ClamAV and MailScanner Bug

Julian Field MailScanner at ecs.soton.ac.uk
Thu May 5 14:34:25 IST 2005


It will say it has found something when it sees some likely-looking
output from clamscan. It is only later, when it tries to tie up all
the reported filenames with the actual files in the email message,
that it can prove accurately whether the message was infected, and
which bits were infected.

On 5 May 2005, at 13:57, Rose, Bobby wrote:

> I did this earlier and replied with the results.  If it's clamscan
> then why would MailScanner log that the virus has been detected?
>
> Running
> /usr/local/bin/clamscan --unzip --jar --tar --tgz --deb
> --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .
> results in
>
> /export/home/root/a/./eicar.com: Eicar-Test-Signature FOUND
> /export/home/root/a/./my_rules_du_jour: OK
> /export/home/root/a/./note.txt: OK
>
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Julian Field
> Sent: Thursday, May 05, 2005 8:45 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
> Can you try the commands I posted a while ago:
>
>
>> mkdir /tmp/clamav.temptemp
>> chmod go-a /tmp/clamav.temptemp
>> /usr/local/bin/clamscan --unzip --jar --tar --tgz --deb
>> --tempdir=/tmp/clamav.temptemp -r --disable-summary --stdout .
>>
>
> with a copy of EICAR in the directory along with a few uninfected
> files.
> Something is going seriously wrong with your copy of clamscan.
>
> Please tell me what the line in your /etc/MailScanner/
> virus.scanners.conf says about clamav. Also please check that your
> Incoming Work Directory path has no links in it. This is by far the
> most common error and would explain your symptoms.
>
> On 5 May 2005, at 12:15, Rose, Bobby wrote:
>
>
>> When I posted this issue others jumped on the thread about zip files
>> and have taken this into another direction involving sober.p.  The
>> issue that I was reporting was with "Virus Scanners = clamav" and it
>> didn't matter what the virus was.  My tests were using eicar.doc, which
>> was eicar.com just renamed to avoid filename checks.  I included log
>> excerpts in my original message when using "Virus Scanners = clamav"
>> and when "Virus Scanners = clamavmodule".  If I use "Virus Scanners =
>> clamavmodule", then everything works, both detection and action.  If I
>> use "Virus Scanners = clamav" then the only thing that works is
>> detection.  It's not clamav since the virus is being detected and
>> MailScanner is logging the detection.  But it's what MailScanner is
>> doing after detection when using clamav versus clamavmodule.  If using
>> clamavmodule, it's dropping, quarantining, warning, or whatever the
>> actions may be.  If using clamav, it's not doing anything.  It says
>> the message is infected and then states 1 uninfected message was
>> delivered.
>>
>> Bobby Rose
>> Senior Systems Administrator
>> MSIS Network Operations
>> Wayne State University School of Medicine
>>
>>
>> -----Original Message-----
>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>> Behalf Of Julian Field
>> Sent: Thursday, May 05, 2005 3:55 AM
>> To: MAILSCANNER at JISCMAIL.AC.UK
>> Subject: Re: ClamAV and MailScanner Bug
>>
>> On 4 May 2005, at 22:16, Chris Stone wrote:
>>
>>
>>
>>> On Wednesday 04 May 2005 02:57 pm, Julian Field wrote:
>>>
>>>> I just tried it with 2 Worm.Sober.P messages from my own servers, and
>>>> neither of them caused any problem whatsoever. Both caught just
>>>> fine.
>>>> Worked with Maximum Archive Depth = 0 and with = 2.
>>>
>>> This problem is with MS 4.34.8 and ClamAV 0.83, ClamAV Module (latest
>>> from CPAN). Max Archive Depth = 0.
>>>
>>
>> Chris, can you try with the latest MailScanner please. I still cannot
>> find anything unusual whatsoever. You are running with
>>
>> Max Archive Depth = 0
>> Virus Scanners = clamavmodule
>> ClamAV 0.83
>>
>> (That's for my reference as people are not being clear as to whether
>> they are using "clamav" or "clamavmodule".)
>> --
>> Julian Field
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store PGP footprint:
>> EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>> ------------------------ MailScanner list ------------------------ To
>> unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>> 'leave mailscanner' in the body of the email.
>> Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
>> archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>> Support MailScanner development - buy the book off the website!
>>
>>
>>
>>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store PGP footprint:
> EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654

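The two-stage behaviour Julian describes at the top of this message (log a detection from clamscan's output first, decide "infected" only once the reported filenames are tied up with the message's files), reconstructed as an added Python example that is not MailScanner's own Perl code. The clamscan output, the work directory paths and the symlinked-directory scenario below are constructed assumptions, not values from the thread.

```python
import os
from collections import namedtuple

# Constructed sample of clamscan --stdout output, in the "path: verdict" format
# shown in the thread (an Eicar hit, a clean file, and a non-OK/non-FOUND line).
CLAMSCAN_OUTPUT = """\
/var/spool/MailScanner/incoming/4711/eicar.doc: Eicar-Test-Signature FOUND
/var/spool/MailScanner/incoming/4711/note.txt: OK
/var/spool/MailScanner/incoming/4711/report.zip: Empty file
"""

ScanResult = namedtuple("ScanResult", "path status signature")

def parse_clamscan(output):
    """Stage 1: read 'likely looking' verdict lines; this alone is what gets logged."""
    results = []
    for line in output.splitlines():
        if ": " not in line:
            continue
        path, verdict = line.rsplit(": ", 1)
        if verdict.endswith(" FOUND"):
            results.append(ScanResult(path, "FOUND", verdict[:-len(" FOUND")]))
        elif verdict == "OK":
            results.append(ScanResult(path, "OK", None))
        else:                       # e.g. "Empty file", access errors
            results.append(ScanResult(path, "OTHER", verdict))
    return results

def tie_up(results, workdir, attachments):
    """Stage 2: map each FOUND path back to an attachment under workdir by
    name comparison. Returns (matched [(name, sig)], unmatched [path])."""
    infected, unmatched = [], []
    for r in results:
        if r.status != "FOUND":
            continue
        rel = os.path.relpath(r.path, workdir)   # lexical, no symlink resolution
        if rel in attachments:
            infected.append((rel, r.signature))
        else:
            unmatched.append(r.path)
    return infected, unmatched

def verdict(results, workdir, attachments):
    """'detected' comes from stage 1, 'infected' only from a successful tie-up;
    a mismatch yields the thread's symptom: detection logged, message delivered."""
    infected, unmatched = tie_up(results, workdir, attachments)
    return {"detected": any(r.status == "FOUND" for r in results),
            "infected": bool(infected), "parts": infected, "unmatched": unmatched}
```

With the work directory configured through a link (a constructed lowercase `/var/spool/mailscanner` pointing at the real directory, so clamscan reports the canonical path), the FOUND path no longer maps onto an attachment name and `verdict` reports detected but not infected, which is why the Incoming Work Directory check in the thread matters.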



