ClamAV and MailScanner Bug
Julian Field
MailScanner at ecs.soton.ac.uk
Thu May 5 14:35:22 IST 2005
What is your Incoming Work Directory set to?
Is it set to /export/home/root/a
If not, then it should be.
On 5 May 2005, at 14:08, Rose, Bobby wrote:
> The issue is not with "detection" nor is it with Sober.P or any
> particular virus. As I keep saying my testing is using EICAR. The
> virus is being detected by clamav and logged by MailScanner but when the
> virus scanners=clamav, MailScanner is just logging that a virus was
> detected and then turns around and delivers it as an uninfected
> message. If all I change in MailScanner.conf is the scanner to
> clamavmodule, the MailScanner works properly.
>
> People are associating my report with their own issues with Sober.P and
> is diluting my report. Check the archives of my first message on this
> thread, it has the log excerpts. Also, I'm not down because of this
> because all I'm doing now is using clamavmodule instead of clamav as the
> virusscanner, but I'm just reporting the problem and my findings.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
> Behalf Of Martin Hepworth
> Sent: Thursday, May 05, 2005 8:48 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
> Rose, Bobby wrote:
>
>> When I posted this issue others jumped on the thread about zip files
>> and have taken this into another direction involving sober.p. The
>> issue that I was reporting was with "Virus Scanners = clamav" and it
>> didn't matter what the virus was. My tests were using eicar.doc which
>> was eicar.com just renamed to avoid filename checks. I included log
>> excerpts in my original message when using "Virus Scanners = clamav" and
>> when "Virus Scanners = clamavmodule". If I use "Virus Scanners =
>> clamavmodule", then everything works both detection and action. If I
>> use "Virus Scanners = clamav" then the only thing that works is
>> detection. It's not clamav since the virus is being detected and
>> MailScanner is logging the detection. But it's what MailScanner is
>> doing after detection when using clamav versus clamavmodule. If using
>> clamavmodule, it's dropping, quarantining, warning, or whatever the
>> actions may be. If using clamav, it's not doing anything. It says
>> the message is infected and then states 1 uninfected message was
>> delivered.
>>
>> Bobby Rose
>> Senior Systems Administrator
>> MSIS Network Operations
>> Wayne State University School of Medicine
>>
>>
>
> Bobby
>
> not specific to MS, also been seen with exim calling clamav without MS
> anywhere....if you can trap the thing please submit it to
> http://cgi.clamav.net/sendvirus.cgi
>
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic Ltd
> tel: +44 (0)1865 842300
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
> archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654