ClamAV and MailScanner Bug

Rose, Bobby brose at MED.WAYNE.EDU
Thu May 5 14:58:12 IST 2005


Confused by that.

My Incoming Work Dir = /var/spool/MailScanner/incoming
 
Why would that have an effect if all I do is change the virus scanner
from clamav to clamavmodule to get it to work?



-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
Behalf Of Julian Field
Sent: Thursday, May 05, 2005 9:35 AM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: ClamAV and MailScanner Bug

What is your Incoming Work Directory set to?
Is it set to /export/home/root/a?
If not, then it should be.

On 5 May 2005, at 14:08, Rose, Bobby wrote:

> The issue is not with "detection" nor is it with Sober.P or any
> particular virus.  As I keep saying my testing is using EICAR.  The
> virus is being detected by clamav and logged by MailScanner but when
> the virus scanners=clamav, MailScanner is just logging that a virus
> was detected and then turns around and delivers it as an uninfected
> message.  If all I change in MailScanner.conf is the scanner to
> clamavmodule, the MailScanner works properly.
>
> People are associating my report with their own issues with Sober.P
> and is diluting my report.  Check the archives of my first message on
> this thread, it has the log excerpts.  Also, I'm not down because of this
> because all I'm doing now is using clamavmodule instead of clamav as
> the virusscanner, but I'm just reporting the problem and my findings.
>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On 
> Behalf Of Martin Hepworth
> Sent: Thursday, May 05, 2005 8:48 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: ClamAV and MailScanner Bug
>
> Rose, Bobby wrote:
>
>> When I posted this issue others jumped on the thread about zip files
>> and have taken this into another direction involving sober.p.  The
>> issue that I was reporting was with "Virus Scanners = clamav" and it
>> didn't matter what the virus was.  My tests were using eicar.doc which
>> was eicar.com just renamed to avoid filename checks.  I included log
>> excerpts in my original message when using "Virus Scanners = clamav"
>> and when "Virus Scanners = clamavmodule".  If I use "Virus Scanners =
>> clamavmodule", then everything works both detection and action.  If I
>> use "Virus Scanners = clamav" then the only thing that works is
>> detection.  It's not clamav since the virus is being detected and
>> MailScanner is logging the detection.  But it's what MailScanner is
>> doing after detection when using clamav versus clamavmodule.  If
>> using clamavmodule, it's dropping, quarantining, warning, or whatever the
>> actions may be.  If using clamav, it's not doing anything.  It says
>> the message is infected and then states 1 uninfected message was
>> delivered.
>>
>> Bobby Rose
>> Senior Systems Administrator
>> MSIS Network Operations
>> Wayne State University School of Medicine
>>
>>
>
> Bobby
>
> not specific to MS, also been seen with exim calling clamav without MS
> anywhere....if you can trap the thing please submit it to
> http://cgi.clamav.net/sendvirus.cgi
>
>
> --
> Martin Hepworth
> Senior Systems Administrator
> Solid State Logic Ltd
> tel: +44 (0)1865 842300
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and the 
> archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
