ClamAV and MailScanner Bug

Julian Field MailScanner at ecs.soton.ac.uk
Thu May 5 17:36:33 IST 2005


Because of the output created by the virus scanner. The clamavmodule
doesn't create any direct output out of my control, but the clamav
scanner runs clamscan which produces output under its control.

Rose, Bobby wrote:

>Confused by that
>
>My Incoming Work Dir = /var/spool/MailScanner/incoming
>
>Why would that have an effect if all I do is change the virus scanner
>from clamav to clamavmodule to get it to work?
>
>
>
>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>Behalf Of Julian Field
>Sent: Thursday, May 05, 2005 9:35 AM
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: ClamAV and MailScanner Bug
>
>What is your Incoming Work Directory set to?
>Is it set to /export/home/root/a
>If not, then it should be.
>
>On 5 May 2005, at 14:08, Rose, Bobby wrote:
>
>
>
>>The issue is not with "detection" nor is it with Sober.P or any
>>particular virus.  As I keep saying my testing is using EICAR.  The
>>virus is being detected by clamav and logged by MailScanner but when
>>the virus scanners=clamav, MailScanner is just logging that a virus
>>was detected and then turns around and delivers it as an uninfected
>>message.  If all I change in MailScanner.conf is the scanner to
>>clamavmodule, MailScanner works properly.
>>
>>People are associating my report with their own issues with Sober.P
>>and are diluting my report.  Check the archives of my first message on
>>this thread, it has the log excerpts.  Also, I'm not down because of
>>this because all I'm doing now is using clamavmodule instead of clamav
>>as the virusscanner, but I'm just reporting the problem and my findings.
>>
>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On
>>Behalf Of Martin Hepworth
>>Sent: Thursday, May 05, 2005 8:48 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: ClamAV and MailScanner Bug
>>
>>Rose, Bobby wrote:
>>
>>
>>
>>>When I posted this issue others jumped on the thread about zip files
>>>and have taken this into another direction involving sober.p.  The
>>>issue that I was reporting was with "Virus Scanners = clamav" and it
>>>didn't matter what the virus was.  My tests were using eicar.doc which
>>>was eicar.com just renamed to avoid filename checks.  I included log
>>>excerpts in my original message when using "Virus Scanners = clamav"
>>>and when "Virus Scanners = clamavmodule".  If I use "Virus Scanners =
>>>clamavmodule", then everything works both detection and action.  If I
>>>use "Virus Scanners = clamav" then the only thing that works is
>>>detection.  It's not clamav since the virus is being detected and
>>>MailScanner is logging the detection.  But it's what MailScanner is
>>>doing after detection when using clamav versus clamavmodule.  If
>>>using clamavmodule, it's dropping, quarantining, warning, or whatever
>>>the actions may be.  If using clamav, it's not doing anything.  It says
>>>the message is infected and then states 1 uninfected message was
>>>delivered.
>>>
>>>Bobby Rose
>>>Senior Systems Administrator
>>>MSIS Network Operations
>>>Wayne State University School of Medicine
>>>
>>Bobby
>>
>>not specific to MS, also been seen with exim calling clamav without MS
>>anywhere....if you can trap the thing please submit it to
>>http://cgi.clamav.net/sendvirus.cgi
>>
>>
>>--
>>Martin Hepworth
>>Senior Systems Administrator
>>Solid State Logic Ltd
>>tel: +44 (0)1865 842300
>>
>>**********************************************************************
>>
>>This email and any files transmitted with it are confidential and
>>intended solely for the use of the individual or entity to whom they
>>are addressed. If you have received this email in error please notify
>>the system manager.
>>
>>This footnote confirms that this email message has been swept for the
>>presence of computer viruses and is believed to be clean.
>>
>>**********************************************************************
>>
>>------------------------ MailScanner list ------------------------ To
>>unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>'leave mailscanner' in the body of the email.
>>Before posting, read the Wiki (http://wiki.mailscanner.info/) and the
>>archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>
>>Support MailScanner development - buy the book off the website!
>>
>>
>>
>>
>
>--
>Julian Field
>www.MailScanner.info
>Buy the MailScanner book at www.MailScanner.info/store PGP footprint:
>EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
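
Added example, not from the thread and not MailScanner's code: a sketch of why a wrapper that parses clamscan's text output depends on the work directory it expects, and how failing closed avoids logging a detection while still delivering the message as clean. The directory layout (work_dir/<message-id>/<file>), the function names, the message ids and the sample output are assumptions constructed for illustration.

```python
import os
import re

# clamscan reports each infected file as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S.*) FOUND$")

# Constructed sample output; message ids and signature name are made up.
SAMPLE = """\
/var/spool/MailScanner/incoming/j45Gab01/eicar.doc: Eicar-Test-Signature FOUND
/var/spool/MailScanner/incoming/j45Gab02/notes.txt: OK
"""

def attribute_findings(clamscan_output, work_dir, message_ids):
    """Tie each FOUND line to a message id (first path component under
    work_dir, an assumed layout). Returns (infected, unattributed)."""
    work_dir = os.path.normpath(work_dir)
    infected, unattributed = {}, []
    for raw in clamscan_output.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if not m:
            continue  # "OK" lines and the summary block are ignored
        rel = os.path.relpath(os.path.normpath(m.group("path")), work_dir)
        msg_id = rel.split(os.sep, 1)[0]
        if rel.startswith(os.pardir) or msg_id not in message_ids:
            # Detection outside the expected tree: cannot say which
            # message it belongs to.
            unattributed.append(line)
        else:
            infected.setdefault(msg_id, set()).add(m.group("sig"))
    return infected, unattributed

def deliverable(message_ids, infected, unattributed):
    """Fail closed: one unattributed detection holds the whole batch."""
    if unattributed:
        return set()
    return set(message_ids) - set(infected)

if __name__ == "__main__":
    ids = {"j45Gab01", "j45Gab02"}
    for wd in ("/var/spool/MailScanner/incoming", "/tmp/other-workdir"):
        inf, un = attribute_findings(SAMPLE, wd, ids)
        print(wd, sorted(deliverable(ids, inf, un)), un)
```
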
