Problem with ClamAVModule

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Wed Oct 26 21:01:03 IST 2005


Hello,

I started using ClamAV recently and just noticed the following:
Oct 26 15:06:55 132.210.244.90 sendmail[27535]: j9QJ6iY3027535: 
from=<Kontounterstutzung02 at vr-networld.de>, size=29459, class=0, 
nrcpts=1, msgid=<001601c5da60$60144486$18af6650 at xx-xqth3pasqtbn>, 
proto=SMTP, daemon=MTA, relay=80-102-175-24.bcn1.adsl.uni2.es 
[80.102.175.24]
Oct 26 15:06:55 132.210.244.90 sendmail[27535]: j9QJ6iY3027535: 
to=<user at USherbrooke.ca>, delay=00:00:05, mailer=relay, pri=59459, 
stat=queued
Oct 26 15:06:59 132.210.244.90 MailScanner[28920]: Message 
j9QJ6iY3027535 from 80.102.175.24 (kontounterstutzung02 at vr-networld.de) 
to usherbrooke.ca is est un polluriel, SpamAssassin (score=10.283, 
requis 5, BAYES_50 0.00, DCC_CHECK 2.17, HTML_90_100 0.02, 
HTML_FONT_LOW_CONTRAST 0.79, HTML_IMAGE_ONLY_08 3.04, HTML_MESSAGE 0.00, 
INVALID_DATE 0.24, J_CHICKENPOX_27 0.60, J_CHICKENPOX_31 0.60, 
J_CHICKENPOX_52 0.60, MIME_QP_LONG_LINE 0.04, NO_REAL_NAME 0.01, 
RCVD_IN_NJABL_DUL 0.09, RCVD_IN_SORBS_DUL 1.99, WEIRD_PORT 0.11)
Oct 26 15:07:03 132.210.244.90 MailScanner[28920]: Spam Actions: message 
j9QJ6iY3027535 actions are attachment,deliver
Oct 26 15:07:08 132.210.244.90 MailScanner[28920]: 
ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: 
./j9QJ6iY3027535/msg-28920-1410.html
Oct 26 15:07:08 132.210.244.90 MailScanner[28920]: Infected message 
j9QJ6iY3027535 came from 80.102.175.24
Oct 26 15:07:08 132.210.244.90 MailScanner[28920]: <A> tag found in 
message j9QJ6iY3027535 from kontounterstutzung02 at vr-networld.de


The line troubling me is the one with "actions are attachment,deliver".  
Why has it been delivered if Clam detected an infection?

My setup is as follows:
Virus Scanners = mcafee bitdefender clamavmodule
Silent Viruses = All-Viruses HTML-IFrame HTML-Codebase HTML-Form HTML-Script
Still Deliver Silent Viruses = %rules-dir%/virus.to.quarantine.rules

and rules/virus.to.quarantine.rules :
Virus:  Win32    no
Virus:  W32/     no
Virus:  Phish-BankFraud     no
Virus:  HTML.Phishing       no
Virus:  Exploit.HTML.IFrame no
Virus:  Worm     no
Virus:  BackDoor- no
Virus:  default yes

So, do I have a problem with Clam or MS? 

Relevant versions follow...
ClamAV 0.87/1148/Tue Oct 25 15:34:12 2005
This is Red Hat Enterprise Linux AS release 3 (Taroon Update 6)
This is Perl version 5.008000 (5.8.0)
This is MailScanner version 4.44.6
0.17    Mail::ClamAV

Thanks!

Denis

-- 
   _
  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045
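
An added example, not part of the original post and not MailScanner code: a Python script that lists queue IDs showing the same pair of log entries as above (a "Spam Actions" list containing `deliver` plus a `ClamAVModule::INFECTED` hit), to check how often the combination occurs. The sample lines are constructed in the shape of the quoted log, with placeholder host name and queue IDs, and the script assumes one unwrapped syslog entry per line.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of the log quoted in the post
# (placeholder host "mx1" and made-up queue IDs); not real log data.
SAMPLE_LOG = """\
Oct 26 15:07:03 mx1 MailScanner[28920]: Spam Actions: message j9QAAAAA000001 actions are attachment,deliver
Oct 26 15:07:08 mx1 MailScanner[28920]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: ./j9QAAAAA000001/msg-28920-1410.html
Oct 26 15:08:11 mx1 MailScanner[28920]: Spam Actions: message j9QBBBBB000002 actions are delete
Oct 26 15:08:15 mx1 MailScanner[28920]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: ./j9QBBBBB000002/msg-28920-1411.html
Oct 26 15:09:20 mx1 MailScanner[28921]: Spam Actions: message j9QCCCCC000003 actions are deliver
"""

# "Spam Actions: message <queue-id> actions are <comma-separated list>"
SPAM_ACTIONS = re.compile(r"Spam Actions: message (\S+) actions are (\S+)")
# "ClamAVModule::INFECTED:: <signature>:: ./<queue-id>/<file>"
CLAM_HIT = re.compile(r"ClamAVModule::INFECTED::\s*(\S+?)::\s*\./([^/\s]+)/")


def deliver_and_infected(log_text):
    """Map queue ID -> actions and signatures for messages that have both
    a spam action list containing 'deliver' and a ClamAVModule hit."""
    actions = {}
    signatures = defaultdict(list)
    for line in log_text.splitlines():
        m = SPAM_ACTIONS.search(line)
        if m:
            actions[m.group(1)] = m.group(2).split(",")
            continue
        m = CLAM_HIT.search(line)
        if m:
            # The queue ID is the directory component of the scanned path.
            signatures[m.group(2)].append(m.group(1))
    return {
        qid: {"actions": acts, "signatures": signatures[qid]}
        for qid, acts in actions.items()
        if "deliver" in acts and qid in signatures
    }


if __name__ == "__main__":
    for qid, info in deliver_and_infected(SAMPLE_LOG).items():
        print(qid, ",".join(info["actions"]), ",".join(info["signatures"]))
```

The script only reports that both entries were logged for a message; it does not determine what MailScanner finally did with it.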
