Problem with ClamAVModule

Denis Beauchemin Denis.Beauchemin at USHERBROOKE.CA
Thu Oct 27 19:12:37 IST 2005


Denis Beauchemin wrote:

> Julian Field wrote:
>> On 27 Oct 2005, at 14:01, John Wilcock wrote:
>>> Denis Beauchemin wrote:
>>>> John Wilcock wrote:
>>>>> Looks like your clamav is using a French locale, whereas  
>>>>> MailScanner is no doubt looking for clam's standard English  
>>>>> messages...
>>>> ClamAV's message is in English:
>>>> Oct 26 15:07:08 MailScanner[28920]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: ./j9QJ6iY3027535/msg-28920-1410.html
>>>> I agree that MS runs with French locale but it doesn't cause any  
>>>> problem with McAfee or Bitdefender.  Why would it act this way  
>>>> with ClamAV?
>>> Sorry, I had a vague recollection of problems parsing certain virus  
>>> scanner output with the system locale set to French, but on closer  
>>> inspection I think I was barking up the wrong tree there.
>> When using either of the module-based virus scanners, the output you
>> are seeing from Clam is actually generated by MailScanner itself, and
>> there is no provision for translation of the syntax of these lines.
>> So, though it might be a problem when using "clamav", the locale does
>> not affect "clamavmodule" or "sophossavi".
> Julian,
> Then how could we explain the fact that MS logged an infected file but 
> sent it anyways to the user?  Do I have something amiss in my config?
> Denis

I may have been fooled by MS' messages...  I think MS did the right 
thing (not deliver the message) because I have no sendmail entry in my 
maillog with stat=sent...  for that message ID; just the stat=queued as 
seen in the next example (dates and times omitted to help legibility):

sendmail[1259]: j9RA07iO001259: from=<Unterstutzung23 at>, 
size=29433, class=0, nrcpts=1, 
msgid=<001a01c5dadd$3a4c2ae8$a24dfea9 at jlbt-qjhfa1lk9x>, proto=SMTP, 
daemon=MTA, relay=[]
sendmail[1259]: j9RA07iO001259: to=<user>, delay=00:00:23, mailer=relay, 
pri=59433, stat=queued
MailScanner[1586]: New Batch: Scanning 2 messages, 14615113 bytes
MailScanner[1586]: Spam Checks: Starting
MailScanner[1586]: Message j9RA07iO001259 from 
(unterstutzung23 at to is est un 
polluriel, SpamAssassin (score=15.839, requis 5, BAYES_99 3.50, 
DCC_CHECK 2.17, HTML_90_100 0.02, HTML_FONT_LOW_CONTRAST 0.79, 
MailScanner[1586]: Spam Checks: Found 1 spam messages
MailScanner[1586]: Spam Actions: message j9RA07iO001259 actions are 
MailScanner[1586]: Virus and Content Scanning: Starting
MailScanner[1586]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: 
MailScanner[1586]: Virus Scanning: ClamAV Module found 1 infections
MailScanner[1586]: Infected message j9RA07iO001259 came from
MailScanner[1586]: Virus Scanning: Found 1 viruses
MailScanner[1586]: <A> tag found in message j9RA07iO001259 from 
unterstutzung23 at
MailScanner[1586]: Found ip-based phishing fraud from in j9RA07iO001259
MailScanner[1586]: Found ip-based phishing fraud from in j9RA07iO001259
MailScanner[1586]: Content Checks: Detected and have disarmed phishing 
tags in HTML message in j9RA07iO001259 from unterstutzung23 at
MailScanner[1586]: Viruses marked as silent: ClamAV Module: 
msg-1586-250.html was infected: HTML.Phishing.Bank-1
MailScanner[1586]: Uninfected: Delivered 1 messages


  °v°   Denis Beauchemin, analyste
 /(_)\  Université de Sherbrooke, S.T.I.
  ^ ^   T: 819.821.8000x2252 F: 819.821.8045
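
The check described in the message above (a queue ID that MailScanner logged as infected and that has only stat=queued, never stat=sent, was not delivered), as an added example that is not part of the original post or of MailScanner. The function names, the EXAMPLEID queue IDs and the 192.0.2.x addresses are constructed, and each log entry is assumed to sit on a single line as it does in the real maillog.

```python
import re
from collections import defaultdict

# Line shapes follow the log excerpt in the post; timestamps are omitted there too.
SENDMAIL_STAT = re.compile(r"sendmail\[\d+\]: (\w+): to=.*\bstat=(\w+)", re.I)
MS_INFECTED = re.compile(r"MailScanner\[\d+\]: Infected message (\w+) came from")

def correlate(lines):
    """Map queue ID -> whether MailScanner flagged it and every stat= value sendmail logged."""
    seen = defaultdict(lambda: {"infected": False, "stats": set()})
    for line in lines:
        m = SENDMAIL_STAT.search(line)
        if m:
            seen[m.group(1)]["stats"].add(m.group(2).lower())
            continue
        m = MS_INFECTED.search(line)
        if m:
            seen[m.group(1)]["infected"] = True
    return dict(seen)

def infected_and_sent(lines):
    """Queue IDs that were flagged as infected and still have a stat=sent entry."""
    return sorted(qid for qid, rec in correlate(lines).items()
                  if rec["infected"] and "sent" in rec["stats"])

# Constructed sample: the first ID is the one from the post (queued only),
# EXAMPLEID00001 is infected and sent, EXAMPLEID00002 is clean and sent.
SAMPLE = """\
sendmail[1259]: j9RA07iO001259: to=<user>, delay=00:00:23, mailer=relay, pri=59433, stat=queued
MailScanner[1586]: Infected message j9RA07iO001259 came from 192.0.2.10
sendmail[2001]: EXAMPLEID00001: to=<user>, delay=00:00:01, mailer=relay, pri=30000, stat=queued
MailScanner[1586]: Infected message EXAMPLEID00001 came from 192.0.2.11
sendmail[2050]: EXAMPLEID00001: to=<user>, delay=00:00:40, mailer=local, pri=30000, stat=Sent
sendmail[2002]: EXAMPLEID00002: to=<user>, delay=00:00:01, mailer=relay, pri=30000, stat=queued
sendmail[2051]: EXAMPLEID00002: to=<user>, delay=00:00:30, mailer=local, pri=30000, stat=Sent
""".splitlines()

if __name__ == "__main__":
    for qid, rec in sorted(correlate(SAMPLE).items()):
        print(qid, "infected" if rec["infected"] else "clean", sorted(rec["stats"]))
    print("infected and sent:", infected_and_sent(SAMPLE))
```

An empty result from infected_and_sent() matches what the post concludes for j9RA07iO001259; any ID it returns is a message worth tracing further in the maillog.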
