Problem with ClamAVModule
Denis Beauchemin
Denis.Beauchemin at USHERBROOKE.CA
Thu Oct 27 19:12:37 IST 2005
Denis Beauchemin wrote:
> Julian Field wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>>
>> On 27 Oct 2005, at 14:01, John Wilcock wrote:
>>
>>> Denis Beauchemin wrote:
>>>
>>>> John Wilcock wrote:
>>>>
>>>>> Looks like your clamav is using a French locale, whereas
>>>>> MailScanner is no doubt looking for clam's standard English
>>>>> messages...
>>>>>
>>>>
>>>> ClamAV's message is in English:
>>>> Oct 26 15:07:08 132.210.244.90 MailScanner[28920]:
>>>> ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: ./j9QJ6iY3027535/
>>>> msg-28920-1410.html
>>>> I agree that MS runs with French locale but it doesn't cause any
>>>> problem with McAfee or Bitdefender. Why would it act this way
>>>> with ClamAV?
>>>>
>>>
>>> Sorry, I had a vague recollection of problems parsing certain virus
>>> scanner output with the system locale set to French, but on closer
>>> inspection I think I was barking up the wrong tree there.
>>>
>>
>> When using either of the module-based virus scanners, the output you
>> are seeing from Clam is actually generated by MailScanner itself,
>> and there is no provision for translation of the syntax of these
>> lines. So, though it might be a problem when using "clamav", the
>> locale does not affect "clamavmodule" or "sophossavi".
>>
>
> Julian,
>
> Then how could we explain the fact that MS logged an infected file but
> sent it anyways to the user? Do I have something amiss in my config?
>
> Denis
>
Julian,
I may have been fooled by MS' messages... I think MS did the right
thing (not deliver the message) because I have no sendmail entry in my
maillog with stat=sent... for that message ID; just the stat=queued as
seen in the next example (dates and times omitted to help legibility):
sendmail[1259]: j9RA07iO001259: from=<Unterstutzung23 at vr-networld.de>,
size=29433, class=0, nrcpts=1,
msgid=<001a01c5dadd$3a4c2ae8$a24dfea9 at jlbt-qjhfa1lk9x>, proto=SMTP,
daemon=MTA, relay=[222.216.100.89]
sendmail[1259]: j9RA07iO001259: to=<user>, delay=00:00:23, mailer=relay,
pri=59433, stat=queued
MailScanner[1586]: New Batch: Scanning 2 messages, 14615113 bytes
MailScanner[1586]: Spam Checks: Starting
MailScanner[1586]: Message j9RA07iO001259 from 222.216.100.89
(unterstutzung23 at vr-networld.de) to physique.usherb.ca is est un
polluriel, SpamAssassin (score=15.839, requis 5, BAYES_99 3.50,
DCC_CHECK 2.17, HTML_90_100 0.02, HTML_FONT_LOW_CONTRAST 0.79,
HTML_IMAGE_ONLY_08 3.04, HTML_MESSAGE 0.00, INVALID_DATE 0.24,
J_CHICKENPOX_22 0.60, MIME_QP_LONG_LINE 0.04, NORMAL_HTTP_TO_IP 4.00,
SUBJ_HAS_UNIQ_ID 1.34, WEIRD_PORT 0.11)
MailScanner[1586]: Spam Checks: Found 1 spam messages
MailScanner[1586]: Spam Actions: message j9RA07iO001259 actions are
attachment,deliver
MailScanner[1586]: Virus and Content Scanning: Starting
MailScanner[1586]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1::
./j9RA07iO001259/msg-1586-250.html
MailScanner[1586]: Virus Scanning: ClamAV Module found 1 infections
MailScanner[1586]: Infected message j9RA07iO001259 came from 222.216.100.89
MailScanner[1586]: Virus Scanning: Found 1 viruses
MailScanner[1586]: <A> tag found in message j9RA07iO001259 from
unterstutzung23 at vr-networld.de
MailScanner[1586]: Found ip-based phishing fraud from
202.164.185.98:8081 in j9RA07iO001259
MailScanner[1586]: Found ip-based phishing fraud from
202.164.185.98:8081 in j9RA07iO001259
MailScanner[1586]: Content Checks: Detected and have disarmed phishing
tags in HTML message in j9RA07iO001259 from unterstutzung23 at vr-networld.de
MailScanner[1586]: Viruses marked as silent: ClamAV Module:
msg-1586-250.html was infected: HTML.Phishing.Bank-1
MailScanner[1586]: Uninfected: Delivered 1 messages
Denis
--
_
°v° Denis Beauchemin, analyste
/(_)\ Université de Sherbrooke, S.T.I.
^ ^ T: 819.821.8000x2252 F: 819.821.8045
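The check Denis describes (pair the MailScanner detection lines with the sendmail stat= lines for the same queue ID) can be done over the log itself. The following is an added example, not code from the list or from the MailScanner project: it joins the ClamAVModule INFECTED line, the "Viruses marked as silent" line (which names only the attachment file, so it is linked through the ./<queue-id>/<file> path) and the sendmail status per queue ID. The sample lines are constructed after the ones quoted above; the field layout is assumed from that output, and queue IDs ending 009999 and 007777 are invented.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's log; queue IDs 009999/007777 are invented.
SAMPLE_LOG = """\
sendmail[1259]: j9RA07iO001259: to=<user>, delay=00:00:23, mailer=relay, pri=59433, stat=queued
MailScanner[1586]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1:: ./j9RA07iO001259/msg-1586-250.html
MailScanner[1586]: Viruses marked as silent: ClamAV Module: msg-1586-250.html was infected: HTML.Phishing.Bank-1
sendmail[1260]: j9RA07iO009999: to=<user>, delay=00:00:05, mailer=relay, pri=30000, stat=queued
MailScanner[1586]: ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./j9RA07iO009999/msg-1586-251.txt
sendmail[1261]: j9RA07iO007777: to=<user>, delay=00:00:02, mailer=relay, pri=30000, stat=queued
sendmail[1300]: j9RA07iO007777: to=<user>, delay=00:00:40, mailer=esmtp, pri=30000, stat=Sent (ok)
"""

INFECTED_RE = re.compile(r"MailScanner\[\d+\]: \w+::INFECTED:: (\S+?):: \./(\w+)/(\S+)")
SILENT_RE = re.compile(r"Viruses marked as silent: .*?: (\S+) was infected: (\S+)")
SENDMAIL_RE = re.compile(r"sendmail\[\d+\]: (\w+): to=<[^>]*>.*stat=(\w+)")

def triage(log_text):
    """Group detections and MTA status per queue ID. The 'marked as silent' line names
    only the attachment file, so it is joined to its message via the INFECTED path."""
    msgs = defaultdict(lambda: {"infected": [], "silent": [], "stat": []})
    file_to_msg = {}
    for line in log_text.splitlines():
        if m := INFECTED_RE.search(line):
            sig, msgid, fname = m.groups()
            msgs[msgid]["infected"].append(sig)
            file_to_msg[fname] = msgid
        elif m := SILENT_RE.search(line):
            fname, sig = m.groups()
            if fname in file_to_msg:
                msgs[file_to_msg[fname]]["silent"].append(sig)
        elif m := SENDMAIL_RE.search(line):
            qid, stat = m.groups()
            msgs[qid]["stat"].append(stat)
    return dict(msgs)

def silenced_only(record):
    """True when every signature found in the message was in the silent list, so its
    fate must be confirmed in the MTA log rather than read off the MailScanner lines."""
    inf, sil = set(record["infected"]), set(record["silent"])
    return bool(inf) and inf <= sil

def was_sent(record):
    """True if sendmail logged stat=Sent for the queue ID; stat=queued alone only
    records the inbound acceptance into the scanning queue, as in Denis' maillog."""
    return any(s.lower() == "sent" for s in record["stat"])
```

Run triage() over the real maillog and look at every queue ID for which silenced_only() is true and was_sent() is false; that is the "queued but never sent" pattern Denis reports.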