Problem with AVG scanner - MailScanner does not recognize virus

Pavel Zichovsky zichovsky at trul.cz
Mon Jan 30 15:34:10 GMT 2006


Hi there!

I am using MailScanner (currently updated to beta 4.50.12) with two virus
scanners - AVG and Bitdefender.
It seems to me that, since a certain update of the AVG system, MailScanner
stopped recognizing viruses identified by AVG.

I tested it by sending eicar to myself.

The message was processed by MS, and in the /tmp dir I found the log from
the AVG scan:

avg log file (/tmp/log.avg.29936):
-----------------------------------------------------------------------------
AVG  7.1 Anti-Virus
Copyright (c) GRISOFT,s.r.o. 2005
Program version 7.1.23  Engine: 718 database version 267.14.23/243
Command line: [-report /tmp/log.avg.29936 -arc -ext=* .]
"./k0UF45M29934/eicar.com"  Virus identified EICAR_Test


------------------------------------------------------------
Test start Mon Jan 30 16:04:15 2006

Elapsed time 0 sec.
------------------------------------------------------------
Scanned         files      :    3
Scanned         sectors    :    0
Infected        files      :    1
Infected        sectors    :    0
------------------------------------------------------------

According to this log, AVG detected eicar, but MS did not recognize that AVG
found a virus.
Here are the maillog entries for that batch:
-----------------------------------------------------------------------
Jan 30 16:04:13 server MailScanner[29912]: New Batch: Scanning 1 messages,
3946 bytes
Jan 30 16:04:13 server MailScanner[29912]: MCP Checks completed at 12453516
bytes per second
Jan 30 16:04:13 server MailScanner[29912]: Spam Checks: Starting
Jan 30 16:04:13 server MailScanner[29912]: SpamAssassin cache hit for
message k0UF45M29934
Jan 30 16:04:14 server MailScanner[29912]: Spam Checks completed at 17675
bytes per second
Jan 30 16:04:14 server MailScanner[29912]: Virus and Content Scanning:
Starting
Jan 30 16:04:18 server MailScanner[29912]: k0UF45M29934/eicar.com:infected:
EICAR-Test-File (not a virus)
Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Bitdefender found
1 infections
Jan 30 16:04:18 server MailScanner[29912]: Infected message k0UF45M29934
came from 69.20.55.130
Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Found 1 viruses
Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning completed at 891
bytes per second
Jan 30 16:04:18 server MailScanner[29912]: Saved entire message to
/home/data/mailscanner/quarantine/20060130/k0UF45M29934
Jan 30 16:04:18 server MailScanner[29912]: Saved infected "eicar.com" to
/home/data/mailscanner/quarantine/20060130/k0UF45M29934
Jan 30 16:04:18 server MailScanner[29912]: Viruses marked as silent:
Bitdefender: Found virus EICAR-Test-File (not a virus) in file eicar.com
Jan 30 16:04:18 server sendmail[29943]: k0UF4Ie29943:
from=postmaster at trul.cz, size=1447, class=0, nrcpts=1,
msgid=<200601301504.k0UF4Ie29943 at server.trul>, relay=root at localhost
Jan 30 16:04:18 server MailScanner[29912]: Notices: Warned about 1 messages
Jan 30 16:04:18 server MailScanner[29912]: Virus Processing completed at
22175 bytes per second
Jan 30 16:04:18 server MailScanner[29912]: Disinfection completed at
23212796 bytes per second
Jan 30 16:04:18 server MailScanner[29912]: Batch completed at 794 bytes per
second (3946 / 4)
Jan 30 16:04:18 server MailScanner[29912]: Batch processed in 4.97 seconds
Jan 30 16:04:18 server MailScanner[29912]: "Always Looked Up Last" took 0.00
seconds
-------------------------------------------------------------------------------------

So if I am right, MS recognizes that only Bitdefender found the virus,
although AVG found it too (according to the log).

I ran AVG via the wrapper on the whole quarantine dir and got this:
----------------------------------------------------------------------
[root at server quarantine]# /usr/lib/MailScanner/avg-wrapper /usr/local .
AVG7 Anti-Virus command line scanner
Copyright (c) 2005 GRISOFT, s.r.o.
Program version 7.1.23, engine 718
Virus Database: Version 267.14.23/243  2006-01-27
License type is FULL for SERVER.
Expiration day: 25. 10. 2007
./20060124/spam/k0O2Fbq19306  Virus found Worm/Feebs
./20060124/spam/k0OD9Cq01779  Virus found Worm/Feebs
./20060124/spam/k0ODACq01874  Virus found Worm/Feebs
./20060125/k0PAM9829845/eicar.com  Virus identified EICAR_Test
./20060125/k0PAM9829845/message  Virus identified EICAR_Test (+1)
./20060125/k0PAeen30411/eicar.com  Virus identified EICAR_Test
./20060125/k0PAeen30411/message  Virus identified EICAR_Test (+1)
./20060125/nonspam/k0PAM9829845  Virus identified EICAR_Test (+1)
./20060125/nonspam/k0PAeen30411  Virus identified EICAR_Test (+1)
./20060125/nonspam/k0PIOtn08366  Virus found Worm/Feebs
./20060125/spam/k0PA5cq29321  Virus found Worm/Feebs
./20060130/k0UEuSM29727/eicar.com  Virus identified EICAR_Test
./20060130/k0UEuSM29727/message  Virus identified EICAR_Test (+1)
./20060130/k0UF45M29934/eicar.com  Virus identified EICAR_Test
./20060130/k0UF45M29934/message  Virus identified EICAR_Test (+1)
./20060130/nonspam/k0UEuSM29727  Virus identified EICAR_Test (+1)
./20060130/nonspam/k0UF45M29934  Virus identified EICAR_Test (+1)
Tested: 2660 files, 0 sectors
Infections: 17
Errors: 0
------------------------------------------------------------------------

So I think that there is a problem in parsing AVG output in MS.

And one more problem with avg-wrapper - it does not delete report files in
the /tmp dir. Files stay there until manually deleted.

With regards
Pavel Zichovsky (zichovsky at trul)
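
Added example, not part of the original post and not MailScanner's own parser: a Python cross-check that reads an AVG report and the matching maillog lines and flags detections AVG reported but MailScanner did not attribute to it. The sample text is copied from the logs above (wrapped lines re-joined); the scanner label `AVG` in the maillog is an assumption modelled on the Bitdefender line.

```python
import re

# Both result-line shapes that appear in the post's AVG output (quoted and bare path).
AVG_HIT = re.compile(r'^"?(?P<path>\./[^"]*?)"?\s+Virus (?:identified|found)\s+(?P<name>\S+)')
AVG_TOTAL = re.compile(r'^Infected\s+files\s*:\s*(?P<n>\d+)')
# Per-scanner syslog line, same shape as the Bitdefender entry in the post.
MS_CREDIT = re.compile(r'MailScanner\[\d+\]: Virus Scanning: (?P<scanner>\S+) found (?P<n>\d+) infections')

def avg_hits(report):
    """Return [(path, virus_name)] for every detection line in an AVG report."""
    return [(m['path'], m['name']) for m in map(AVG_HIT.match, report.splitlines()) if m]

def avg_total(report):
    """Return the 'Infected files' count from the report summary, or None."""
    for line in report.splitlines():
        m = AVG_TOTAL.match(line)
        if m:
            return int(m['n'])
    return None

def credited(maillog):
    """Return {scanner: infections} as MailScanner logged them."""
    return {m['scanner']: int(m['n']) for m in MS_CREDIT.finditer(maillog)}

def uncredited(report, maillog, scanner='AVG'):
    """Detections the scanner reported that MailScanner did not attribute to it."""
    hits = avg_hits(report)
    return hits if len(hits) > credited(maillog).get(scanner, 0) else []

# Sample input taken from the post (report for batch 29936 and its maillog lines).
AVG_REPORT = '''"./k0UF45M29934/eicar.com"  Virus identified EICAR_Test
Scanned         files      :    3
Infected        files      :    1
Infected        sectors    :    0
'''
MAILLOG = '''Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Bitdefender found 1 infections
Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Found 1 viruses
'''

if __name__ == '__main__':
    # A parsed-hit count below the report's own summary means a line shape was missed.
    print('parsed', len(avg_hits(AVG_REPORT)), 'of', avg_total(AVG_REPORT))
    print('credited by MailScanner:', credited(MAILLOG))
    print('reported by AVG but not credited:', uncredited(AVG_REPORT, MAILLOG))
```
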