MailScanner --lint doesn't check Eicar virus - OK here!

Randal, Phil prandal at herefordshire.gov.uk
Thu Dec 6 18:18:22 GMT 2007


I've finally tracked this down:
 
yumming from the rpmforge repo had updated perl-MIME-Tools to version
5.424.
 
Downgrading to 5.420 made things work:
 
# MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.66.2) is correct.
 
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
 
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir =
/var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = clamavmodule mcafee"
Found these virus scanners installed: clamavmodule, mcafee
========================================================================
===
========================================================================
===
 
If any of your virus scanners (clamavmodule,mcafee)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.
[root at mx1 src]# rpm -Uvh perl-MIME-tools-5.420-2.el5.rf.noarch.rpm
--force
Preparing...                ###########################################
[100%]
   1:perl-MIME-tools        ###########################################
[100%]
[root at mx1 src]# MailScanner --lint
Trying to setlogsock(unix)
Checking version numbers...
Version number in MailScanner.conf (4.66.2) is correct.
 
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
 
Checking for SpamAssassin errors (if you use it)...
SpamAssassin temp dir =
/var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin reported no errors.
MailScanner.conf says "Virus Scanners = clamavmodule mcafee"
Found these virus scanners installed: clamavmodule, mcafee
========================================================================
===
========================================================================
===
Virus Scanner test reports:
ClamAVModule said "eicar.com was infected: Eicar-Test-Signature"
McAfee said "/1/eicar.com        Found: EICAR test file NOT a virus."
 
If any of your virus scanners (clamavmodule,mcafee)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.

This might have had other side-effects other than the antivirus lint.
 
Cheers,
 
Phil
--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 
 


________________________________

	From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Randal,
Phil
	Sent: 29 November 2007 13:58
	To: MailScanner discussion
	Subject: RE: MailScanner --lint doesn't check Eicar virus - OK
here!
	
	
	Michael,
	 
	Which version of RedHat are you running?
	 
	I see the problem on CentOS 5.0.
	 
	It may a side effect of force-installing the perl update.
	 
	It would be nice to know what's actually happening and what the
fix is, though.  I'm not a perl guru so it's beyond me.
	 
	Cheers,
	 
	Phil
	--
	Phil Randal
	Network Engineer
	Herefordshire Council
	Hereford, UK 
	 


________________________________

		From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Michael
Mansour
		Sent: 29 November 2007 06:13
		To: MailScanner discussion
		Subject: RE: MailScanner --lint doesn't check Eicar
virus - OK here!
		
		
		Hi Quentin,
		
		Quentin Campbell <Q.G.Campbell at newcastle.ac.uk> wrote: 

			Phil
			
			It appears to work here. I get a different
result to you:
			

		This is very strange then. 
		
		This begs the question, in what cases does this --lint
fail with the Eicar virus check?
		
		I'm pretty sure I saw the test pass with Eicar in there
when I upgraded to MailScanner 4.65.3 (not certain but pretty sure), but
only recently noticed that Eicar was no longer there. This may have
happened after some perl errata upgrades on Linux recently released by
Red Hat.
		
		I'm just interested to know now that if this is the
case, then was would cause that symptom and is it causing other problems
I can't see?
		
		Michael.
		

			[root at cheviot4 MailScanner]# MailScanner --lint
			Checking version numbers...
			Version number in MailScanner.conf (4.65.3) is
correct.
			
			Your envelope_sender_header in
spam.assassin.prefs.conf is correct.
			
			Checking for SpamAssassin errors (if you use
it)...
			SpamAssassin temp dir =
/var/spool/MailScanner/incoming/SpamAssassin-Temp
			SpamAssassin reported no errors.
			MailScanner.conf says "Virus Scanners =
clamavmodule mcafee"
			Found these virus scanners installed:
clamavmodule, mcafee
	
========================================================================
===
	
========================================================================
===
			Virus Scanner test reports:
			ClamAVModule said "eicar.com was infected:
Eicar-Test-Signature"
			McAfee said "/1/eicar.com Found: EICAR test file
NOT a virus."
			
			If any of your virus scanners
(clamavmodule,mcafee)
			are not listed there, you should check that they
are installed correctly
			and that MailScanner is finding them correctly
via its virus.scanners.conf.
			[root at cheviot4 MailScanner]#
			
			Quentin 
			---
			PHONE: +44 191 222 8209    Information Systems
and Services (ISS),
			                           Newcastle University,
			                           Newcastle upon Tyne,
			FAX:   +44 191 222 8765    United Kingdom, NE1
7RU.
	
------------------------------------------------------------------------
			
			
			
			
			
			>-----Original Message-----
			>From:
mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
			>bounces at lists.mailscanner.info] On Behalf Of
Randal, Phil
			>Sent: 28 November 2007 14:10
			>To: MailScanner discussion
			>Subject: RE: MailScanner --lint doesn't check
Eicar virus
			>
			>Well spotted!
			>
			>Confirming that it is broken in 4.65.3
			>
			># MailScanner --lint
			>Checking version numbers...
			>Version number in MailScanner.conf (4.65.3) is
correct.
			>
			>Your envelope_sender_header in
spam.assassin.prefs.conf is correct.
			>
			>Checking for SpamAssassin errors (if you use
it)...
			>SpamAssassin temp dir =
/var/spool/MailScanner/incoming/SpamAssassin-
			>Temp
			>SpamAssassin reported no errors.
			>MailScanner.conf says "Virus Scanners =
clamavmodule mcafee"
			>Found these virus scanners installed:
clamavmodule, mcafee
	
>=======================================================================
=
			>===
	
>=======================================================================
=
			>===
			>
			>If any of your virus scanners
(clamavmodule,mcafee)
			>are not listed there, you should check that
they are installed correctly
			>and that MailScanner is finding them correctly
via its
			>virus.scanners.conf.
			>
			>Cheers,
			>
			>Phil
			>
			>--
			>Phil Randal
			>Network Engineer
			>Herefordshire Council
			>Hereford, UK
			>
			>
			>
			>
			>
			>________________________________
			>
			> From:
mailscanner-bounces at lists.mailscanner.info
	
>[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
Michael
			>Mansour
			> Sent: 28 November 2007 14:03
			> To: MailScanner discussion
			> Subject: MailScanner --lint doesn't check
Eicar virus
			>
			>
			> Hi,
			>
			> I used to be able to run:
			>
			> # MailScanner --lint
			> Checking version numbers...
			> Version number in MailScanner.conf (4.65.3) is
correct.
			>
			> Your envelope_sender_header in
spam.assassin.prefs.conf is
			>correct.
			>
			> Checking for SpamAssassin errors (if you use
it)...
			> SpamAssassin temp dir = /tmp/SpamAssassin-Temp
			> SpamAssassin reported no errors.
			> MailScanner.conf says "Virus Scanners =
clamavmodule"
			> Found these virus scanners installed:
clamavmodule
			>
==================================================================
			>=========
			>
==================================================================
			>=========
			>
			> If any of your virus scanners (clamavmodule)
			> are not listed there, you should check that
they are installed
			>correctly
			> and that MailScanner is finding them correctly
via its
			>virus.scanners.conf.
			>
			> and see MailScanner test the Eicar virus
between the "===" rows,
			>but most recently I see this doesn't work
anymore.
			>
			> Is there something I can check to see why?
			>
			> When I run the wrapper:
			>
			> /usr/lib/MailScanner/clamav-wrapper /usr /tmp
			>
			> it finds clamav and works scans /tmp fine.
			>
			> Thanks.
			>
			> Michael.
			>
			>
			>
			>
			>________________________________
			>
			> Make the switch to the world's best email. Get
the new Yahoo!7
			>Mail now
			>
			>u.yahoo.com/worldsbestmail/spankey/> .
			
			--
			MailScanner mailing list
			mailscanner at lists.mailscanner.info
	
http://lists.mailscanner.info/mailman/listinfo/mailscanner
			
			Before posting, read
http://wiki.mailscanner.info/posting
			
			Support MailScanner development - buy the book
off the website!
			


		
________________________________

		Make the switch to the world's best email. Get the new
Yahoo!7 Mail now
<http://au.rd.yahoo.com/mail/taglines/default_all/mail/spankey/*http://a
u.yahoo.com/worldsbestmail/spankey/> . 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.mailscanner.info/pipermail/mailscanner/attachments/20071206/ae590724/attachment.html


More information about the MailScanner mailing list