MailScanner is ignoring some ClamAV 'viruses' from NDB signature databases

Glenn Steen glenn.steen at gmail.com
Tue Feb 20 10:40:31 CET 2007


On 20/02/07, Quentin Campbell <Q.G.Campbell at newcastle.ac.uk> wrote:
> I recently started using some of the extra .NDB/.HDB signature databases
> for ClamAV from Sanesecurity - http://www.sanesecurity.com/clamav/.
>
> In some cases MailScanner is recognising a 'virus' detected by these but
> is still delivering the message rather than dropping it silently. All
> the log entries for messages behaving this way appear to have a
> corrupted path name in the virus "FOUND" log record from MailScanner:
>
> Feb 20 08:00:07 cheviot1 MailScanner[26921]:
> /var/spool/MailScanner/incoming/26921/./l1K7xWrE017195.header:
> Email.Spam.Gen103.Sanesecurity.07011703 FOUND
>
> [the faulty part above is "/l1K7xWrE017195.header:"]
>
I'm not entirely sure, but this looks like it erroneously is detecting
the MailScanner generated file containing the message headers for that
message ID. So that would be a false positive of sorts. Does it also
find the actual message to contain a "virus"?

-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se


More information about the MailScanner mailing list