UNKNOWN CLAMD RETURN
UxBoD
uxbod at splatnix.net
Thu Jul 19 12:57:10 IST 2007
I have tried changing the code in SweepViruses.pm too :-
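# Count the '/' separators in the clamd result string
my $slashes = ($results =~ tr/\//\//);
my ($dot,$childname,$filename,$rest) = split('/',$results);
# Fewer than 3 slashes: no separate file component, so re-split without $childname
# (plain assignment; a second "my ... if" would leave the variables undefined)
($dot,$filename,$rest) = split('/',$results) if ($slashes < 3);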
which now writes out to maillog as the file being INFECTED :-
Jul 19 07:45:54 bianchi MailScanner[7833]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./BDCDD7CF27A.49D6B.header/BDCDD7CF27A.49D6B.header
Jul 19 07:46:59 bianchi MailScanner[7601]: INFECTED:: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: ./AC0FB7CF27A.96473.header/AC0FB7CF27A.96473.header
Jul 19 07:46:59 bianchi MailScanner[7608]: INFECTED:: Email.Spam.Gen595.Sanesecurity.07052401 FOUND :: ./100DE7CEF53.AD8E0.header/100DE7CEF53.AD8E0.header
Jul 19 07:47:17 bianchi MailScanner[7669]: INFECTED:: Email.Hdr.Sanesecurity.07012400 FOUND :: ./7F1647CF285.8D628.header/7F1647CF285.8D628.header
Jul 19 07:47:33 bianchi MailScanner[7760]: INFECTED:: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: ./392767CEBF5.89DDE.header/392767CEBF5.89DDE.header
Jul 19 07:48:32 bianchi MailScanner[7781]: INFECTED:: Email.Scam4.Gen824.Sanesecurity.07051409 FOUND :: ./6A4BF7CECA4.1C3E3.header/6A4BF7CECA4.1C3E3.header
but for some reason it does not mark it as a Virus in MailWatch :(
----- Original Message -----
From: "UxBoD" <uxbod at splatnix.net>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, July 19, 2007 12:35:33 PM (GMT) Europe/London
Subject: Re: UNKNOWN CLAMD RETURN
Rick,
Here is the output :-
[root@bianchi tmp]# clamscan /tmp/eicar.com
/tmp/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Known viruses: 154131
Engine version: 0.91.1
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Time: 1.491 sec (0 m 1 s)
[root@bianchi tmp]# clamdscan /tmp/eicar.com
/tmp/eicar.com: Eicar-Test-Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.000 sec (0 m 0 s)
But as it is the header then that is probably why it is not giving a filename that has been scanned.
----- Original Message -----
From: "Rick Cooper" <rcooper at dwford.com>
To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
Sent: Thursday, July 19, 2007 12:27:04 PM (GMT) Europe/London
Subject: RE: UNKNOWN CLAMD RETURN
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On
> Behalf Of UxBoD
> Sent: Thursday, July 19, 2007 6:18 AM
> To: MailScanner discussion
> Subject: Re: UNKNOWN CLAMD RETURN
>
> Sorry here is what versions running :-
>
> MailScanner 4.62.3 (RPM)
> ClamAV 0.91/3697/Wed Jul 18 20:18:47 2007 (RPM)
>
> Cheers,
> ----- Original Message -----
> From: "UxBoD" <uxbod at splatnix.net>
> To: "MailScanner discussion" <mailscanner at lists.mailscanner.info>
> Sent: Thursday, July 19, 2007 11:12:51 AM (GMT) Europe/London
> Subject: Re: UNKNOWN CLAMD RETURN
>
> I have added a couple of extra debug lines to SweepViruses.pm :-
>
> print "ERROR:: UNKNOWN CLAMD RETURN $results :: $ScanDir\n";
> print "ERROR2:: $rest\n";
> print "ERROR3:: $results\n";
>
> and get the following :-
>
> Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR2::
> Jul 19 06:05:08 bianchi MailScanner[11482]: ERROR3::
> ./9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND
>
[...]
That line is really formatted wrong; the filename is missing from the output.
Should be something like
./1IBU5l-0003RA-Ru/eicar.com/Eicar-Test-Signature FOUND
^ ^                ^         ^
Dot Child          File      rest
Could you scan an eicar test file from the command line with clamdscan and
see how the output looks?
Rick
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
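A parser for the result layout described above (Dot / Child / File / rest) that also accepts the short form reported for the .header scans. This is an added example, not part of the original thread and not MailScanner's own code; the function name parse_clamd_result and the returned hash keys are assumptions.

```perl
use strict;
use warnings;

# Hypothetical helper, not MailScanner's own code. Splits a result string of
# the form "./<child>/<file>/<signature> FOUND" and also accepts the short
# form "./<child>/<signature> FOUND" reported in this thread for header hits.
sub parse_clamd_result {
    my ($results) = @_;
    return unless defined $results;

    my @parts = split m{/}, $results;
    # Need at least ".", a child directory and the trailing verdict.
    return unless @parts >= 3 && $parts[0] eq '.';

    # The last component carries the verdict: "<signature> FOUND".
    my $rest = pop @parts;
    my ($signature) = $rest =~ /^(\S+) FOUND\s*$/ or return;

    my $child = $parts[1];
    # Anything between child and verdict is the file name; it is absent
    # (undef) in the short form, so the caller must handle that case.
    my $file = @parts > 2 ? join('/', @parts[2 .. $#parts]) : undef;

    return { child => $child, file => $file, signature => $signature };
}

# Sample inputs: the first two are the strings quoted in the thread,
# the third is constructed to show rejection of an unparseable line.
my @samples = (
    './1IBU5l-0003RA-Ru/eicar.com/Eicar-Test-Signature FOUND',
    './9F1F37CF28F.C25E5.header/Email.Hdr.Sanesecurity.07061900 FOUND',
    'no leading dot here',
);

for my $line (@samples) {
    my $r = parse_clamd_result($line);
    if (!$r) {
        print "UNPARSED: $line\n";
        next;
    }
    printf "child=%s file=%s signature=%s\n",
        $r->{child}, defined $r->{file} ? $r->{file} : '(none)', $r->{signature};
}
```

Taking the verdict from the last component, rather than from a fixed position, means a hit is still reported when the file component is missing instead of being logged as an unknown return.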