MailScanner, ClamAV, and Sanesecurity

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 27 15:43:55 IST 2007



Ryan Weaver wrote:
> Ryan Weaver Wrote on Monday, June 11, 2007 11:42 AM
>> Chris Stone Wrote on Thursday, June 07, 2007 5:36 PM
>>> On Thu, 2007-06-07 at 12:17 -0500, Ryan Weaver wrote:
>>>> I've started using the Sanesecurity signatures that have been mentioned on
>>>> the list. I also use Vispan for its reporting and blocking features.
>>>>
>>>> The problem I have run into is that in the maillog, when the Sanesecurity
>>>> signatures are matched the following is the output:
>>>>
>>>> Jun  7 12:07:30 c01 MailScanner[7634]: Infected message l57H05nK007460.header came from
>>>> Jun  7 12:07:30 c01 MailScanner[7634]: Infected message l57H19sG007620.header came from
>>>>
>>> Not picked up by MailWatch.pm and shown as viruses in MailWatch either.
>>> I only note it though for the Email.Hdr.Sanesecurity* signatures - all
>>> the rest report just fine, just not these - e.g.:
>>>
>>> Jun  7 16:32:49 smtp1 MailScanner[5919]: /var/spool/MailScanner/incoming/5919/./l57MWISF012136.header: Email.Hdr.Sanesecurity.07012400 FOUND
>>> Jun  7 16:32:50 smtp1 MailScanner[5919]: Virus Scanning: ClamAV found 1 infections
>>> Jun  7 16:32:51 smtp1 MailScanner[5919]: Infected message l57MWISF012136.header came from
>>> Jun  7 16:32:51 smtp1 MailScanner[5919]: Virus Scanning: Found 1 viruses
>>> Jun  7 16:32:51 smtp1 MailScanner[5919]: Logging message l57MWISF012136 to SQL
>>> Jun  7 16:32:51 smtp1 MailScanner[6700]: l57MWISF012136: Logged to MailWatch SQL
>>>
>>> And even though MailWatch is logged as adding to SQL, when I look in the
>>> database table, the message is not logged.......
>>>
>> Anyone have any ideas about this ??
>>
>> Thanks,
>> Ryan
>
> Any movement on this front?
You may find this is fixed in the next beta, I have changed quite a lot 
of the clamav "infection" detection, so that the sanesecurity signatures 
can work reliably.
> Thanks,
> Ryan
>
>   

Jules

-- 
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
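
An added example, not part of the original message and not MailScanner or MailWatch code: a small Python check that scans a maillog for the symptom quoted in this thread, an "Infected message" line whose id ends in `.header` and whose source address is empty, and pairs it with the ClamAV signature that fired. The function name `find_unattributed` and the last sample log line (a normally attributed hit from a documentation IP) are assumptions made for the example.

```python
import re

# Sample maillog lines. The first three follow lines quoted in the thread; the
# last is constructed (documentation IP) to show a normally attributed hit.
SAMPLE_LOG = """\
Jun  7 16:32:49 smtp1 MailScanner[5919]: /var/spool/MailScanner/incoming/5919/./l57MWISF012136.header: Email.Hdr.Sanesecurity.07012400 FOUND
Jun  7 16:32:50 smtp1 MailScanner[5919]: Virus Scanning: ClamAV found 1 infections
Jun  7 16:32:51 smtp1 MailScanner[5919]: Infected message l57MWISF012136.header came from
Jun  7 16:40:02 smtp1 MailScanner[5919]: Infected message l57MeXAB012200 came from 192.0.2.10
"""

# Syslog prefix: "Mon DD HH:MM:SS host MailScanner[pid]: "
PREFIX = r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sMailScanner\[\d+\]:\s"
# ClamAV hit as relayed by MailScanner: "<path>: <signature> FOUND"
FOUND_RE = re.compile(PREFIX + r"(?P<path>\S+):\s(?P<sig>\S+) FOUND\s*$")
# Attribution line; the source after "came from" may be missing entirely
INFECTED_RE = re.compile(
    PREFIX + r"Infected message (?P<id>\S+) came from\s*(?P<src>\S*)\s*$"
)


def find_unattributed(log_text):
    """Return one dict per 'Infected message' line that has no source address."""
    sig_by_file = {}  # basename of the scanned file -> signature name
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            basename = m.group("path").rsplit("/", 1)[-1]
            sig_by_file[basename] = m.group("sig")
            continue
        m = INFECTED_RE.match(line)
        if m and not m.group("src"):
            logged_id = m.group("id")
            hits.append({
                "logged_id": logged_id,
                # Queue id without the ".header" suffix seen in the thread's logs
                "queue_id": re.sub(r"\.header$", "", logged_id),
                "signature": sig_by_file.get(logged_id),
            })
    return hits


if __name__ == "__main__":
    for hit in find_unattributed(SAMPLE_LOG):
        print(hit)
```

Any queue id this reports is a detection that downstream reporting keyed on the message id or source address may have missed, so it is worth cross-checking against the reporting database.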

