Virus Scanning Misreporting ?

Dalimil Gala konve at logout.cz
Tue Nov 27 12:38:13 GMT 2007


UxBoD wrote:
> Hi,
>
> We run clamav for our virus scanning but have been testing nod32 as well.  Just noticed in our logfiles this :-
>
> Nov 27 06:03:51 bianchi MailScanner[23803]: Virus and Content Scanning: Starting
> Nov 27 06:03:51 bianchi clamd[31077]: /var/spool/MailScanner/incoming/23803/10B1D7CF74A.AAFF8.message: Email.Phishing.RB-2033 FOUND
> Nov 27 06:03:51 bianchi clamd[31077]: /var/spool/MailScanner/incoming/23803/10B1D7CF74A.AAFF8/msg-23803-3.html: Email.Phishing.RB-2033 FOUND
> Nov 27 06:03:51 bianchi MailScanner[23803]: Clamd::INFECTED:: Email.Phishing.RB-2033 FOUND :: ./10B1D7CF74A.AAFF8/
> Nov 27 06:03:51 bianchi MailScanner[23803]: Clamd::INFECTED:: Email.Phishing.RB-2033 FOUND :: ./10B1D7CF74A.AAFF8/msg-23803-3.html
> Nov 27 06:03:51 bianchi MailScanner[23803]: Virus Scanning: Clamd found 2 infections
> Nov 27 06:03:53 bianchi MailScanner[23803]: Virus Scanning: Nod32 found 2 infections
> Nov 27 06:03:53 bianchi MailScanner[23803]: Infected message 10B1D7CF74A.AAFF8 came from 79.176.158.147
> Nov 27 06:03:53 bianchi MailScanner[23803]: Virus Scanning: Found 2 viruses
> Nov 27 06:03:53 bianchi MailScanner[23803]: Logging message 10B1D7CF74A.AAFF8 to SQL
>
> Yet nod32 has not actually detected anything, because the detection is from the SaneSecurity database.  Is this the expected behaviour?
>
>
> Regards,
>
> --[ UxBoD ]--
> // PGP Key: "curl -s https://www.splatnix.net/uxbod.asc | gpg --import"
> // Fingerprint: C759 8F52 1D17 B3C5 5854  36BD 1FB1 B02F 5DB5 687B
> // Keyserver: www.keyserver.net Key-ID: 0x5DB5687B
> // Phone: +44 845 869 2749 SIP Phone: uxbod at sip.splatnix.net
>

Hi,

I think there is a line missing in /opt/MailScanner/lib/MailScanner/SweepViruses.pm, see at the bottom.

(Anyway it was correct in MailWatch, I could see reports from both Nod32 and Clamd in the MailWatch web interface:
Report:    Nod32: Found virus Eicar test file in msg-22437-11.txt Clamd: msg-22437-11.txt was infected: Eicar-Test-Signature FOUND)

/var/log/mail.log before changes applied:
Nov 27 13:10:34 mail5 MailScanner[22437]: Virus and Content Scanning: Starting
Nov 27 13:10:36 mail5 MailScanner[22437]: Virus Scanning: Nod32 found 1 infections
Nov 27 13:10:36 mail5 MailScanner[22437]: INFECTED:: Eicar-Test-Signature FOUND :: ./lARCAWK0022737/msg-22437-11.txt
Nov 27 13:10:36 mail5 MailScanner[22437]: Virus Scanning: Clamd found 1 infections
Nov 27 13:10:36 mail5 MailScanner[22437]: Infected message lARCAWK0022737 came from 127.0.0.1
Nov 27 13:10:36 mail5 MailScanner[22437]: Virus Scanning: Found 1 viruses

after:
Nov 27 13:34:45 mail5 MailScanner[24588]: Virus and Content Scanning: Starting
Nov 27 13:34:46 mail5 MailScanner[24588]: Nod32: Found virus Eicar test file in msg-24588-1.txt
Nov 27 13:34:46 mail5 MailScanner[24588]: Virus Scanning: Nod32 found 1 infections
Nov 27 13:34:47 mail5 MailScanner[24588]: INFECTED:: Eicar-Test-Signature FOUND :: ./lARCYebM024610/msg-24588-1.txt
Nov 27 13:34:47 mail5 MailScanner[24588]: Virus Scanning: Clamd found 1 infections
Nov 27 13:34:47 mail5 MailScanner[24588]: Infected message lARCYebM024610 came from 127.0.0.1
Nov 27 13:34:47 mail5 MailScanner[24588]: Virus Scanning: Found 1 viruses



diff for /MailScanner-4.62.3

--- SweepViruses.pm.orig        2007-07-06 15:35:43.000000000 +0200
+++ SweepViruses.pm.071127      2007-11-27 13:27:29.000000000 +0100
@@ -2110,6 +2110,7 @@
     $report = "Found virus $virusname in $part";
     $report = $Name . ': '. $report if $Name;
     $infections->{"$id"}{"$part"} .= $report . "\n";
+    MailScanner::Log::InfoLog("%s", $report);
     $types->{"$id"}{"$part"} .= "v"; # it's a real virus
     return 1;
   }
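Review bot: the added InfoLog line is safe as written, because $report goes in as the "%s" argument rather than as the format string, which matters since $virusname and $part are taken from scanner output and could contain % sequences; the point I would raise is log-format consistency, since this line will read "Nod32: Found virus ... in ..." while Clamd's per-part line in the same log reads "INFECTED:: ... FOUND :: ./...", so anything that parses the log (MailWatch or a log watcher) now needs two patterns for the same event. Consider emitting the same "INFECTED::" shape, or at least documenting the new line.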


Dalimil Gala
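As an added example (not part of this thread or of MailScanner's own code), here is a small Python check that reads MailScanner log lines like the ones quoted above and flags any scanner whose "X found N infections" summary has no per-scanner report line behind it, which is the Nod32 case UxBoD saw. The two report formats it recognises are assumptions taken from this page only: Clamd's "Clamd::INFECTED::" prefix and the "Nod32: Found virus ... in ..." line the patch adds.

```python
import re
from collections import defaultdict

# Constructed sample: the lines UxBoD posted for MailScanner process 23803.
SAMPLE_LOG = """\
Nov 27 06:03:51 bianchi MailScanner[23803]: Virus and Content Scanning: Starting
Nov 27 06:03:51 bianchi clamd[31077]: /var/spool/MailScanner/incoming/23803/10B1D7CF74A.AAFF8.message: Email.Phishing.RB-2033 FOUND
Nov 27 06:03:51 bianchi MailScanner[23803]: Clamd::INFECTED:: Email.Phishing.RB-2033 FOUND :: ./10B1D7CF74A.AAFF8/
Nov 27 06:03:51 bianchi MailScanner[23803]: Clamd::INFECTED:: Email.Phishing.RB-2033 FOUND :: ./10B1D7CF74A.AAFF8/msg-23803-3.html
Nov 27 06:03:51 bianchi MailScanner[23803]: Virus Scanning: Clamd found 2 infections
Nov 27 06:03:53 bianchi MailScanner[23803]: Virus Scanning: Nod32 found 2 infections
Nov 27 06:03:53 bianchi MailScanner[23803]: Virus Scanning: Found 2 viruses
"""

# Only MailScanner's own lines carry the per-scanner summaries; clamd's lines are skipped.
LINE_RE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
SUMMARY_RE = re.compile(r"Virus Scanning: (\w+) found (\d+) infections")
# Per-scanner report formats as seen on this page (assumption: other scanners/versions
# may log differently, e.g. a bare "INFECTED::" line without a scanner prefix).
REPORT_RE = re.compile(r"^(?:(\w+)::INFECTED::|(\w+): Found virus )")


def audit(log_text):
    """Return {pid: {scanner: (claimed_count, report_lines_seen)}}."""
    claimed = defaultdict(dict)
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        s = SUMMARY_RE.search(msg)
        if s:
            claimed[pid][s.group(1)] = int(s.group(2))
            continue
        r = REPORT_RE.match(msg)
        if r:
            seen[pid][r.group(1) or r.group(2)] += 1
    return {pid: {sc: (n, seen[pid].get(sc, 0)) for sc, n in scanners.items()}
            for pid, scanners in claimed.items()}


def uncorroborated(log_text):
    """(pid, scanner) pairs that claim infections but logged no report line of their own."""
    return sorted((pid, sc) for pid, d in audit(log_text).items()
                  for sc, (n, k) in d.items() if n > 0 and k == 0)


if __name__ == "__main__":
    for pid, sc in uncorroborated(SAMPLE_LOG):
        print(f"MailScanner[{pid}]: {sc} summary count has no {sc} report lines")
```

Run against the sample it reports Nod32 for process 23803, since only Clamd produced report lines while both summaries show a count of 2.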
