Warning: MS log record format changes in 4.65.1 BETA

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Wed Oct 31 13:45:31 GMT 2007


Julian

It appears that 4.65.1-1 changes the format of log records for ClamAV
Module. I suspect this will catch out log processing scripts.

In 4.62.9-2 and earlier I saw records similar to (each record is one syslog line; they are shown here on one line each):

Oct 27 16:58:31 cheviot4 MailScanner[12044]: INFECTED:: MSRBL-Images/3-0-whep:: ./l9RFw72q032134/pills.gif

Oct 27 17:10:20 cheviot4 MailScanner[3195]: INFECTED:: Email.Phishing.RB-1802:: ./l9RG9t87003928/

Oct 27 17:10:41 cheviot4 MailScanner[3215]: INFECTED:: Html.Phishing.Bank.Sanesecurity.06030707:: ./l9RGAQeq004535/

or going back a few months

Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
 
With 4.65.1-1 BETA, I now see the last few fields moved right one place
because the phrase "ClamAVModule::INFECTED::" is now split as in

Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/

Oct 31 11:07:55 cheviot4 MailScanner[30204]: ClamAV Module::INFECTED:: Worm.Bagle.GV:: ./l9VB7b0K018893/latest_price31-Oct-2007.zip

Quentin


>-----Original Message-----
>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>bounces at lists.mailscanner.info] On Behalf Of Quentin Campbell
>Sent: 31 October 2007 11:29
>To: MailScanner discussion
>Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>
>Gareth
>
>I have upgraded to MS BETA 4.65.1-1 one of the 2 hosts that were
>generating the "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::
>...." records.
>
>In place of the
>
>Oct 31 10:12:37 cheviot2 MailScanner[31346]: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VACFW4011070/
>
>records I now get (although fewer of them so far)
>
>Oct 31 11:01:16 cheviot2 MailScanner[18379]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VB0vFK005532/
>
>records. I assume this means that I am getting far fewer false positives
>now?
>
>Quentin
>
>>-----Original Message-----
>>From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>bounces at lists.mailscanner.info] On Behalf Of Gareth
>>Sent: 31 October 2007 10:27
>>To: MailScanner discussion
>>Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>>
>>The fault is equivalent to scanning mail with the
>>--no-phishing-restrictedscan clamscan option. The update to mailscanner
>>disabled this option as the author of the clamavmodule made an error and
>>had this option enabled as the default option.
>>
>>I am not 100% sure whether the mailscanner fix came out in 4.62 or 4.63
>>but I believe it was the latter.
>>
>>On Wed, 2007-10-31 at 10:11, Quentin Campbell wrote:
>>> Gareth
>>>
>>> If that is the problem it does not account for why I only see it on 2
>>> out of 8 otherwise identical MX hosts, all running with the same version
>>> of MS, ClamAV-Module, ndb files in /usr/local/share/clamav, etc.
>>>
>>> I will install the latest BETA version of MS on one of the 2 machines
>>> and see what happens.
>>>
>>> Thanks
>>>
>>> Quentin
>>>
>>> >-----Original Message-----
>>> >From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
>>> >bounces at lists.mailscanner.info] On Behalf Of Gareth
>>> >Sent: 31 October 2007 09:23
>>> >To: MailScanner discussion
>>> >Subject: RE: INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ....
>>> >
>>> >It's caused by a new feature in clamav with an incorrect default setting.
>>> >You need to either update MailScanner to include the new scanning option
>>> >or switch to clamd.
>>> >
>>> >On Wed, 2007-10-31 at 08:22, Quentin Campbell wrote:
>>> >> I am running eight mail gateways with MailScanner-4.62.9-2 using
>>> >> 'clamavmodule' (Mail-ClamAV-0.20 & ClamAV 0.91.2).
>>> >>
>>> >> However I am only seeing "INFECTED:: Phishing.Heuristics.Email.SpoofedDomain::"
>>> >> on two of them and many of these look like false positives.
>>> >>
>>> >> I cannot see why only two systems are doing this as all eight gateways are
>>> >> equal preference MX hosts for our domains and share the same type of
>>> >> mail traffic.
>>> >>
>>> >> Any pointers to where else I might look would be appreciated.
>>> >>
>>> >> Thanks
>>> >>
>>> >> Quentin
>>> >> ---
>>> >> PHONE: +44 191 222 8209    Information Systems and Services (ISS),
>>> >>                            Newcastle University,
>>> >>                            Newcastle upon Tyne,
>>> >> FAX:   +44 191 222 8765    United Kingdom, NE1 7RU.
>>> >>
>>> >------------------------------------------------------------------------
>>> >
>>> >--
>>> >MailScanner mailing list
>>> >mailscanner at lists.mailscanner.info
>>> >http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>> >
>>> >Before posting, read http://wiki.mailscanner.info/posting
>>> >
>>> >Support MailScanner development - buy the book off the website!
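The thread's point is that a log-processing script which picks the signature and path out of an INFECTED record by field position breaks as soon as the "ClamAV Module::" prefix appears, because every later field moves right by one. The following is an added example, not code from the thread or from the MailScanner project: a parser that anchors on the INFECTED token itself so that records with no module prefix, with "ClamAVModule::", and with "ClamAV Module::" all yield the same fields. The sample records are the ones quoted in the thread, re-joined onto single lines (the mail client had wrapped them), plus one constructed non-INFECTED line to show that unrelated records are ignored. The naive positional parser is included only to show what goes wrong; it is a hypothetical stand-in for the kind of script the post warns about.

```python
"""Parse MailScanner 'INFECTED::' syslog records across the 4.62 -> 4.65 format change."""
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample log: the records quoted in the thread, each re-joined onto one
# line, plus a final non-INFECTED line invented here to exercise the negative path.
SAMPLE_LOG = """\
Oct 27 16:58:31 cheviot4 MailScanner[12044]: INFECTED:: MSRBL-Images/3-0-whep:: ./l9RFw72q032134/pills.gif
Oct 27 17:10:20 cheviot4 MailScanner[3195]: INFECTED:: Email.Phishing.RB-1802:: ./l9RG9t87003928/
Jun 11 12:12:59 cheviot4 MailScanner[28551]: ClamAVModule::INFECTED:: Worm.Mydoom.M:: ./l5BBChGt030131/ATTACHMENT.SCR
Oct 31 11:37:06 cheviot2 MailScanner[9758]: ClamAV Module::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain:: ./l9VBaefJ002190/
Oct 31 11:07:55 cheviot4 MailScanner[30204]: ClamAV Module::INFECTED:: Worm.Bagle.GV:: ./l9VB7b0K018893/latest_price31-Oct-2007.zip
Oct 31 11:07:56 cheviot4 MailScanner[30204]: Virus Scanning completed at 2048 bytes per second
"""

# Standard syslog prefix: "Mon DD HH:MM:SS host MailScanner[pid]: body"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<body>.*)$"
)


class Infected(NamedTuple):
    timestamp: str
    host: str
    pid: int
    module: Optional[str]   # None for older records that carry no module prefix
    signature: str
    message_id: str         # the queue-id directory, e.g. l9VB7b0K018893
    attachment: str         # '' when the path ends in '/' (whole message flagged)


def naive_signature(line: str) -> Optional[str]:
    """Hypothetical pre-4.65 script logic: take field 2 of the '::'-split body.
    Once a module prefix is present this returns 'INFECTED' instead of the signature."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.group("body").split("::")
    return fields[1].strip() if len(fields) > 1 else None


def parse_infected(line: str) -> Optional[Infected]:
    """Robust parse: locate the INFECTED token by name, not by position."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = [f.strip() for f in m.group("body").split("::")]
    try:
        i = fields.index("INFECTED")
    except ValueError:
        return None                      # not an INFECTED record at all
    if len(fields) < i + 3:
        return None                      # signature or path missing
    prefix = "::".join(fields[:i])
    # Fold "ClamAV Module" (4.65.1 BETA) and "ClamAVModule" (older) into one spelling.
    module = prefix.replace(" ", "") if prefix else None
    # './l9VB7b0K018893/file.zip' -> ['.', 'l9VB7b0K018893', 'file.zip']
    parts = fields[i + 2].split("/", 2)
    if len(parts) < 2 or parts[0] != ".":
        return None
    attachment = parts[2] if len(parts) == 3 else ""
    return Infected(m.group("ts"), m.group("host"), int(m.group("pid")),
                    module, fields[i + 1], parts[1], attachment)


def count_signatures(log_text: str) -> Counter:
    """Tally detections per signature: the report a log script typically produces."""
    tally: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_infected(line)
        if rec:
            tally[rec.signature] += 1
    return tally


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(f"naive={naive_signature(line)!r:>42}  robust={parse_infected(line)}")
    print(count_signatures(SAMPLE_LOG))
```

Running it shows the naive parser returning "INFECTED" as the "signature" for every 4.65.1 record while the token-anchored parser returns the same five fields for all three spellings of the prefix. Splitting on "::" and then trimming whitespace also absorbs the single space MailScanner puts after each "::" and the trailing space that appeared on one of the quoted records.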

