virus detection reporting wrong scanner

Paul Hutchings paul.hutchings at mira.co.uk
Sun Aug 31 11:16:47 IST 2008


I'm using clamd, avg and vba32.

In maillog, I see the following:

Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at 1731 bytes per second

In the report I see this:

The following e-mails were found to have: Virus Detected

    Sender: skatemurcia.com at llgc793.servidoresdns.net
IP Address: 217.76.130.123
 Recipient: someone at ourdomain.com
   Subject: Security Message - Important System Notification.
 MessageID: C5B321FC55.019F5
Quarantine: 
    Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248

Any suggestions?  I know last week I had to modify one of the
MailScanner files to deal with the way that vba32 output changed since
the last MailScanner release.

Lint output:

Trying to setlogsock(unix)
Read 850 hostnames from the phishing whitelist
Read 5262 hostnames from the phishing blacklist
Checking version numbers...
Version number in MailScanner.conf (4.70.7) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to  (89)
MailScanner setting UID to  (89)

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
I have found clamd avg vba32 scanners installed, and will use them all by default.
Using locktype = posix
MailScanner.conf says "Virus Scanners = auto"
Found these virus scanners installed: clamd, vba32, avg
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
Avg: Virus identified EICAR_Test in eicar.com
Virus Scanning: Avg found 1 infections
/var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File
Virus Scanning: vba32 found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
Avg said "Found virus EICAR_Test in file eicar.com"
vba32 said "Found virus EICAR-Test-File in eicar.com"

If any of your virus scanners (clamd,vba32,avg)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.

Cheers,
Paul


-- 
MIRA Ltd

Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.

Registered in England and Wales No. 402570
VAT Registration  GB 114 5409 96
