virus detection reporting wrong scanner
MailScanner at ecs.soton.ac.uk
Sun Aug 31 14:10:32 IST 2008
Please try this with the latest beta (4.71.9) and let me know if it
Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
> In maillog, I see the following:
> Aug 31 02:11:56 relay MailScanner: Virus Scanning: vba32 found 1
> Aug 31 02:11:56 relay MailScanner: Infected message
> C5B321FC55.019F5 came from 18.104.22.168
> Aug 31 02:11:56 relay MailScanner: Virus Scanning: Found 1
> Aug 31 02:11:56 relay MailScanner: Virus Scanning completed at
> 1731 bytes per second
> In the report I see this:
> The following e-mails were found to have: Virus Detected
> Sender: skatemurcia.com at llgc793.servidoresdns.net
> IP Address: 22.214.171.124
> Recipient: someone at ourdomain.com
> Subject: Security Message - Important System Notification.
> MessageID: C5B321FC55.019F5
> Report: Clamd: msg-22637-48.html was infected:
> Any suggestions? I know last week I had to modify one of the
> MailScanner files to deal with the way that vba32 output changed since
> the last MailScanner release.
> Lint output:
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5262 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.70.7) is correct.
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> SpamAssassin temp dir =
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamd avg vba32 scanners installed, and will use them all
> by default.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd, vba32, avg
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> Avg said "Found virus EICAR_Test in file eicar.com"
> vba32 said "Found virus EICAR-Test-File in eicar.com"
> If any of your virus scanners (clamd,vba32,avg)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
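A cross-check for the mismatch reported in this thread (maillog names vba32, the report names Clamd), as an added example that is not part of the original messages and not MailScanner's own code. It assumes the syslog line formats quoted above; the log lines, message IDs, addresses and report entries are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the log lines quoted in the thread (not real data).
SAMPLE_LOG = """\
Aug 31 02:11:56 relay MailScanner[2211]: Virus Scanning: vba32 found 1 infections
Aug 31 02:11:56 relay MailScanner[2211]: Infected message 0000000001.AAAAA came from 192.0.2.10
Aug 31 02:11:56 relay MailScanner[2211]: Virus Scanning: Found 1 viruses
Aug 31 02:12:40 relay MailScanner[2211]: Virus Scanning: Clamd found 1 infections
Aug 31 02:12:40 relay MailScanner[2211]: Virus Scanning: Avg found 1 infections
Aug 31 02:12:40 relay MailScanner[2211]: Infected message 0000000002.BBBBB came from 192.0.2.11
Aug 31 02:12:40 relay MailScanner[2211]: Virus Scanning: Found 1 viruses
"""
# Constructed report entries: (MessageID, text of the report's "Report:" field).
SAMPLE_REPORTS = [
    ("0000000001.AAAAA", "Clamd: msg-1-1.html was infected: Constructed.Sample"),
    ("0000000002.BBBBB", "Clamd: sample.exe was infected: Constructed.Sample"),
]

PFX = r"MailScanner(?:\[\d+\])?: "  # syslog tag; the PID part is optional (assumption)
SCANNER_RE = re.compile(PFX + r"Virus Scanning: (\S+) found (\d+) infections")
INFECTED_RE = re.compile(PFX + r"Infected message (\S+) came from")
BATCH_END_RE = re.compile(PFX + r"Virus Scanning: Found \d+ viruses")

def scanners_by_message(log_text):
    """Map each infected message ID to the scanners that logged hits in its batch."""
    result, scanners, msgs = {}, set(), []
    for line in log_text.splitlines():
        if (m := SCANNER_RE.search(line)) and int(m.group(2)) > 0:
            scanners.add(m.group(1).lower())
        elif m := INFECTED_RE.search(line):
            msgs.append(m.group(1))
        elif BATCH_END_RE.search(line):
            # The per-scanner lines are per batch, so attribution is batch-granular.
            result.update({mid: set(scanners) for mid in msgs})
            scanners, msgs = set(), []
    return result

def misattributed(log_text, reports):
    """List (message_id, reported_scanner, logged_scanners) where the report names
    a scanner that logged no detection in that message's batch."""
    logged = scanners_by_message(log_text)
    out = []
    for mid, report in reports:
        named = report.split(":", 1)[0].strip().lower()
        seen = logged.get(mid, set())
        if named not in seen:
            out.append((mid, named, sorted(seen)))
    return out
```

Because the per-scanner counts are logged per batch, this only flags reports naming a scanner that logged no detection at all in the batch, which is the case described in the thread.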