virus detection reporting wrong scanner

Julian Field MailScanner at ecs.soton.ac.uk
Sun Aug 31 14:10:32 IST 2008


Please try this with the latest beta (4.71.9) and let me know if it 
still recurs.

Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
>
> In maillog, I see the following:
>
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
> Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at 1731 bytes per second
>
> In the report I see this:
>
> The following e-mails were found to have: Virus Detected
>
>     Sender: skatemurcia.com at llgc793.servidoresdns.net
> IP Address: 217.76.130.123
>  Recipient: someone at ourdomain.com
>    Subject: Security Message - Important System Notification.
>  MessageID: C5B321FC55.019F5
> Quarantine: 
>     Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248
>
> Any suggestions?  I know last week I had to modify one of the
> MailScanner files to deal with the way that vba32 output changed since
> the last MailScanner release.
>
> Lint output:
>
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5262 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.70.7) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamd avg vba32 scanners installed, and will use them all by default.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd, vba32, avg
> ===========================================================================
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ===========================================================================
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> Avg said "Found virus EICAR_Test in file eicar.com"
> vba32 said "Found virus EICAR-Test-File in eicar.com"
>
> If any of your virus scanners (clamd,vba32,avg)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Cheers,
> Paul

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
