Mailscanner is not detecting eicar (Paul Lamb)
Paul Lamb
pal at mssl.ucl.ac.uk
Tue Jul 8 19:20:37 IST 2008
Steve Freegard wrote:
>Paul Lamb wrote:
>> MailScanner version 4.69.9 is not detecting the eicar test "virus".
>>
>> (This has not worked previously; I downloaded it a couple of weeks ago
>> but have only just configured it.)
>>
>> Eicar is forwarded whether included in the message text
>>
>> mail pal < /etc/mail/EICAR-TEST-FILE
>>
>> or as an attachment
>>
>> echo test | pine -attach /etc/mail/EICAR-TEST-FILE pal
>>
>> I have tested with eicar included in the parameter Non-Forging Viruses
>> and with it not included.
>>
>> Please note that MailScanner does detect and quarantine the virus
>> W32/MyDoom-O and Sophos sweep does detect eicar
>>
>> /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos EICAR-TEST-FILE
>> [snip]
>> >>> Virus 'EICAR-AV-Test' found in file EICAR-TEST-FILE
>>
>> Any suggestions would be appreciated.
>
>I'm not really sure when you say 'MailScanner' doesn't detect it;
>MailScanner is not a virus scanner itself - it runs external virus
>scanners and reports the results.
>
>The EICAR attachment you created will get detected as text/plain by the
>filetype checks (as it isn't an executable). If you name it .com/.exe
>etc. then the filename checks will trigger. MailScanner doesn't
>specifically look for the EICAR string.
>
>So what you are seeing isn't a problem.
>
>Kind regards,
>Steve
Steve,
My first sentence was imprecise but I do have a problem.
The system has the Sophos sweep AV software installed.
Sweep _does_ detect EICAR.
When MailScanner invokes sweep, sweep does _not_ detect EICAR or, if it
does, this is not correctly handled by MailScanner. (However,
MailScanner + sweep _does_ detect at least one real virus.)
Regards,
Paul