Mailscanner is not detecting eicar (Paul Lamb)

Scott Silva ssilva at sgvwater.com
Wed Jul 9 00:43:25 IST 2008


on 7-8-2008 11:20 AM Paul Lamb spake the following:
> Steve Freegard wrote:
> 
>> Paul Lamb wrote:
>>> MailScanner version 4.69.9 is not detecting the eicar test "virus".
>>>
>>> (This has not worked previously; I downloaded it a couple of weeks ago 
>>> but have only just configured it.)
>>>
>>> Eicar is forwarded whether included in the message text
>>>
>>>    mail pal < /etc/mail/EICAR-TEST-FILE
>>>
>>> or as an attachment
>>>    
>>>    echo test | pine -attach /etc/mail/EICAR-TEST-FILE pal
>>>
>>> I have tested with eicar included in the parameter Non-Forging Viruses 
>>> and with it not included.
>>>
>>> Please note that MailScanner does detect and quarantine the virus 
>>> W32/MyDoom-O and Sophos sweep does detect eicar
>>>
>>>    /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos EICAR-TEST-FILE 
>>>    [snip]
>>>    >>> Virus 'EICAR-AV-Test' found in file EICAR-TEST-FILE
>>>  
>>> Any suggestions would be appreciated.
>> I'm not really sure when you say 'MailScanner' doesn't detect it; 
>> MailScanner is not a virus scanner itself - it runs external virus 
>> scanners and reports the results.
>>
>> The EICAR attachment you created will get detected as text/plain by the 
>> filetype checks (as it isn't an executable).  If you name it .com/.exe 
>> etc. then the filename checks will trigger.  MailScanner doesn't 
>> specifically look for the EICAR string.
>>
>> So what you are seeing isn't a problem.
>>
>> Kind regards,
>> Steve
> 
> 
> Steve, 
> 
> My first sentence was imprecise but I do have a problem.
> 
> The system has the Sophos sweep AV software installed.
> 
> Sweep _does_ detect EICAR.
> 
> When MailScanner invokes sweep, sweep does _not_ detect EICAR or, if it
> does, this is not correctly handled by MailScanner. (However, 
> MailScanner + sweep _does_ detect at least one real virus.)
> 
> Regards,
> Paul
I would install clamav as a backup until you get this sorted out. If it is not 
hitting on eicar, it might miss some other virus. While you are working on the 
problem, who knows what might get through.

Just my 2c, which is more than clamav will cost you!




-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
