Mailscanner is not detecting eicar

Paul Lamb pal at mssl.ucl.ac.uk
Thu Jul 10 15:40:42 IST 2008


Anthony Peacock wrote

 >Paul Lamb wrote:
 >> MailScanner version 4.69.9 is not detecting the eicar test "virus".
 >>
 >> (This has not worked previously; I downloaded it a couple of weeks ago
 >> but have only just configured it.)
 >>
 >> Eicar is forwarded whether included in the message text
 >>
 >>    mail pal < /etc/mail/EICAR-TEST-FILE
 >>
 >> or as an attachment
 >>
 >>    echo test | pine -attach /etc/mail/EICAR-TEST-FILE pal
 >>
 >> I have tested with eicar included in the parameter Non-Forging Viruses
 >> and with it not included.
 >>
 >> Please note that MailScanner does detect and quarantine the virus
 >> W32/MyDoom-O and Sophos sweep does detect eicar
 >>
 >> /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos EICAR-TEST-FILE
 >>    [snip]
 >> >>> Virus 'EICAR-AV-Test' found in file EICAR-TEST-FILE
 >>
 >> Any suggestions would be appreciated.
 >
 >Mailscanner and Sophos are working fine here and detecting EICAR.
 >
 >"The following e-mails were found to have: Bad Filename Detected :Virus
 >Detected
 >
 >     Sender: a.peacock at chime.ucl.ac.uk
 >IP Address: 128.40.182.49
 >  Recipient: a.peacock at chime.ucl.ac.uk
 >    Subject: Test of eicar
 >  MessageID: m697INiw012407
 >Quarantine: /var/spool/MailScanner/quarantine/20080709/m697INiw012407
 >     Report: Clamd: eicar.com was infected: ./m697INiw012407/eicar.com:
 >Eicar-Test-Signature FOUND
 >             SophosSAVI: eicar.com was infected by EICAR-AV-Test
 >             MailScanner: Executable DOS/Windows programs are dangerous
 >in email (eicar.com)"
 >
 >All I can suggest is to run MailScanner in debug mode and see if there
 >is anything obvious in the debug output.


Anthony, thanks for this. Upon checking, I found that I had enabled
debug but had reloaded (rather than restarted) the service. In brief,
the location of the Sophos software (in virus.scanners.conf) was not as
on my old mailhub, so sweep had never run. I had been fooled by a real
virus being rejected, but that had been rejected as it is executable.

Paul
