Mailscanner is not detecting eicar

Anthony Peacock a.peacock at chime.ucl.ac.uk
Thu Jul 10 15:51:24 IST 2008


Paul Lamb wrote:
> Anthony Peacock wrote
> 
>  >Paul Lamb wrote:
>  >> MailScanner version 4.69.9 is not detecting the eicar test "virus".
>  >>
>  >> (This has not worked previously; I downloaded it a couple of weeks ago
>  >> but have only just configured it.)
>  >>
>  >> Eicar is forwarded whether included in the message text
>  >>
>  >>    mail pal < /etc/mail/EICAR-TEST-FILE
>  >>
>  >> or as an attachment
>  >>
>  >>    echo test | pine -attach /etc/mail/EICAR-TEST-FILE pal
>  >>
>  >> I have tested with eicar included in the parameter Non-Forging Viruses
>  >> and with it not included.
>  >>
>  >> Please note that MailScanner does detect and quarantine the virus
>  >> W32/MyDoom-O and Sophos sweep does detect eicar
>  >>
>  >> /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos EICAR-TEST-FILE
>  >>    [snip]
>  >> >>> Virus 'EICAR-AV-Test' found in file EICAR-TEST-FILE
>  >>
>  >> Any suggestions would be appreciated.
>  >
>  >MailScanner and Sophos are working fine here and detecting EICAR.
>  >
>  >"The following e-mails were found to have: Bad Filename Detected :Virus
>  >Detected
>  >
>  >     Sender: a.peacock at chime.ucl.ac.uk
>  >IP Address: 128.40.182.49
>  >  Recipient: a.peacock at chime.ucl.ac.uk
>  >    Subject: Test of eicar
>  >  MessageID: m697INiw012407
>  >Quarantine: /var/spool/MailScanner/quarantine/20080709/m697INiw012407
>  >     Report: Clamd: eicar.com was infected: ./m697INiw012407/eicar.com:
>  >Eicar-Test-Signature FOUND
>  >             SophosSAVI: eicar.com was infected by EICAR-AV-Test
>  >             MailScanner: Executable DOS/Windows programs are dangerous
>  >in email (eicar.com)"
>  >
>  >All I can suggest is to run MailScanner in debug mode and see if there
>  >is anything obvious in the debug output.
> 
> 
> Anthony, Thanks for this. Upon checking, I found that I had enabled 
> debug but had reloaded (rather than restarted the service). In brief, 
> the location of the sophos software (in virus.scanners.conf) was not as 
> on my old mailhub so sweep had never run. I had been fooled by a real 
> virus being rejected but that had been rejected as it is executable.

Glad you have got it working.

-- 
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:    http://www.chime.ucl.ac.uk/~rmhiajp/
Study Health Informatics - Modular Postgraduate Degree
http://www.chime.ucl.ac.uk/study-health-informatics/

