Mailscanner is not detecting eicar

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 11 14:48:57 IST 2008



Anthony Peacock wrote:
> Paul Lamb wrote:
>> Anthony Peacock wrote
>>
>>  >Paul Lamb wrote:
>>  >> MailScanner version 4.69.9 is not detecting the eicar test "virus".
>>  >>
>>  >> (This has not worked previously; I downloaded it a couple of weeks ago
>>  >> but have only just configured it.)
>>  >>
>>  >> Eicar is forwarded whether included in the message text
>>  >>
>>  >>    mail pal < /etc/mail/EICAR-TEST-FILE
>>  >>
>>  >> or as an attachment
>>  >>
>>  >>    echo test | pine -attach /etc/mail/EICAR-TEST-FILE pal
>>  >>
>>  >> I have tested with eicar included in the parameter Non-Forging Viruses
>>  >> and with it not included.
>>  >>
>>  >> Please note that MailScanner does detect and quarantine the virus
>>  >> W32/MyDoom-O and Sophos sweep does detect eicar
>>  >>
>>  >> /usr/lib/MailScanner/sophos-wrapper /usr/local/Sophos EICAR-TEST-FILE
>>  >>    [snip]
>>  >> >>> Virus 'EICAR-AV-Test' found in file EICAR-TEST-FILE
>>  >>
>>  >> Any suggestions would be appreciated.
>>  >
>>  >Mailscanner and Sophos are working fine here and detecting EICAR.
>>  >
>>  >"The following e-mails were found to have: Bad Filename Detected :Virus Detected
>>  >
>>  >     Sender: a.peacock at chime.ucl.ac.uk
>>  >IP Address: 128.40.182.49
>>  >  Recipient: a.peacock at chime.ucl.ac.uk
>>  >    Subject: Test of eicar
>>  >  MessageID: m697INiw012407
>>  >Quarantine: /var/spool/MailScanner/quarantine/20080709/m697INiw012407
>>  >     Report: Clamd: eicar.com was infected: ./m697INiw012407/eicar.com: Eicar-Test-Signature FOUND
>>  >             SophosSAVI: eicar.com was infected by EICAR-AV-Test
>>  >             MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)"
>>  >
>>  >All I can suggest is to run MailScanner in debug mode and see if there
>>  >is anything obvious in the debug output.
>>
>>
>> Anthony, Thanks for this. Upon checking, I found that I had enabled 
>> debug but had reloaded (rather than restarted) the service. In brief, 
>> the location of the sophos software (in virus.scanners.conf) was not 
>> as on my old mailhub so sweep had never run. I had been fooled by a 
>> real virus being rejected but that had been rejected as it is 
>> executable.
>
> Glad you have got it working.
>
As a note for future reference, remember the "MailScanner --lint" 
command as this would probably have shown this problem up rather faster.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
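
The root cause in this thread was a scanner path in virus.scanners.conf that did not match the new host, so the scanner never ran. The following check is an added example, not part of the thread and not MailScanner code; it assumes each entry has the three-column layout `<scanner-name> <wrapper> <install-dir>`, and the helper names and sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not MailScanner code. Assumes each entry in
# virus.scanners.conf is: <scanner-name> <wrapper> <install-dir>

# check_scanners CONF NAME...  -> status 0 only if every named scanner can run
check_scanners() {
    conf=$1; shift
    problems=0
    for want in "$@"; do
        found=no
        while read -r name wrapper instdir rest; do
            [ "$name" = "$want" ] || continue   # skips comments and other scanners
            found=yes
            if [ ! -x "$wrapper" ]; then
                echo "$want: wrapper not executable: $wrapper"
                problems=$((problems + 1))
            elif [ ! -d "$instdir" ]; then
                echo "$want: install directory missing: $instdir"
                problems=$((problems + 1))
            fi
        done < "$conf"
        if [ "$found" = no ]; then
            echo "$want: no entry in $conf"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample: clamav is installed, sophos still points at an old path.
make_sample() {
    d=$1
    mkdir -p "$d/wrappers" "$d/clamav"
    for w in clamav-wrapper sophos-wrapper; do
        printf '#!/bin/sh\nexit 0\n' > "$d/wrappers/$w"
        chmod +x "$d/wrappers/$w"
    done
    cat > "$d/virus.scanners.conf" <<EOF
# name   wrapper                      install dir
clamav   $d/wrappers/clamav-wrapper   $d/clamav
sophos   $d/wrappers/sophos-wrapper   $d/old-mailhub/Sophos
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_scanners "$tmp/virus.scanners.conf" clamav sophos ||
    echo "at least one configured scanner cannot run"
rm -rf "$tmp"
```

On a real host, pass the real virus.scanners.conf and the scanner names set in MailScanner.conf; a non-zero status means a scanner that mail is assumed to pass through is not actually being invoked.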

