Infected messages requeued - clamav, postfix, v4.70.7

Julian Field MailScanner at ecs.soton.ac.uk
Fri Jul 11 20:53:52 IST 2008



David Greenstein wrote:
> I've seen a bunch of similar posts but no resolution to my problem. Simply,
> clamav detects a virus/worm and MailScanner simply requeues the message. I have
> all MailScanner.conf "Quarantine*" variables set to yes and "Deliver*" set to
> no. It appears to me that there is a coding error, but I'm no perl expert.
> Here is the log:
>
> Jul 11 14:19:52 utm MailScanner[17527]: New Batch: Scanning 1 messages, 2178 bytes
> Jul 11 14:19:54 utm MailScanner[17527]: Virus and Content Scanning: Starting
> Jul 11 14:20:01 utm MailScanner[17527]: /var/spool/MailScanner/incoming/17527/./5DF2686B12.AEF01.message: Eicar-Test-Signature FOUND
> Jul 11 14:20:01 utm MailScanner[17527]: Virus Scanning: ClamAV found 1 infections
> Jul 11 14:20:01 utm MailScanner[17527]: Infected message 5DF2686B12.AEF01.message came from
> Jul 11 14:20:01 utm MailScanner[17527]: Virus Scanning: Found 1 viruses
> Jul 11 14:20:01 utm MailScanner[17527]: MESSAGE virusinfected: 0, 5DF2686B12.AEF01
>
That "0" looks wrong.
Exactly what versions of MailScanner and the ClamAV virus scanner are 
you using?
What does "MailScanner --lint" produce?
You are presumably using Postfix. What are you printing with your extra 
"MESSAGE virusinfected: 0" line?

No-one else is hitting this problem, as far as I am aware. MailScanner 
certainly doesn't have any glaringly obvious bugs like this in it, it 
works fine for many tens of thousands of sites. So something more subtle 
is going on.

> Jul 11 14:20:02 utm MailScanner[17527]: Requeue: 5DF2686B12.AEF01 to 63BCA86B16
> Jul 11 14:20:02 utm MailScanner[17527]: Uninfected: Delivered 1 messages
>
> I've tried this with a real virus rather than eicar as well with the same
> result. I added the log message "MESSAGE virusinfected: 0". From what I can
> MessageBatch.pm only quarantines messages that have the virusinfected flag set
> to 1. This is set only in SweepViruses.pm. SweepViruses.pm modifies a local copy
> of the Message object though
Perl doesn't do local copies of the Message object.
>  and by the time control returns to MessageBatch.pm the original Message object
> is used which has the virusinfected flag set to 0.
>
That's not how Perl works.
> Like I said, I'm no perl expert and perhaps I'm missing something. Has anyone
> else experienced this problem? I hope I am missing something!
>
> Thanks in advance,
> Dave
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
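
The sequence in the quoted log (a scanner hit on a message id, then a Requeue of the same id) can be searched for mechanically. This is an added example, not part of the original thread or of MailScanner; the regexes assume the syslog layout shown in the quoted log, and the sample lines are that log rejoined onto single lines.

```python
import re

# Log lines from the quoted post, rejoined onto one line each.
# The address after "came from" is absent on the page and is left empty here.
SAMPLE_LOG = """\
Jul 11 14:19:52 utm MailScanner[17527]: New Batch: Scanning 1 messages, 2178 bytes
Jul 11 14:20:01 utm MailScanner[17527]: /var/spool/MailScanner/incoming/17527/./5DF2686B12.AEF01.message: Eicar-Test-Signature FOUND
Jul 11 14:20:01 utm MailScanner[17527]: Virus Scanning: ClamAV found 1 infections
Jul 11 14:20:01 utm MailScanner[17527]: Infected message 5DF2686B12.AEF01.message came from
Jul 11 14:20:02 utm MailScanner[17527]: Requeue: 5DF2686B12.AEF01 to 63BCA86B16
Jul 11 14:20:02 utm MailScanner[17527]: Uninfected: Delivered 1 messages
"""

# Syslog prefix: timestamp, host, MailScanner[pid], then the message text.
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ MailScanner\[\d+\]: (?P<msg>.*)$")
# ClamAV hit: ".../<id>.message: <signature> FOUND"
FOUND = re.compile(r"(?P<id>[^/\s]+)\.message:\s+(?P<sig>.+?) FOUND$")
# MailScanner's own "Infected message <id>.message came from ..." line
INFECTED = re.compile(r"^Infected message (?P<id>\S+?)\.message came from")
# "Requeue: <id> to <new queue id>"
REQUEUE = re.compile(r"^Requeue: (?P<id>\S+) to (?P<new>\S+)$")


def requeued_infections(log_text):
    """Return one record per message that was flagged by a scanner and later requeued."""
    flagged = {}  # message id -> set of signature names seen for it (may be empty)
    hits = []
    for raw in log_text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not a MailScanner syslog line
        msg = line["msg"]
        if m := FOUND.search(msg):
            flagged.setdefault(m["id"], set()).add(m["sig"])
        elif m := INFECTED.match(msg):
            flagged.setdefault(m["id"], set())
        elif (m := REQUEUE.match(msg)) and m["id"] in flagged:
            hits.append({"id": m["id"], "requeued_as": m["new"],
                         "signatures": sorted(flagged[m["id"]]), "time": line["ts"]})
    return hits


if __name__ == "__main__":
    for hit in requeued_infections(SAMPLE_LOG):
        print("ALERT infected message requeued:", hit)
```

Whether a requeue after a scanner hit is expected depends on the site's "Deliver*" settings, so treat matches as items to review against MailScanner.conf.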