all virus scanners reporting found virus

Rose, Bobby brose at med.wayne.edu
Fri Nov 7 01:45:54 GMT 2008


I've noticed something different related to the AV logging.  I'm using clamd and since I updated to 4.72.5, the ::INFECTED:: entry is missing Clamd ref.  Before, even though I was using Clamd, it was reporting as ClamAVModule.

For example, with 4.71.10, I'd see
	Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ 

After the upgrade to 4.72.5, I see
	Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ 

I've replaced my SweepViruses.pm with the one you posted and it didn't change anything.  Also, I see the same thing on both of my inbound mail routers.  I still see log entries like this so it is using clamd and getting the infected status code back from it.

	Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections

Any ideas?
-=Bobby


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
Sent: Thursday, November 06, 2008 9:20 AM
To: MailScanner discussion
Subject: Re: all virus scanners reporting found virus

Please try the attached SweepViruses.pm file with the latest release of MailScanner.
Hopefully this will fix the problem. It's actually just a reporting bug.

Jules.

Paul Houselander (SME) wrote:
>
> Hi
>
> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky
>
> I'm using the sanesecurity clam sigs as well.
>
> I've just noticed that when Clamd finds an infection the other virus 
> scanners also say they found an infection even though they didn't
>
> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes
>
> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for message mA6C2Gie027792
>
> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam messages
>
> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: Starting
>
> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
>
> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
>
> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
>
> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
>
> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message mA6C2Gie027792 came from 79.139.143.136
>
> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses
>
> Is this expected behavior? I've only recently upgraded (and also only 
> just started using clamd, I used to use clamavmodule) so not sure if 
> it's always done it or since the upgrade.
>
> Cheers
>
> Paul
>

Jules

--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
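
Added example, not part of the original thread and not MailScanner code: a log audit that flags both symptoms reported above, an ::INFECTED:: line with no scanner name and a per-scanner infection count with no matching detail line. The function name audit() and the grouping by host, PID and "New Batch" are assumptions, and only the "Name::INFECTED::" detail format seen in this thread is recognised, so a flagged scanner is a candidate for manual review.

```python
import re
from collections import defaultdict

# Sample input: log lines taken from the two reports in this thread.
SAMPLE = """\
Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes
Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) MailScanner\[(\d+)\]: (.*)$")
DETAIL = re.compile(r"^([\w-]*)::INFECTED::")          # scanner name may be empty
SUMMARY = re.compile(r"^Virus Scanning: (\S+) found (\d+) infections")

def audit(text):
    """Return {(host, pid, batch_no): finding} for batches that look misreported."""
    batches = defaultdict(lambda: {"named": set(), "unnamed": 0, "counts": {}})
    batch_no = defaultdict(int)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, pid, msg = m.groups()
        if msg.startswith("New Batch:"):               # assumption: marks a new batch
            batch_no[(host, pid)] += 1
        batch = batches[(host, pid, batch_no[(host, pid)])]
        if (d := DETAIL.match(msg)):
            if d.group(1):
                batch["named"].add(d.group(1))
            else:
                batch["unnamed"] += 1                  # detail line lost its scanner name
        elif (s := SUMMARY.match(msg)):
            batch["counts"][s.group(1)] = int(s.group(2))
    findings = {}
    for key, b in batches.items():
        # Scanners claiming infections with no detail line under their own name.
        unbacked = sorted(n for n, c in b["counts"].items()
                          if c > 0 and n not in b["named"])
        if b["unnamed"] or unbacked:
            findings[key] = {"unnamed_details": b["unnamed"], "unbacked": unbacked}
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE).items():
        print(key, finding)
```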

