all virus scanners reporting found virus

Rose, Bobby brose at med.wayne.edu
Fri Nov 7 13:03:35 GMT 2008


Yep.  Setting Include Scanner Name In Reports = yes is now logging the scanner name.


-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose, Bobby
Sent: Friday, November 07, 2008 7:16 AM
To: MailScanner discussion
Subject: RE: all virus scanners reporting found virus

It's set to no, but it always has been.  I'll set it to yes to see if it makes a difference.  I only noticed the logging problem when my stats script wasn't reporting that info after the upgrade.  And I thought it odd that mine was broken but Paul Houselander's seemed to be working.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, November 07, 2008 4:50 AM
To: MailScanner discussion
Subject: Re: all virus scanners reporting found virus

Can you just confirm you have
Include Scanner Name In Reports = yes
in your MailScanner.conf?

If so, I can't see why you wouldn't get the right output. It's only a 
logging problem.

Rose, Bobby wrote:
> I've noticed something different related to the AV logging.  I'm using clamd and since I updated to 4.72.5, the ::INFECTED:: entry is missing Clamd ref.  Before, even though I was using Clamd, it was reporting as ClamAVModule.
>
> For example, with 4.71.10, I'd see
> 	Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ 
>
> After the upgrade to 4.72.5, I see
> 	Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ 
>
> I've replaced my SweepViruses.pm with the one you posted and it didn't change anything.  Also, I see the same thing on both of my inbound mail routers.  I still see log entries like this so it is using clamd and getting the infected status code back from it.
>
> 	Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
>
> Any ideas?
> -=Bobby
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Thursday, November 06, 2008 9:20 AM
> To: MailScanner discussion
> Subject: Re: all virus scanners reporting found virus
>
> Please try the attached SweepViruses.pm file with the latest release of MailScanner.
> Hopefully this will fix the problem. It's actually just a reporting bug.
>
> Jules.
>
> Paul Houselander (SME) wrote:
>   
>> Hi
>>
>> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky
>>
>> I'm using the sanesecurity clam sigs as well.
>>
>> I've just noticed that when Clamd finds an infection the other virus 
>> scanners also say they found an infection even though they didn't
>>
>> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 
>> messages, 1269 bytes
>>
>> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for 
>> message mA6C2Gie027792
>>
>> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam 
>> messages
>>
>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning:
>> Starting
>>
>> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED::
>> Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
>>
>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 
>> infections
>>
>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found
>> 2 infections
>>
>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky 
>> found 2 infections
>>
>> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message
>> mA6C2Gie027792 came from 79.139.143.136
>>
>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 
>> viruses
>>
>> Is this expected behavior? I've only recently upgraded (and also only 
>> just started using clamd, I used to use clamavmodule) so not sure if 
>> it's always done it or since the upgrade.
>>
>> Cheers
>>
>> Paul
>>
>>     
>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
> --
> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>
>
>   

Jules


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
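
The two symptoms in this thread (an ::INFECTED:: line with no scanner name, and every scanner's summary line reporting infections) can both be handled in a stats script by counting detections from the ::INFECTED:: lines only. The following is an added example, not code from the thread or from MailScanner; the function names, the "(no scanner name)" label and the grouping by PID are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample: lines from the thread, with mail-client wrapping undone.
SAMPLE_LOG = """\
Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/
Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
"""

UNATTRIBUTED = "(no scanner name)"  # label chosen for this example
PREFIX = r"MailScanner\[(?P<pid>\d+)\]:\s+"
# The scanner name is optional: the thread's 4.72.5 log omits it until
# "Include Scanner Name In Reports = yes" is set.
INFECTED_RE = re.compile(PREFIX + r"(?P<scanner>[\w-]*)::INFECTED::\s*(?P<sig>\S+)"
                         r"(?:\s+FOUND)?\s+::\s+\./(?P<msgid>[^/\s]+)/")
SUMMARY_RE = re.compile(PREFIX + r"Virus Scanning: (?P<scanner>\S+) found (?P<count>\d+) infections")

def parse(log_text):
    """Return (hits, claims): ::INFECTED:: records and per-scanner summary lines."""
    hits, claims = [], []
    for line in log_text.splitlines():
        if m := INFECTED_RE.search(line):
            hits.append({"pid": m["pid"], "scanner": m["scanner"] or UNATTRIBUTED,
                         "signature": m["sig"], "msgid": m["msgid"]})
        elif m := SUMMARY_RE.search(line):
            claims.append((m["pid"], m["scanner"], int(m["count"])))
    return hits, claims

def count_by_scanner(hits):
    """Count detections from ::INFECTED:: lines only, never from summary lines."""
    return Counter(h["scanner"] for h in hits)

def unsupported_claims(hits, claims):
    """Summary lines naming a scanner with no ::INFECTED:: line of its own.
    Grouping by PID is a simplification that suits short excerpts like this one."""
    seen = {(h["pid"], h["scanner"]) for h in hits}
    # A process with unnamed detections cannot be checked either way, so skip it.
    blind = {h["pid"] for h in hits if h["scanner"] == UNATTRIBUTED}
    return [c for c in claims if (c[0], c[1]) not in seen and c[0] not in blind]

if __name__ == "__main__":
    hits, claims = parse(SAMPLE_LOG)
    print(count_by_scanner(hits))
    print(unsupported_claims(hits, claims))
```

A non-zero count under "(no scanner name)" is the cue to check the Include Scanner Name In Reports setting discussed above.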
