all virus scanners reporting found virus

Julian Field MailScanner at ecs.soton.ac.uk
Fri Nov 7 14:36:39 GMT 2008


Yes, thought it might fix it. It logs the same text that goes in the 
reports, intentionally. Do you want me to break it so it always logs the 
scanner name, even if it doesn't report it?

Rose, Bobby wrote:
> Yep.  Setting Include Scanner Name In Reports = yes is now logging the scanner name.
>
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rose, Bobby
> Sent: Friday, November 07, 2008 7:16 AM
> To: MailScanner discussion
> Subject: RE: all virus scanners reporting found virus
>
> It's set to no, but it always has been.  I'll set it to yes to see if it makes a difference.  I only noticed the logging problem when my stats script wasn't reporting that info after the upgrade.  And I thought it odd that mine was broke but Paul Houselander's seemed to be working.
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: Friday, November 07, 2008 4:50 AM
> To: MailScanner discussion
> Subject: Re: all virus scanners reporting found virus
>
> Can you just confirm you have
> Include Scanner Name In Reports = yes
> in your MailScanner.conf?
>
> If so, I can't see why you wouldn't get the right output. It's only a 
> logging problem.
>
> Rose, Bobby wrote:
>   
>> I've noticed something different related to the AV logging.  I'm using clamd and since I updated to 4.72.5, the ::INFECTED:: entry is missing Clamd ref.  Before, even though I was using Clamd, it was reporting as ClamAVModule.
>>
>> For example, with 4.71.10, I'd see
>> 	Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/ 
>>
>> After the upgrade to 4.72.5, I see
>> 	Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/ 
>>
>> I've replaced my SweepViruses.pm with the one you posted and it didn't change anything.  Also, I see the same thing on both of my inbound mail routers.  I still see log entries like this so it is using clamd and getting the infected status code back from it.
>>
>> 	Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
>>
>> Any ideas?
>> -=Bobby
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>> Sent: Thursday, November 06, 2008 9:20 AM
>> To: MailScanner discussion
>> Subject: Re: all virus scanners reporting found virus
>>
>> Please try the attached SweepViruses.pm file with the latest release of MailScanner.
>> Hopefully this will fix the problem. It's actually just a reporting bug.
>>
>> Jules.
>>
>> Paul Houselander (SME) wrote:
>>   
>>     
>>> Hi
>>>
>>> I'm using MailScanner version 4.72.5 with clamd, f-prot and kaspersky
>>>
>>> I'm using the sanesecurity clam sigs as well.
>>>
>>> I've just noticed that when Clamd finds an infection the other virus 
>>> scanners also say they found an infection even though they didn't
>>>
>>> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes
>>> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for message mA6C2Gie027792
>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam messages
>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: Starting
>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message mA6C2Gie027792 came from 79.139.143.136
>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses
>>>
>>> Is this expected behavior? I've only recently upgraded (and also only 
>>> just started using clamd, I used to use clamavmodule) so not sure if 
>>> it's always done it or since the upgrade.
>>>
>>> Cheers
>>>
>>> Paul
>>>
>>>     
>>>       
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>
>> --
>> This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
>>
>>
>>   
>>     
>
> Jules
>
>   

Jules
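
Added example, not part of the original thread and not MailScanner's own code: a Python parser for a stats script that accepts the `::INFECTED::` line with or without the scanner name (the difference seen with Include Scanner Name In Reports = no) and flags scanners whose "found N infections" total has no named detection behind it, as in Paul's log. The function names and the grouping by MailScanner PID are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines quoted in this thread (mail-wrapped lines rejoined).
SAMPLE = """\
Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/
Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses
""".splitlines()

# Syslog prefix up to the MailScanner child PID, then the message body.
PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ MailScanner\[(?P<pid>\d+)\]: (?P<body>.*)$")
# The scanner name is optional: it is empty in the 4.72.5 sample line.
INFECTED = re.compile(r"^(?P<scanner>[\w-]*)::INFECTED::\s*(?P<sig>.+?)\s*::\s*\./(?P<msgid>[^/\s]+)/")
SUMMARY = re.compile(r"^Virus Scanning: (?P<scanner>[\w-]+) found (?P<count>\d+) infections$")

def analyse(lines):
    """Collect detections and per-scanner totals, grouped by MailScanner PID."""
    hits, claims = defaultdict(list), defaultdict(dict)
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue
        pid, body = m["pid"], m["body"]
        if (i := INFECTED.match(body)):
            sig = i["sig"].removesuffix(" FOUND")  # the 4.71.10 sample carries a trailing FOUND
            hits[pid].append({"scanner": i["scanner"] or None, "sig": sig, "msgid": i["msgid"]})
        elif (s := SUMMARY.match(body)):
            claims[pid][s["scanner"]] = int(s["count"])
    return hits, claims

def unbacked_claims(hits, claims):
    """Scanners reporting infections with no ::INFECTED:: line naming them."""
    out = {}
    for pid, per_scanner in claims.items():
        named = {h["scanner"] for h in hits[pid]}
        if None in named:  # scanner names were not logged, so nothing can be attributed
            continue
        missing = sorted(s for s, n in per_scanner.items() if n and s not in named)
        if missing:
            out[pid] = missing
    return out
```

Grouping by PID is a heuristic: a MailScanner child processes many batches, so a real stats script would also split on the "New Batch" line.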