all virus scanners reporting found virus

Rose, Bobby brose at med.wayne.edu
Mon Nov 10 16:08:50 GMT 2008


Julian, this patched SweepVirus.pm took care of the issue.  It now logs the scanner name in the logs even when the configs are to not include the scanner name in the email reports which is what I was looking for. 

Thanks
-=B

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
Sent: Friday, November 07, 2008 9:59 AM
To: MailScanner discussion
Subject: Re: all virus scanners reporting found virus

Try the attached SweepViruses.pm, it should now always log it, even if it won't include it in reports.

Julian Field wrote:
> Yes, thought it might fix it. It logs the same text that goes in the 
> reports, intentionally. Do you want me to break it so it always logs 
> the scanner name, even if it doesn't report it?
>
> Rose, Bobby wrote:
>> Yep.  Setting Include Scanner Name In Reports = yes is now logging 
>> the scanner name.
>>
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
>> Rose, Bobby
>> Sent: Friday, November 07, 2008 7:16 AM
>> To: MailScanner discussion
>> Subject: RE: all virus scanners reporting found virus
>>
>> It's set to no, but it always has been.  I'll set it to yes to see if 
>> it makes a difference.  I only noticed the logging problem when my 
>> stats script wasn't reporting that info after the upgrade.  And I 
>> thought it odd that mine was broke but Paul Houselander's seemed to 
>> be working.
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
>> Julian Field
>> Sent: Friday, November 07, 2008 4:50 AM
>> To: MailScanner discussion
>> Subject: Re: all virus scanners reporting found virus
>>
>> Can you just confirm you have
>> Include Scanner Name In Reports = yes in your MailScanner.conf?
>>
>> If so, I can't see why you wouldn't get the right output. It's only a 
>> logging problem.
>>
>> Rose, Bobby wrote:
>>  
>>> I've noticed something different related to the AV logging.  I'm 
>>> using clamd and since I updated to 4.72.5, the ::INFECTED:: entry 
>>> is missing Clamd ref.  Before, even though I was using Clamd, it was 
>>> reporting as ClamAVModule.
>>>
>>> For example, with 4.71.10, I'd see
>>>     Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/
>>> After the upgrade to 4.72.5, I see
>>>     Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
>>>
>>> I've replaced my SweepViruses.pm with the one you posted and it didn't 
>>> change anything.  Also, I see the same thing on both of my inbound 
>>> mail routers.  I still see log entries like this so it is using 
>>> clamd and getting the infected status code back from it.
>>>
>>>     Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
>>>
>>> Any ideas?
>>> -=Bobby
>>>
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of 
>>> Julian Field
>>> Sent: Thursday, November 06, 2008 9:20 AM
>>> To: MailScanner discussion
>>> Subject: Re: all virus scanners reporting found virus
>>>
>>> Please try the attached SweepViruses.pm file with the latest release 
>>> of MailScanner.
>>> Hopefully this will fix the problem. It's actually just a reporting 
>>> bug.
>>>
>>> Jules.
>>>
>>> Paul Houselander (SME) wrote:
>>>      
>>>> Hi
>>>>
>>>> I'm using MailScanner version 4.72.5 with clamd, f-prot and 
>>>> kaspersky
>>>>
>>>> I'm using the sanesecurity clam sigs as well.
>>>>
>>>> I've just noticed that when Clamd finds an infection the other 
>>>> virus scanners also say they found an infection even though they 
>>>> didn't
>>>>
>>>> Nov 6 12:02:19 tokyo MailScanner[27046]: New Batch: Scanning 1 messages, 1269 bytes
>>>> Nov 6 12:02:19 tokyo MailScanner[27046]: SpamAssassin cache hit for message mA6C2Gie027792
>>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Spam Checks: Found 1 spam messages
>>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus and Content Scanning: Starting
>>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
>>>> Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
>>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
>>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
>>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Infected message mA6C2Gie027792 came from 79.139.143.136
>>>> Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Found 2 viruses
>>>>
>>>> Is this expected behavior? I've only recently upgraded (and also 
>>>> only just started using clamd, I used to use clamavmodule) so not 
>>>> sure if it's always done it or since the upgrade.
>>>>
>>>> Cheers
>>>>
>>>> Paul
>>>>
>>>>           
>>> Jules
>>>
>>> --
>>> Julian Field MEng CITP CEng
>>> www.MailScanner.info
>>> Buy the MailScanner book at www.MailScanner.info/store
>>>
>>> Need help customising MailScanner?
>>> Contact me!
>>> Need help fixing or optimising your systems?
>>> Contact me!
>>> Need help getting you started solving new requirements from your boss?
>>> Contact me!
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>>
>>> --
>>> This message has been scanned for viruses and dangerous content by 
>>> MailScanner, and is believed to be clean.
>>>
>>>
>>>       
>>
>> Jules
>>
>>   
>
> Jules
>

Jules

More information about the MailScanner mailing list
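
An added example, not part of the original thread and not MailScanner code: a Python parser for the log lines quoted above that accepts the `::INFECTED::` entry with or without a scanner-name prefix, so a stats script does not silently drop detections, and flags scanners whose "found N infections" count has no detection line of their own. Grouping by host and PID and the two finding labels are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines quoted in the thread above, with wrapped lines rejoined.
SAMPLE = """\
Nov  5 13:58:22 eeyore MailScanner[20251]: ClamAVModule::INFECTED:: Sanesecurity.Hdr.8338.UNOFFICIAL FOUND :: ./mA5IveLi001260/
Nov  5 14:13:48 eeyore MailScanner[8199]: Virus Scanning: Clamd found 1 infections
Nov  5 14:13:49 eeyore MailScanner[8199]: ::INFECTED:: Phishing.Heuristics.Email.SpoofedDomain :: ./mA5JDfbU009742/
Nov 6 12:02:19 tokyo MailScanner[27046]: Clamd::INFECTED:: Sanesecurity.Hdr.8232.UNOFFICIAL :: ./mA6C2Gie027792/
Nov 6 12:02:19 tokyo MailScanner[27046]: Virus Scanning: Clamd found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: F-Prot6 found 2 infections
Nov 6 12:02:21 tokyo MailScanner[27046]: Virus Scanning: Kaspersky found 2 infections
""".splitlines()

PREFIX = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) MailScanner\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# The scanner name before ::INFECTED:: is optional: the thread shows it can be absent.
INFECTED = re.compile(r"^(?P<scanner>[\w-]*)::INFECTED::\s*(?P<sig>\S+)(?: FOUND)?\s*::\s*\./(?P<msgid>[^/\s]+)/")
COUNT = re.compile(r"^Virus Scanning: (?P<scanner>\S+) found (?P<n>\d+) infections$")

def summarize(lines):
    """Group lines by (host, pid); return the batches and a list of findings."""
    batches = defaultdict(lambda: {"detections": [], "claimed": {}})
    for line in lines:
        m = PREFIX.match(line)
        if not m:
            continue  # not a MailScanner syslog line
        batch = batches[(m["host"], m["pid"])]
        if d := INFECTED.match(m["msg"]):
            batch["detections"].append((d["scanner"] or None, d["sig"], d["msgid"]))
        elif c := COUNT.match(m["msg"]):
            batch["claimed"][c["scanner"]] = int(c["n"])
    findings = []
    for key, b in sorted(batches.items()):
        named = {s for s, _, _ in b["detections"] if s}
        for scanner, sig, _ in b["detections"]:
            if scanner is None:  # detection kept, but no scanner to credit
                findings.append((key, "unattributed", sig))
        for scanner, n in b["claimed"].items():
            # Heuristic (assumption): only judge counts when names are being logged.
            if n and named and scanner not in named:
                findings.append((key, "count-without-detection", scanner))
    return dict(batches), findings

if __name__ == "__main__":
    for finding in summarize(SAMPLE)[1]:
        print(finding)
```
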