virus detection reporting wrong scanner
Paul Hutchings
paul.hutchings at mira.co.uk
Mon Sep 1 08:37:42 IST 2008
Still appears to be happening.
All I did was download the beta and run the usual ./install.sh -
presumably that would overwrite the manual change I made a week or so
back to handle the changed vba32 output?
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
Field
Sent: 31 August 2008 14:11
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner
Please try this with the latest beta (4.71.9) and let me know if it
still recurs.
Paul Hutchings wrote:
> I'm using clamd, avg and vba32.
>
> In maillog, I see the following:
>
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found
1
> infections
> Aug 31 02:11:56 relay MailScanner[22637]: Infected message
> C5B321FC55.019F5 came from 217.76.130.123
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1
> viruses
> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at
> 1731 bytes per second
>
> In the report I see this:
>
> The following e-mails were found to have: Virus Detected
>
> Sender: skatemurcia.com at llgc793.servidoresdns.net
> IP Address: 217.76.130.123
> Recipient: someone at ourdomain.com
> Subject: Security Message - Important System Notification.
> MessageID: C5B321FC55.019F5
> Quarantine:
> Report: Clamd: msg-22637-48.html was infected:
> HTML.Phishing.Bank-1248
>
> Any suggestions? I know last week I had to modify one of the
> MailScanner files to deal with the way that vba32 output changed since
> the last MailScanner release.
>
> Lint output:
>
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5262 hostnames from the phishing blacklist
> Checking version numbers...
> Version number in MailScanner.conf (4.70.7) is correct.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to (89)
> MailScanner setting UID to (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> I have found clamd avg vba32 scanners installed, and will use them all
> by default.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = auto"
> Found these virus scanners installed: clamd, vba32, avg
>
========================================================================
> ===
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected
> EICAR-Test-File
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
>
========================================================================
> ===
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> Avg said "Found virus EICAR_Test in file eicar.com"
> vba32 said "Found virus EICAR-Test-File in eicar.com"
>
> If any of your virus scanners (clamd,vba32,avg)
> are not listed there, you should check that they are installed
correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Cheers,
> Paul
>
>
>
Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner
Before posting, read http://wiki.mailscanner.info/posting
Support MailScanner development - buy the book off the website!
--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96
The contents of this e-mail are confidential and are solely for the use of the intended recipient.
If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax.
You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.
More information about the MailScanner
mailing list