virus detection reporting wrong scanner

Julian Field MailScanner at ecs.soton.ac.uk
Mon Sep 1 12:20:19 IST 2008


The report is definitely coming from ClamAV (clamav, clamavmodule or 
clamd) as the HTML.Phishing.Bank-.... is in their style.
Are you sure you're not looking at a different report from the message?

What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh -
> presumably that would overwrite the manual change I made a week or so
> back to handle the changed vba32 output?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: 31 August 2008 14:11
> To: MailScanner discussion
> Subject: Re: virus detection reporting wrong scanner
>
> Please try this with the latest beta (4.71.9) and let me know if it 
> still recurs.
>
> Paul Hutchings wrote:
>   
>> I'm using clamd, avg and vba32.
>>
>> In maillog, I see the following:
>>
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections
>> Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at 1731 bytes per second
>>
>> In the report I see this:
>>
>> The following e-mails were found to have: Virus Detected
>>
>>     Sender: skatemurcia.com at llgc793.servidoresdns.net
>> IP Address: 217.76.130.123
>>  Recipient: someone at ourdomain.com
>>    Subject: Security Message - Important System Notification.
>>  MessageID: C5B321FC55.019F5
>> Quarantine: 
>>     Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248
>>
>> Any suggestions?  I know last week I had to modify one of the
>> MailScanner files to deal with the way that vba32 output changed since
>> the last MailScanner release.
>>
>> Lint output:
>>
>> Trying to setlogsock(unix)
>> Read 850 hostnames from the phishing whitelist
>> Read 5262 hostnames from the phishing blacklist
>> Checking version numbers...
>> Version number in MailScanner.conf (4.70.7) is correct.
>>
>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>> MailScanner setting GID to  (89)
>> MailScanner setting UID to  (89)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> I have found clamd avg vba32 scanners installed, and will use them all by default.
>> Using locktype = posix
>> MailScanner.conf says "Virus Scanners = auto"
>> Found these virus scanners installed: clamd, vba32, avg
>>
>> ===========================================================================
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 1 infections
>> Avg: Virus identified EICAR_Test in eicar.com
>> Virus Scanning: Avg found 1 infections
>> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File
>> Virus Scanning: vba32 found 1 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 1 viruses
>>
>> ===========================================================================
>> Virus Scanner test reports:
>> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>> Avg said "Found virus EICAR_Test in file eicar.com"
>> vba32 said "Found virus EICAR-Test-File in eicar.com"
>>
>> If any of your virus scanners (clamd,vba32,avg)
>> are not listed there, you should check that they are installed correctly
>> and that MailScanner is finding them correctly via its virus.scanners.conf.
>>
>> Cheers,
>> Paul
>
> Jules

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info