virus detection reporting wrong scanner

Paul Hutchings paul.hutchings at mira.co.uk
Mon Sep 1 14:02:41 IST 2008


The lint seems to check out just fine.  Maybe my understanding is wrong,
but I thought that if multiple engines caught a virus in a message it
listed that multiple engines had detected something in the report that's
sent to postmaster (or wherever) - all I know is I have an entry in
maillog by vba32 saying it detected a virus, at the same time an email
was deleted and a report sent to postmaster saying it was because clam32
had detected a virus - yet there's no report in the postmaster mailbox
that mentions vba32.

-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
Field
Sent: 01 September 2008 12:20
To: MailScanner discussion
Subject: Re: virus detection reporting wrong scanner

The report is definitely coming from ClamAV (clamav, clamavmodule or 
clamd) as the HTML.Phishing.Bank-.... is in their style.
Are you sure you're not looking at a different report from the message?

What does "MailScanner --lint" say about this?

Paul Hutchings wrote:
> Still appears to be happening.
>
> All I did was download the beta and run the usual ./install.sh -
> presumably that would overwrite the manual change I made a week or so
> back to handle the changed vba32 output?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: 31 August 2008 14:11
> To: MailScanner discussion
> Subject: Re: virus detection reporting wrong scanner
>
> Please try this with the latest beta (4.71.9) and let me know if it 
> still recurs.
>
> Paul Hutchings wrote:
>   
>> I'm using clamd, avg and vba32.
>>
>> In maillog, I see the following:
>>
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1
>> infections
>> Aug 31 02:11:56 relay MailScanner[22637]: Infected message
>> C5B321FC55.019F5 came from 217.76.130.123
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1
>> viruses
>> Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning completed at
>> 1731 bytes per second
>>
>> In the report I see this:
>>
>> The following e-mails were found to have: Virus Detected
>>
>>     Sender: skatemurcia.com at llgc793.servidoresdns.net
>> IP Address: 217.76.130.123
>>  Recipient: someone at ourdomain.com
>>    Subject: Security Message - Important System Notification.
>>  MessageID: C5B321FC55.019F5
>> Quarantine: 
>>     Report: Clamd: msg-22637-48.html was infected:
>> HTML.Phishing.Bank-1248 
>>
>> Any suggestions?  I know last week I had to modify one of the
>> MailScanner files to deal with the way that vba32 output changed since
>> the last MailScanner release.
>>
>> Lint output:
>>
>> Trying to setlogsock(unix)
>> Read 850 hostnames from the phishing whitelist
>> Read 5262 hostnames from the phishing blacklist
>> Checking version numbers...
>> Version number in MailScanner.conf (4.70.7) is correct.
>>
>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>> MailScanner setting GID to  (89)
>> MailScanner setting UID to  (89)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temporary working directory is
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> I have found clamd avg vba32 scanners installed, and will use them all
>> by default.
>> Using locktype = posix
>> MailScanner.conf says "Virus Scanners = auto"
>> Found these virus scanners installed: clamd, vba32, avg
>>
>> ===========================================================================
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 1 infections
>> Avg: Virus identified EICAR_Test in eicar.com
>> Virus Scanning: Avg found 1 infections
>> /var/spool/MailScanner/incoming/23308/1/eicar.com : infected
>> EICAR-Test-File
>> Virus Scanning: vba32 found 1 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 1 viruses
>>
>> ===========================================================================
>> Virus Scanner test reports:
>> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>> Avg said "Found virus EICAR_Test in file eicar.com"
>> vba32 said "Found virus EICAR-Test-File in eicar.com"
>>
>> If any of your virus scanners (clamd,vba32,avg)
>> are not listed there, you should check that they are installed correctly
>> and that MailScanner is finding them correctly via its
>> virus.scanners.conf.
>>
>> Cheers,
>> Paul
>>
>
> Jules
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
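The mismatch in this thread (maillog credits vba32 with the detection, the postmaster report credits Clamd) comes down to how each scanner's raw output is parsed and then turned into report text. The following is an added example, not code from this thread and not MailScanner's own Perl code: it shows one per-scanner parser over the three output formats visible in the lint run above, the report lines it would produce, and a consistency check that flags any scanner whose "found N infections" maillog entry has no matching lines in the postmaster report. The regexes, function names and the "Scanner: file was infected: virus" rendering are assumptions written for this example; the sample maillog, lint and report lines are constructed from the ones quoted on this page.

```python
import re
from collections import Counter

# Added example, not MailScanner's code. One pattern per scanner, matching
# the raw output lines shown in the lint run on this page. The patterns are
# assumptions for illustration, not MailScanner's actual parsing rules.
SCANNER_PATTERNS = {
    "Clamd": re.compile(r"^ClamAVModule::INFECTED::\s*(?P<virus>\S+)\s*::\s*(?P<file>\S+)"),
    "Avg":   re.compile(r"^Avg: Virus identified (?P<virus>\S+) in (?P<file>\S+)"),
    "vba32": re.compile(r"^(?P<file>\S+) : infected (?P<virus>\S+)"),
}

def parse_scanner_output(scanner, lines):
    """Return [(basename, virus_name), ...] for every line the scanner's
    pattern recognises. A line in an unrecognised format is silently
    dropped, which is what happens when a scanner changes its output
    format and the parser has not been updated to match."""
    pattern = SCANNER_PATTERNS[scanner]
    hits = []
    for line in lines:
        m = pattern.match(line)
        if m:
            hits.append((m.group("file").rsplit("/", 1)[-1], m.group("virus")))
    return hits

def report_lines(scanner, hits):
    """Render hits in a 'Scanner: file was infected: virus' style (assumed
    format, modelled on the Clamd line in the postmaster report)."""
    return [f"{scanner}: {f} was infected: {v}" for f, v in hits]

# "Virus Scanning: <scanner> found <n> infections" as logged in maillog.
LOG_COUNT_RE = re.compile(r"Virus Scanning: (?P<scanner>\S+) found (?P<n>\d+) infections")
# Leading "<Scanner>: " of a report line, optionally after the "Report:" label.
REPORT_RE = re.compile(r"^\s*(?:Report:\s*)?(?P<scanner>[A-Za-z0-9]+): ")

def logged_counts(maillog):
    counts = Counter()
    for line in maillog:
        m = LOG_COUNT_RE.search(line)
        if m:
            counts[m.group("scanner")] += int(m.group("n"))
    return counts

def reported_counts(report):
    counts = Counter()
    for line in report:
        m = REPORT_RE.match(line)
        if m:
            counts[m.group("scanner")] += 1
    return counts

def attribution_mismatches(maillog, report):
    """Scanners whose maillog infection count differs from the number of
    report lines credited to them: {scanner: (logged, reported)}."""
    logged, reported = logged_counts(maillog), reported_counts(report)
    return {s: (logged[s], reported[s])
            for s in set(logged) | set(reported)
            if logged[s] != reported[s]}

# Constructed from the lint output quoted in the thread.
LINT_OUTPUT = [
    "ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com",
    "Avg: Virus identified EICAR_Test in eicar.com",
    "/var/spool/MailScanner/incoming/23308/1/eicar.com : infected EICAR-Test-File",
]

# Constructed from the maillog and postmaster report quoted in the thread.
MAILLOG = [
    "Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: vba32 found 1 infections",
    "Aug 31 02:11:56 relay MailScanner[22637]: Infected message C5B321FC55.019F5 came from 217.76.130.123",
    "Aug 31 02:11:56 relay MailScanner[22637]: Virus Scanning: Found 1 viruses",
]
POSTMASTER_REPORT = [
    "Report: Clamd: msg-22637-48.html was infected: HTML.Phishing.Bank-1248",
]

if __name__ == "__main__":
    for scanner in SCANNER_PATTERNS:
        for line in report_lines(scanner, parse_scanner_output(scanner, LINT_OUTPUT)):
            print(line)
    # For the thread's message this prints {'vba32': (1, 0), 'Clamd': (0, 1)}:
    # vba32 logged a hit with nothing reported, Clamd reported with nothing logged.
    print(attribution_mismatches(MAILLOG, POSTMASTER_REPORT))
```

Running this over the constructed lines reproduces the symptom: the check returns a mismatch for both vba32 (logged 1, reported 0) and Clamd (logged 0, reported 1). A cron job that runs the same comparison over the day's maillog and the postmaster reports is a cheap way to notice this kind of attribution drift after an upgrade, before a message is quarantined under the wrong scanner's name.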
