Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
Alex Broens
ms-list at alexb.ch
Thu Sep 4 14:24:03 IST 2008
On 9/4/2008 3:04 PM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> On 9/4/2008 11:33 AM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>>> Good day All,
>>>>
>>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>>
>>>>
>>>> MailScanner --lint:
>>>>
>>>> Virus and Content Scanning: Starting
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>>> Virus Scanning: Clamd found 2 infections
>>>> Infected message 1 came from 10.1.1.1
>>>> Virus Scanning: Found 2 viruses
>>>> Filename Checks: (1 eicar.com)
>>>>
>>>> Doesn't seem right/elegant to me.
>>>>
>>>> It causes Mailwatch 1.x to report:
>>>>
>>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>>
>>>>
>>>> Can anybody reproduce running "MailScanner --lint"
>>>>
>>>> Jules?
>>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>>> I believe it is the correct output.
>>> Can anyone contradict me?
>>
>> If that would be the case, is the logging slightly borked?
>> imo, only the infected file is relevant.
> But everything that Mailwatch has reported is correct.
Mailwatch is not the problem...
it reports what MS spits at it.

"ClamAV Full Message Scan = yes"
shouldn't affect it as it's still one virus.

imo, MS is doing something unusual:

MS using clamd, NOT clamavmodule

1: logging as ClamAVModule
2: Reporting 2 lines when it would be expected to report 1

Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections

the report above is pretty confusing, isn't it?

Alex
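
The two report lines discussed in this thread, parsed and collapsed per message and signature. This is an added example, not part of the original post and not MailScanner or MailWatch code; it assumes that an empty path after the message directory (`./1/`) marks the whole-message hit produced by "ClamAV Full Message Scan = yes", and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Report lines copied from the --lint output quoted in the thread.
SAMPLE = """\
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
"""

# scanner::INFECTED:: <signature> [FOUND] :: ./<message dir>/<path inside message>
LINE_RE = re.compile(
    r"^\S+::INFECTED::\s*(?P<sig>.+?)(?:\s+FOUND)?\s*::\s*\./(?P<msg>[^/]+)/(?P<path>.*)$"
)


def parse_reports(text):
    """Return (message, signature, path) for every INFECTED report line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m["msg"], m["sig"].strip(), m["path"]))
    return hits


def distinct_infections(hits):
    """Group hits by message and signature.

    Assumption: an empty path is the whole-message scan result. It is
    dropped when a named file in the same message carries the same
    signature, and kept (as "<whole message>") when it is the only hit.
    """
    paths_by_key = defaultdict(set)
    for msg, sig, path in hits:
        paths_by_key[(msg, sig)].add(path)
    result = defaultdict(list)
    for (msg, sig), paths in sorted(paths_by_key.items()):
        files = sorted(p for p in paths if p)
        result[msg].append((sig, files or ["<whole message>"]))
    return dict(result)


def infection_count(hits):
    """Number of distinct (message, signature) pairs."""
    return sum(len(v) for v in distinct_infections(hits).values())


if __name__ == "__main__":
    hits = parse_reports(SAMPLE)
    print(len(hits), "report lines ->", infection_count(hits), "distinct infection(s)")
    print(distinct_infections(hits))
```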