Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Alex Broens ms-list at alexb.ch
Thu Sep 4 14:24:03 IST 2008


On 9/4/2008 3:04 PM, Julian Field wrote:
> 
> 
> Alex Broens wrote:
>> On 9/4/2008 11:33 AM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>>> Good day All,
>>>>
>>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>>
>>>>
>>>> MailScanner --lint:
>>>>
>>>> Virus and Content Scanning: Starting
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>>> Virus Scanning: Clamd found 2 infections
>>>> Infected message 1 came from 10.1.1.1
>>>> Virus Scanning: Found 2 viruses
>>>> Filename Checks:  (1 eicar.com)
>>>>
>>>> Doesn't seem right/elegant to me.
>>>>
>>>> It causes Mailwatch 1.x to report:
>>>>
>>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>>
>>>>
>>>> Can anybody reproduce running "MailScanner --lint"
>>>>
>>>> Jules?
>>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>>> I believe it is the correct output.
>>> Can anyone contradict me?
>>
>> If that would be the case, is the logging slightly borked?
>> imo, only the infected file is relevant.
> But everything that Mailwatch has reported is correct.

Mailwatch is not the problem...
it reports what MS spits at it.

"ClamAV Full Message Scan = yes"
shouldn't affect it as it's still one virus.

imo, MS is doing something unusual:

MS using clamd, NOT clamavmodule

1: logging as ClamAVModule
2: Reporting 2 lines when it would be expected to report 1


Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections

the report above is pretty confusing, isn't it?

Alex
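
Added example, not part of the original message and not MailScanner or MailWatch code: one way a log consumer could collapse the whole-message hit (`./1/`) into the per-file hit (`./1/eicar.com`) when both carry the same signature. The line layout is inferred from the two INFECTED lines quoted above; the function names and the `./2/` sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two INFECTED lines quoted in the message above, plus a
# made-up second message (./2/) that has only a whole-message hit.
SAMPLE = """\
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./2/
"""

# Assumed layout: "<scanner>::INFECTED:: <signature> :: ./<message>/<file>"
LINE = re.compile(
    r"^\S+?::INFECTED::\s*(?P<sig>.+?)\s*::\s*\./(?P<msg>[^/]+)/(?P<file>.*)$"
)

def parse_hits(text):
    """Return (message, signature, file-or-None) for each INFECTED line."""
    hits = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            # The whole-message line carries a trailing "FOUND"; normalise it away.
            sig = re.sub(r"\s+FOUND$", "", m.group("sig"))
            hits.append((m.group("msg"), sig, m.group("file") or None))
    return hits

def distinct_infections(hits):
    """Drop a whole-message hit when a file in that message has the same signature."""
    file_sigs = defaultdict(set)
    for msg, sig, name in hits:
        if name is not None:
            file_sigs[msg].add(sig)
    kept = []
    for hit in hits:
        msg, sig, name = hit
        if name is None and sig in file_sigs[msg]:
            continue  # same signature already reported against a file
        if hit not in kept:
            kept.append(hit)
    return kept

if __name__ == "__main__":
    raw = parse_hits(SAMPLE)
    print(len(raw), "reported,", len(distinct_infections(raw)), "distinct")
    for hit in distinct_infections(raw):
        print(hit)
```

A whole-message hit with no matching file-level hit (the `./2/` line) is kept, since it is then the only record of that detection.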



