Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Alex Broens ms-list at alexb.ch
Fri Sep 5 17:20:49 IST 2008


On 9/4/2008 11:33 AM, Julian Field wrote:
> 
> 
> Alex Broens wrote:
>> Good day All,
>>
>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>
>>
>> MailScanner --lint:
>>
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>> Filename Checks:  (1 eicar.com)
>>
>> Doesn't seem right/elegant to me.
>>
>> It causes Mailwatch 1.x to report:
>>
>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>
>>
>> Can anybody reproduce running "MailScanner --lint"
>>
>> Jules?
> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
> I believe it is the correct output.
> Can anyone contradict me?

Jules

Did a fresh test setup on fresh CentOS 5.2

ClamAV Full Message Scan = no

only writes 1 "line". - confirmed.

Sep  5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar


____
ClamAV Full Message Scan = yes

writes 2 "lines"

Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
___

I don't understand why this is necessary and would like to request 
consistency so that "ClamAV Full Message Scan = yes" logs like
"ClamAV Full Message Scan = no"

thanks

Alex
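
An added example, not part of the original post and not MailScanner or MailWatch code: one way a log consumer could collapse the two report lines shown above, so that each message is counted once per signature. The function name, the "(whole message)" label and the last sample line are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Matches the report lines quoted in the post, with or without the
# "FOUND" token, and splits the path into message id and part name.
INFECTED = re.compile(
    r"ClamAVModule::INFECTED::\s+(?P<sig>\S+)(?:\s+FOUND)?\s+::\s+"
    r"\./(?P<msg>[^/\s]+)/(?P<part>\S*)"
)
WHOLE_MESSAGE = "(whole message)"  # label chosen for this example


def collapse_infections(lines):
    """Return {(message_id, signature): sorted list of infected parts}.

    A whole-message hit (path ends in "<id>/") is dropped when the same
    signature was also reported for a named part of the same message,
    and kept when it is the only evidence for that signature.
    """
    hits = defaultdict(set)
    for line in lines:
        m = INFECTED.search(line)
        if m:
            hits[(m["msg"], m["sig"])].add(m["part"] or WHOLE_MESSAGE)
    report = {}
    for key, parts in hits.items():
        named = parts - {WHOLE_MESSAGE}
        report[key] = sorted(named) if named else [WHOLE_MESSAGE]
    return report


# Constructed sample: the log lines from the post with the mail client's
# line wrapping undone, plus one made-up message (id 9F00AA, signature
# Example.Sig-1) where only the whole-message scan matched.
SAMPLE = [
    "Sep  5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar",
    "Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html",
    "Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/",
    "Sep  5 18:20:00 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: Example.Sig-1 FOUND :: ./9F00AA/",
]

if __name__ == "__main__":
    for (msg, sig), parts in collapse_infections(SAMPLE).items():
        print(f"{msg}: {sig} in {', '.join(parts)}")
```

The whole-message line is kept when it is the only hit, so a detection made only by the full message scan is not lost.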



