Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.
Alex Broens
ms-list at alexb.ch
Fri Sep 5 17:20:49 IST 2008
On 9/4/2008 11:33 AM, Julian Field wrote:
>
>
> Alex Broens wrote:
>> Good day All,
>>
>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>
>>
>> MailScanner --lint:
>>
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 2 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 2 viruses
>> Filename Checks: (1 eicar.com)
>>
>> Doesn't seem right/elegant to me.
>>
>> It causes Mailwatch 1.x to report:
>>
>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>
>>
>> Can anybody reproduce running "MailScanner --lint"
>>
>> Jules?
> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
> I believe it is the correct output.
> Can anyone contradict me?
Jules
Did a fresh test setup on fresh Centos 5.2
ClamAV Full Message Scan = no
only writes 1 "line". - confirmed.
Sep 5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED::
Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar
____
ClamAV Full Message Scan = yes
writes 2 "lines"
Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED::
HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
Sep 5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED::
HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
___
I don't understand why this is necessary and would like to request
consistency so that "ClamAV Full Message Scan = yes" logs like
"ClamAV Full Message Scan = no"
thanks
Alex
More information about the MailScanner
mailing list