Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Julian Field MailScanner at ecs.soton.ac.uk
Fri Sep 5 20:51:40 IST 2008



Alex Broens wrote:
> On 9/4/2008 11:33 AM, Julian Field wrote:
>>
>>
>> Alex Broens wrote:
>>> Good day All,
>>>
>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>
>>>
>>> MailScanner --lint:
>>>
>>> Virus and Content Scanning: Starting
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>> Virus Scanning: Clamd found 2 infections
>>> Infected message 1 came from 10.1.1.1
>>> Virus Scanning: Found 2 viruses
>>> Filename Checks:  (1 eicar.com)
>>>
>>> Doesn't seem right/elegant to me.
>>>
>>> It causes Mailwatch 1.x to report:
>>>
>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>
>>>
>>> Can anybody reproduce running "MailScanner --lint"
>>>
>>> Jules?
>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>> I believe it is the correct output.
>> Can anyone contradict me?
>
> Jules
>
> Did a fresh test setup on fresh Centos 5.2
>
> ClamAV Full Message Scan = no
>
> only writes 1 "line". - confirmed.
>
> Sep  5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar
>
>
> ____
> ClamAV Full Message Scan = yes
>
> writes 2 "lines"
>
> Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
> Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
> ___
>
> I don't understand why this is necessary and would like to request 
> consistency so that "ClamAV Full Message Scan = yes" logs like
> "ClamAV Full Message Scan = no"
So you want me to *not* log the fact that the Full Message Scan found a 
virus? Seems a bit strange to me...
Do other people agree with me or Alex?

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
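The two ClamAVModule::INFECTED line shapes discussed in this thread, parsed and reconciled, as an added example that is not MailScanner's or MailWatch's own code. It assumes the syslog line format exactly as quoted in the thread (per-attachment hit: "<signature> :: ./<queue-id>/<file>"; full-message-scan hit: "<signature> FOUND :: ./<queue-id>/"); the first three sample lines are the ones quoted above, the fourth line and its queue id 0123456789AB.CDEF0 are constructed. summarize() reproduces the raw per-line count behind "Found 2 viruses", and collapse() gives the one-line-per-infection view Alex asked for while still keeping a full-message-scan hit when it is the only evidence for that signature, which is the case Jules does not want dropped.

```python
"""Parse MailScanner ClamAVModule::INFECTED log lines and reconcile the
per-attachment hit with the full-message-scan hit for the same message.
Added example; not code from MailScanner or MailWatch."""
import re
from collections import defaultdict

# Optional syslog prefix, then one of the two shapes quoted in the thread:
#   ClamAVModule::INFECTED:: <signature> :: ./<queue-id>/<attachment>
#   ClamAVModule::INFECTED:: <signature> FOUND :: ./<queue-id>/
# The second form (trailing "FOUND", path is the message directory, no file)
# is the hit produced by "ClamAV Full Message Scan = yes".
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"MailScanner\[(?P<pid>\d+)\]: )?"
    r"ClamAVModule::INFECTED:: (?P<sig>\S+)(?P<found> FOUND)? :: "
    r"\./(?P<msgid>[^/]+)/(?P<file>[^/]*)$"
)

# Sample input (constructed for this example): the three syslog lines quoted
# in the thread plus one line where only the full-message scan fired.
SAMPLE_LOG = """\
Sep  5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar
Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
Sep  5 18:30:01 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./0123456789AB.CDEF0/
"""


def parse_line(line):
    """Return a hit record for an INFECTED line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "msgid": m.group("msgid"),
        "signature": m.group("sig"),
        "file": m.group("file"),  # "" for the full-message-scan hit
        "full_message": m.group("found") is not None,
        "pid": m.group("pid"),  # None for bare --lint output
    }


def parse_log(text):
    """Parse every line of a log fragment, skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Per queue id: raw line count (what 'Clamd found N infections' reports),
    distinct signatures, attributed files, and whether the whole-message scan hit."""
    out = defaultdict(lambda: {"raw_hits": 0, "signatures": set(),
                               "files": [], "full_message_scan": False})
    for r in records:
        s = out[r["msgid"]]
        s["raw_hits"] += 1
        s["signatures"].add(r["signature"])
        if r["full_message"]:
            s["full_message_scan"] = True
        else:
            s["files"].append(r["file"])
    return dict(out)


def collapse(records):
    """One record per (queue id, signature). A full-message-scan hit is kept
    only when no per-attachment hit carries the same signature for that
    message, i.e. when it is the only evidence of the infection."""
    by_key = {}
    for r in records:
        key = (r["msgid"], r["signature"])
        cur = by_key.get(key)
        # Prefer the per-attachment record because it names the file.
        if cur is None or (cur["full_message"] and not r["full_message"]):
            by_key[key] = r
    return list(by_key.values())


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for msgid, s in summarize(hits).items():
        print(msgid, "raw hits:", s["raw_hits"], "signatures:", sorted(s["signatures"]),
              "files:", s["files"], "full-message scan:", s["full_message_scan"])
    print("collapsed:")
    for r in collapse(hits):
        where = r["file"] or "(whole message)"
        print(" ", r["msgid"], r["signature"], where)
```

On the sample, 815BD10082B5.02C82 shows 2 raw hits but one signature and one file, which is exactly the double count behind "Found 2 viruses"; the constructed 0123456789AB.CDEF0 message survives collapse() with an empty file name, because dropping it would lose the only record of that infection.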

