Mailscanner Version 4.71.10-1 / ClamAV 0.94 infection reporting.

Alex Broens ms-list at alexb.ch
Fri Sep 5 21:37:15 IST 2008


On 9/5/2008 9:51 PM, Julian Field wrote:
> 
> 
> Alex Broens wrote:
>> On 9/4/2008 11:33 AM, Julian Field wrote:
>>>
>>>
>>> Alex Broens wrote:
>>>> Good day All,
>>>>
>>>> Mailscanner Version 4.71.10-1 / ClamAV 0.94 using ClamD
>>>>
>>>>
>>>> MailScanner --lint:
>>>>
>>>> Virus and Content Scanning: Starting
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
>>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>>> Virus Scanning: Clamd found 2 infections
>>>> Infected message 1 came from 10.1.1.1
>>>> Virus Scanning: Found 2 viruses
>>>> Filename Checks:  (1 eicar.com)
>>>>
>>>> Doesn't seem right/elegant to me.
>>>>
>>>> It causes Mailwatch 1.x to report:
>>>>
>>>> Clamd: message was infected: Trojan.Fakealert-532 FOUND
>>>> Clamd: Late.Night.rar was infected: Trojan.Fakealert-532
>>>>
>>>>
>>>> Can anybody reproduce running "MailScanner --lint"
>>>>
>>>> Jules?
>>> The "./1/" line is caused by "ClamAV Full Message Scan = yes".
>>> I believe it is the correct output.
>>> Can anyone contradict me?
>>
>> Jules
>>
>> Did a fresh test setup on fresh Centos 5.2
>>
>> ClamAV Full Message Scan = no
>>
>> only writes 1 "line". - confirmed.
>>
>> Sep  5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar
>>
>>
>> ____
>> ClamAV Full Message Scan = yes
>>
>> writes 2 "lines"
>>
>> Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
>> Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
>> ___
>>
>> I don't understand why this is necessary and would like to request 
>> consistency so that "ClamAV Full Message Scan = yes" logs like
>> "ClamAV Full Message Scan = no"
> So you want me to *not* log the fact that the Full Message Scan found a 
> virus? Seems a bit strange to me...

nope.. I only want to see what virus it caught, once
see above; you're redundant, reporting the same guy twice although it's 
one file, and in this case, not even, it was a phishing msg with no 
attachment.

> Do other people agree with me or Alex?
am I the only one looking at logs? :-)

Alex
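For anyone feeding these logs into MailWatch-style reporting, here is an added example (not from the thread or from MailScanner itself) that parses both log shapes quoted above and collapses them into one detection per (message id, signature). It assumes the line format is exactly as shown in the thread, with the "FOUND :: ./<id>/" line marking the full-message scan hit; the sample lines are the ones quoted above, re-joined after the archive wrapped them.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines and --lint lines as quoted in this thread,
# each re-joined onto a single line. Not taken from a live system.
SAMPLE_LOG = """\
Sep  5 18:12:52 ms1 MailScanner[8640]: ClamAVModule::INFECTED:: Trojan.Fakealert-532 :: ./00AD510082F2.3A2DC/Late.Night.rar
Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 :: ./815BD10082B5.02C82/msg-2747-17.html
Sep  5 17:53:09 ms1 MailScanner[2747]: ClamAVModule::INFECTED:: HTML.Phishing.Bank-1272 FOUND :: ./815BD10082B5.02C82/
Sep  5 17:53:09 ms1 MailScanner[2747]: Virus Scanning: Found 2 viruses
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
"""

# Matches both "<sig> :: ./<id>/<file>" (per-attachment hit) and
# "<sig> FOUND :: ./<id>/" (Full Message Scan hit, no file component).
# The syslog prefix is optional so that raw --lint output parses too.
LINE_RE = re.compile(
    r"(?:MailScanner\[(?P<pid>\d+)\]: )?ClamAVModule::INFECTED:: "
    r"(?P<sig>\S+)(?P<found> FOUND)? :: \./(?P<msgid>[^/]+)/(?P<file>.*)$"
)


def parse_infected(line):
    """Return a dict for one ClamAVModule::INFECTED line, or None otherwise."""
    m = LINE_RE.search(line.rstrip("\n"))
    if not m:
        return None
    return {
        "pid": m.group("pid"),            # None for --lint output
        "signature": m.group("sig"),
        "msgid": m.group("msgid"),
        "file": m.group("file") or None,  # None => full-message hit
        "full_message": m.group("file") == "",
    }


def summarise(log_text):
    """Collapse hits to one record per (msgid, signature).

    The full-message line names no file, so it only sets a flag instead of
    creating a second detection for the same message and signature."""
    hits = defaultdict(lambda: {"files": [], "full_message_hit": False})
    for line in log_text.splitlines():
        rec = parse_infected(line)
        if rec is None:
            continue
        key = (rec["msgid"], rec["signature"])
        if rec["full_message"]:
            hits[key]["full_message_hit"] = True
        elif rec["file"] not in hits[key]["files"]:
            hits[key]["files"].append(rec["file"])
    return dict(hits)
```

Running `summarise(SAMPLE_LOG)` yields three detections for the six lines, one per message, which is the single-report behaviour the thread asks for.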