MailScanner 4.72.2-1 and clamavmodule

Chris Stone axisml at gmail.com
Tue Sep 30 19:50:39 IST 2008


On Tue, Sep 30, 2008 at 5:22 AM, Jan Elmqvist Nielsen <jen at ah.dk> wrote:
> I have used install-Clam-0.94-SA-3.2.5
>
> Clamavmodule doesn't report
> ClamAVModule::INFECTED:: Trojan.Agent-52097:: ./m8UAsTP2019721/
> in maillog
>
> Only
> Virus Scanning: ClamAVModule found 1 infections

I've seen, for a couple of versions now, where even without
ClamAVModule installed and everything configured to use clamd, in my
maillog, I get some:

Sep 30 11:47:47 smtp1 MailScanner[23822]: ClamAVModule::INFECTED::
MSRBL-Images.0-0-wxYz.UNOFFICIAL :: ./m8UHfhwq002699/49266_44444.jpg
Sep 30 11:49:49 smtp1 MailScanner[22866]: ClamAVModule::INFECTED::
Email.Malware.Sanesecurity.08022212.UNOFFICIAL FOUND ::
./m8UHhpO7003361/
Sep 30 11:50:22 smtp1 MailScanner[25396]: ClamAVModule::INFECTED::
Html.Phishing.Bank.SenetAxis.20080924002.UNOFFICIAL FOUND ::
./m8UHciOX001987/
Sep 30 11:50:22 smtp1 MailScanner[25396]: ClamAVModule::INFECTED::
Html.Phishing.Bank.SenetAxis.20080924002.UNOFFICIAL ::
./m8UHciOX001987/msg-25396-274.html

Most of the viruses found reference Clamd. Don't know if this might be
related to your problem. Your --lint does show you have ClamAVModule
installed, so if you want to use just clamd, then try removing
ClamAVModule and setting MailScanner.conf to use clamd. My --lint:

[root@smtp1 root]# MailScanner --lint
Trying to setlogsock(unix)
Config: calling custom init function SQLSpamScores
Read 5 Spam entries
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 321 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLNoScan
Read 3 No Spam Scan entries
Config: calling custom init function SQLHighSpamScores
Read 7 high Spam entries
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 880 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.70.6) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.

Checking for SpamAssassin errors (if you use it)...
SpamAssassin temporary working directory is
/var/spool/MailScanner/incoming/SpamAssassin-Temp
SpamAssassin temp dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamd
===========================================================================
Virus and Content Scanning: Starting
ClamAVModule::INFECTED:: Eicar-Test-Signature FOUND :: ./1/
ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
Filename Checks:  (1 eicar.com)
Other Checks: Found 1 problems
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLSpamScores
Closing down SQL Spam Scores
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLNoScan
Closing down SQL No Scan
Config: calling custom end function SQLHighSpamScores
Closing down SQL High Spam Scores
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
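
As an added example (not part of the original post and not MailScanner's own code): a small Python parser for the maillog format shown above, which pairs each `::INFECTED::` line with the `Virus Scanning: ... found N infections` summary line so the scanner that actually reported can be read off regardless of the `ClamAVModule` tag. Pairing the lines by MailScanner child PID is an assumption, and the summary line in the sample is constructed; the other sample lines are the post's own, unwrapped.

```python
import re
from collections import defaultdict

# Sample input: INFECTED lines from the post (unwrapped); last line is constructed.
SAMPLE = """\
Sep 30 11:49:49 smtp1 MailScanner[22866]: ClamAVModule::INFECTED:: Email.Malware.Sanesecurity.08022212.UNOFFICIAL FOUND :: ./m8UHhpO7003361/
Sep 30 11:50:22 smtp1 MailScanner[25396]: ClamAVModule::INFECTED:: Html.Phishing.Bank.SenetAxis.20080924002.UNOFFICIAL FOUND :: ./m8UHciOX001987/
Sep 30 11:50:22 smtp1 MailScanner[25396]: ClamAVModule::INFECTED:: Html.Phishing.Bank.SenetAxis.20080924002.UNOFFICIAL :: ./m8UHciOX001987/msg-25396-274.html
Sep 30 11:50:23 smtp1 MailScanner[25396]: Virus Scanning: Clamd found 2 infections
"""

# "<tag>::INFECTED:: <signature> [FOUND] :: ./<message id>/[<file>]"
INFECTED = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: (?P<tag>\w+)::INFECTED::\s*"
    r"(?P<sig>\S+?)(?:\s+FOUND)?\s*::\s*\./(?P<msgid>[^/\s]+)/(?P<file>\S*)")
# "Virus Scanning: <scanner> found <n> infections"
SUMMARY = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Virus Scanning: (?P<scanner>\w+) found \d+ infections")

def summarize(log_text):
    """Group INFECTED lines per message and attach the scanner named in the summary."""
    hits = {}
    pending = defaultdict(list)  # pid -> message ids awaiting a summary line
    for line in log_text.splitlines():
        m = INFECTED.search(line)
        if m:
            entry = hits.setdefault(m["msgid"], {
                "tag": m["tag"], "scanner": None,
                "signatures": set(), "files": set(), "lines": 0})
            entry["signatures"].add(m["sig"])
            entry["lines"] += 1          # directory-level and file-level lines both count
            if m["file"]:
                entry["files"].add(m["file"])
            pending[m["pid"]].append(m["msgid"])
            continue
        s = SUMMARY.search(line)
        if s:
            # Assumption: the summary belongs to INFECTED lines from the same child PID.
            for msgid in pending.pop(s["pid"], []):
                hits[msgid]["scanner"] = s["scanner"]
    return hits

if __name__ == "__main__":
    for msgid, info in summarize(SAMPLE).items():
        print(msgid, info["tag"], "->", info["scanner"], sorted(info["signatures"]))
```
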

