Fwd: Store viruses only

Jules Field MailScanner at ecs.soton.ac.uk
Sun Nov 22 12:15:34 GMT 2009


If it's being treated as a "Silent Virus" then it won't be stored in the 
quarantine. Read about "Silent Viruses" and "Non-Forging Viruses" in 
MailScanner.conf.

On 22/11/2009 10:26, Monis Monther wrote:
> > I have the clamavmodule and it's working fine
>
> How do you know this?
>
>
> I knew because I see in the logs that it is catching stuff
>
>
> Try sending an email through the machine with the EICAR attachment
> (http://www.eicar.org/anti_virus_test_file.htm), and check:
>
> I tried the test, thanks for the link
>
> a) the mail system logs, to see whether MailScanner thinks it's detected a
> virus
>
> In the log, it found it and gave this
>
> Virus and Content Scanning: Starting
> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/
> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/eicar.com
> ....
> .....
> Requeue: A32B56E03A2.E8204 to E19D26E009C
> ....
> ....
> Cleaned: Delivered 1 cleaned messages
>
>
> b) the headers of the (presumably) received message, to see whether it tells
> you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)
>
> I only had these headers
> X-MyDomain-MailScanner-ID: AA32E6E03B9.9919A
> X-MyDomain-MailScanner: Found to be infected
> X-MyDomain-MailScanner-SpamScore: ss
> X-MyDomain-MailScanner-From: monis.monther at mediaintl.net
> X-Spam-Status: No
> X-RCPT-TO: <someone>
> Status: U
> X-UIDL: 548082981
>
> So I conclude that it was not detected as spam but as infected, and I
> got the notification attachment delivered saying call help desk... bla
> bla
>
> But the attachment was not saved under quarantine, I want the 
> attachments to be saved.
>
> c) the output of /path/to/MailScanner --lint (to see whether it thinks the
> antivirus engine is correctly installed and available)
>
>
> It showed that I have clamavmodule successfully installed
>
>
>
> Conclusion: I was mistaken when I thought it was related to spam
> score, but now I want the virus attachment to be stored in quarantine,
> not deleted. Thanks
>
>
>
>
>
> On Thu, Nov 19, 2009 at 2:26 PM, Antony Stone
> <Antony.Stone at mailscanner.open.source.it> wrote:
>
>     On Thursday 19 November 2009, Monis Monther wrote:
>
>     > I have the following
>     >
>     > Virus Scanning = yes
>     > Virus Scanners = clamavmodule
>     > Deliver Disinfected Files = no
>     > Silent Viruses = HTML-IFrame All-Viruses
>     > Still Deliver Silent Viruses = no
>     >
>     > I have the clamavmodule and it's working fine
>
>     How do you know this?
>
>     > and when I set HighScore spam = store it started to quarantine virus that
>     > get a high score spam and still delivers viruses that come with low spam
>     > messages
>
>     Are you saying that the quarantined messages (quarantined because they are
>     detected as spam) still contain the virus attachments, or have these been
>     cleaned?
>
>     Try sending an email through the machine with the EICAR attachment
>     (http://www.eicar.org/anti_virus_test_file.htm), and check:
>
>     a) the mail system logs, to see whether MailScanner thinks it's detected a
>     virus
>
>     b) the headers of the (presumably) received message, to see whether it tells
>     you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)
>
>     c) the output of /path/to/MailScanner --lint (to see whether it thinks the
>     antivirus engine is correctly installed and available)
>
>
>     Antony.
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
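
Added example, not part of the original thread and not MailScanner's own code: a small Python model of how the `Silent Viruses` line quoted above interacts with quarantining. The `Quarantine Infections` and `Quarantine Silent Viruses` values are assumed (the post does not show them), and the decision rule is a simplification of what the comments in MailScanner.conf describe.

```python
import re

# Constructed sample config. The first four settings are quoted in the thread;
# the two "Quarantine ..." values are ASSUMED, the post does not show them.
AS_POSTED = """
Virus Scanning = yes
Virus Scanners = clamavmodule
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Quarantine Infections = yes
Quarantine Silent Viruses = no
"""
# Same config, but silent infections are kept in the quarantine too.
ADJUSTED = AS_POSTED.replace("Quarantine Silent Viruses = no",
                             "Quarantine Silent Viruses = yes")

def parse_conf(text):
    """Parse 'Key = value' lines, ignoring blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[re.sub(r"\s+", " ", key.strip()).lower()] = value.strip()
    return conf

def is_yes(conf, key):
    return conf.get(key, "no").lower() == "yes"

def quarantine_outcome(conf, report):
    """Return (silent, quarantined) for one scanner report line.

    Simplified model: All-Viruses makes every report silent; any other term
    is treated as a case-insensitive substring of the report.
    """
    terms = conf.get("silent viruses", "").split()
    silent = any(t == "All-Viruses" or t.lower() in report.lower()
                 for t in terms)
    stored = is_yes(conf, "quarantine infections") and (
        not silent or is_yes(conf, "quarantine silent viruses"))
    return silent, stored

# Report line as it appears in the log excerpt quoted in the thread.
REPORT = ("ClamAVModule::INFECTED:: Eicar-Test-Signature:: "
          "./A32B56E03A2.E8204/eicar.com")

if __name__ == "__main__":
    for name, text in (("as posted", AS_POSTED), ("adjusted", ADJUSTED)):
        print(name, quarantine_outcome(parse_conf(text), REPORT))
```

Under these assumptions the posted configuration classifies the EICAR hit as silent and does not store it; either enabling `Quarantine Silent Viruses` or dropping `All-Viruses` from `Silent Viruses` changes that result.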

