Fwd: Store viruses only

Monis Monther mmmm82 at gmail.com
Mon Nov 23 06:53:21 GMT 2009


Dear Julian, thanks for your reply. I read about what you proposed and did
the following:

1- Under MailScanner.conf
Still deliver silent viruses = yes

and I removed the eicar from the non-forging virus list

2- Restart the MailScanner service

I sent the eicar virus and in the log I got this

Silent: Delivered 1 messages containing silent viruses


Still, I did not get the message; I only got the attachment that says

The original e-mail attachment "the entire message"
was believed to be dangerous and/or infected by a virus and has been
replaced by this warning message.

Due to limitations placed on us by the Regulation of Investigatory Powers
Act 2000, we were unable to keep a copy of the infected attachment. Please
ask the sender of the message to disinfect their original version and send
you a clean copy.



My goal is that if someone sent a message that contained a virus, the virus
should be quarantined/deleted, but the message should reach its recipient
with the subject changed to virus and the warning attachment sent with it.
The last two I am achieving, but the first I am failing at. Thanks.


On Sun, Nov 22, 2009 at 2:15 PM, Jules Field <MailScanner at ecs.soton.ac.uk> wrote:

> If it's being treated as a "Silent Virus" then it won't be stored in the
> quarantine. Read about "Silent Viruses" and "Non-Forging Viruses" in
> MailScanner.conf.
>
>
> On 22/11/2009 10:26, Monis Monther wrote:
>
>> > I have the clamavmodule and its working fine
>>
>> How do you know this?
>>
>>
>> I knew because I see in the logs that it is catching stuff
>>
>>
>> Try sending an email through the machine with the EICAR attachment
>> (http://www.eicar.org/anti_virus_test_file.htm), and check:
>>
>> I tried the test , thanks for the link
>>
>> a) the mail system logs, to see whether MailScanner thinks it's detected a
>> virus
>>
>> In the log, it found it and gave this
>>
>> Virus and Content Scanning: Starting
>> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/
>> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/
>> eicar.com <http://eicar.com>
>>
>> ....
>> .....
>> Requeue: A32B56E03A2.E8204 to E19D26E009C
>> ....
>> ....
>> Cleaned: Delivered 1 cleaned messages
>>
>>
>> b) the headers of the (presumably) received message, to see whether it
>> tells you that anti-virus scanning was performed
>> (X-OrganisationName-Viruscheck)
>>
>> I only had these headers
>> X-MyDomain-MailScanner-ID: AA32E6E03B9.9919A
>> X-MyDomain-MailScanner: Found to be infected
>> X-MyDomain-MailScanner-SpamScore: ss
>> X-MyDomain-MailScanner-From: monis.monther at mediaintl.net <mailto:
>> monis.monther at mediaintl.net>
>>
>> X-Spam-Status: No
>> X-RCPT-TO: <someone>
>> Status: U
>> X-UIDL: 548082981
>>
>> So I conclude that it was not detected as spam but as infected, and I got
>> the notification attachment delivered saying call help desk... bla bla
>>
>> But the attachment was not saved under quarantine, I want the attachments
>> to be saved.
>>
>>    c) the output of /path/to/MailScanner --lint (to see whether it
>>    thinks the
>>    antivirus engine is correctly installed and available)
>>
>>
>> It showed that I have clamavmodule successfully installed
>>
>>
>>
>> Conclusion: I was mistaken when I thought it was related to spam score,
>> but now I want the virus attachment to be stored in quarantine, not deleted.
>> Thanks
>>
>>
>>
>>
>>
>> On Thu, Nov 19, 2009 at 2:26 PM, Antony Stone <
>> Antony.Stone at mailscanner.open.source.it <mailto:
>> Antony.Stone at mailscanner.open.source.it>> wrote:
>>
>>    On Thursday 19 November 2009, Monis Monther wrote:
>>
>>    > I have the following
>>    >
>>    > Virus Scanning = yes
>>    > Virus Scanners = clamavmodule
>>    > Deliver Disinfected Files = no
>>    > Silent Viruses = HTML-IFrame All-Viruses
>>    > Still Deliver Silent Viruses = no
>>    >
>>    > I have the clamavmodule and its working fine
>>
>>    How do you know this?
>>
>>    > and when I set HighScore spam = store it started to quarantine
>>    virus that
>>    > get a high score spam and still delivers viruses that come with
>>    low spam
>>    > messages
>>
>>    Are you saying that the quarantined messages (quarantined because
>>    they are
>>    detected as spam) still contain the virus attachments, or have
>>    these been
>>    cleaned?
>>
>>    Try sending an email through the machine with the EICAR attachment
>>    (http://www.eicar.org/anti_virus_test_file.htm), and check:
>>
>>    a) the mail system logs, to see whether MailScanner thinks it's
>>    detected a
>>    virus
>>
>>    b) the headers of the (presumably) received message, to see
>>    whether it tells
>>    you that anti-virus scanning was performed
>>    (X-OrganisationName-Viruscheck)
>>
>>    c) the output of /path/to/MailScanner --lint (to see whether it
>>    thinks the
>>    antivirus engine is correctly installed and available)
>>
>>
>>    Antony.
>>
>>    --
>>    "Reports that say that something hasn't happened are always
>>    interesting to me,
>>    because as we know, there are known knowns; there are things we
>>    know we know.
>>    We also know there are known unknowns; that is to say we know
>>    there are some
>>    things we do not know. But there are also unknown unknowns - the
>>    ones we
>>    don't know we don't know."
>>
>>     - Donald Rumsfeld, US Secretary of Defence
>>
>>    Please reply to the list;
>>    please don't CC me.
>>    --
>>    MailScanner mailing list
>>    mailscanner at lists.mailscanner.info
>>    <mailto:mailscanner at lists.mailscanner.info>
>>
>>    http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>    Before posting, read http://wiki.mailscanner.info/posting
>>
>>    Support MailScanner development - buy the book off the website!
>>
>>
>>
> Jules
>
> --
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> Need help customising MailScanner?
> Contact me!
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
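
The interaction of the settings discussed in this thread, as an added example that is not part of the original messages or of MailScanner's own code. It models how "Silent Viruses", "Non-Forging Viruses" and "Still Deliver Silent Viruses" combine with the MailScanner.conf options `Quarantine Infections` and `Quarantine Silent Viruses` (the last two are not quoted in the thread). Assumptions: word matching is a simplified case-insensitive substring test, values are plain yes/no rather than ruleset files, and the sample configuration is constructed.

```python
import re

# Constructed sample: the first two values follow the thread; the Non-Forging
# list (eicar removed) and the two Quarantine lines are assumed for illustration.
THREAD_CONF = """\
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = yes
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ Zip-Password
Quarantine Infections = yes
Quarantine Silent Viruses = no
"""
# Scanner report as logged in the thread, with the wrapped line rejoined.
REPORT = "ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/eicar.com"

def parse_conf(text):
    """Parse 'Option Name = value' lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Assumption: option names compare case-insensitively, ignoring spaces.
        conf[re.sub(r"[^a-z0-9]", "", key.lower())] = value.strip()
    return conf

def _yes(conf, key):
    return conf[key].lower() == "yes"

def _listed(conf, key, report):
    # Simplification: case-insensitive substring match of each listed word.
    return any(word.lower() in report.lower() for word in conf[key].split())

def disposition(conf_text, report):
    """Predict how an infected message is handled under the given settings."""
    conf = parse_conf(conf_text)
    silent = ("all-viruses" in conf["silentviruses"].lower().split()
              or _listed(conf, "silentviruses", report))
    if _listed(conf, "nonforgingviruses", report):
        silent = False  # non-forging status overrides silent status
    quarantined = _yes(conf, "quarantineinfections") and (
        not silent or _yes(conf, "quarantinesilentviruses"))
    delivered = not silent or _yes(conf, "stilldeliversilentviruses")
    return {"silent": silent, "quarantined": quarantined, "delivered": delivered}

if __name__ == "__main__":
    print(disposition(THREAD_CONF, REPORT))
```

With the sample above the EICAR message is classed as silent and delivered but not quarantined, which matches the "Silent: Delivered 1 messages containing silent viruses" log line reported in the thread.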