Fwd: Store viruses only

Monis Monther mmmm82 at gmail.com
Mon Nov 23 11:58:31 GMT 2009


OK everyone I also changed the option


Quarantine Silent Virus = yes


I will test and post results here in the list




On Mon, Nov 23, 2009 at 8:53 AM, Monis Monther <mmmm82 at gmail.com> wrote:

> Dear Julian, Thanks for your reply. I read about what you proposed and
> did the following
>
> 1- Under MailScanner.conf
> Still deliver silent viruses = yes
>
> and I removed the eicar from the non-forging virus list
>
> 2- Restart the MailScanner service
>
> I sent the eicar virus and in the log I got this
>
> Silent: Delivered 1 messages containing silent viruses
>
>
> Still I did not get the message; I only got the attachment that says
>
> The original e-mail attachment "the entire message"
> was believed to be dangerous and/or infected by a virus and has been
> replaced by this warning message.
>
> Due to limitations placed on us by the Regulation of Investigatory Powers
> Act 2000, we were unable to keep a copy of the infected attachment. Please
> ask the sender of the message to disinfect their original version and send
> you a clean copy.
>
>
>
> My goal is that if someone sent a message that contained a virus, the virus
> should be quarantined/deleted, but the message should reach its recipient
> with the subject changed to virus and the warning attachment sent with it.
> The last two I am achieving, but the first I am failing at. Thanks.
>
>
> On Sun, Nov 22, 2009 at 2:15 PM, Jules Field <MailScanner at ecs.soton.ac.uk> wrote:
>
>> If it's being treated as a "Silent Virus" then it won't be stored in the
>> quarantine. Read about "Silent Viruses" and "Non-Forging Viruses" in
>> MailScanner.conf.
>>
>>
>> On 22/11/2009 10:26, Monis Monther wrote:
>>
>>> > I have the clamavmodule and its working fine
>>>
>>> How do you know this?
>>>
>>>
>>> I knew because I see in the logs that it is catching stuff
>>>
>>>
>>> Try sending an email through the machine with the EICAR attachment
>>> (http://www.eicar.org/anti_virus_test_file.htm), and check:
>>>
>>> I tried the test, thanks for the link
>>>
>>> a) the mail system logs, to see whether MailScanner thinks it's detected a
>>> virus
>>>
>>> In the log, it found it and gave this
>>>
>>> Virus and Content Scanning: Starting
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/eicar.com
>>>
>>> ....
>>> .....
>>> Requeue: A32B56E03A2.E8204 to E19D26E009C
>>> ....
>>> ....
>>> Cleaned: Delivered 1 cleaned messages
>>>
>>>
>>> b) the headers of the (presumably) received message, to see whether it tells
>>> you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)
>>>
>>> I only had these headers
>>> X-MyDomain-MailScanner-ID: AA32E6E03B9.9919A
>>> X-MyDomain-MailScanner: Found to be infected
>>> X-MyDomain-MailScanner-SpamScore: ss
>>> X-MyDomain-MailScanner-From: monis.monther at mediaintl.net
>>>
>>> X-Spam-Status: No
>>> X-RCPT-TO: <someone>
>>> Status: U
>>> X-UIDL: 548082981
>>>
>>> So I conclude that it was not detected as spam but as infected, and I
>>> got the notification attachment delivered saying call help desk... bla bla
>>>
>>> But the attachment was not saved under quarantine, I want the attachments
>>> to be saved.
>>>
>>> c) the output of /path/to/MailScanner --lint (to see whether it thinks the
>>> antivirus engine is correctly installed and available)
>>>
>>>
>>> It showed that I have clamavmodule successfully installed
>>>
>>>
>>>
>>> Conclusion: I was mistaken when I thought it was related to spam score,
>>> but now I want the virus attachment to be stored in quarantine not deleted,
>>> Thanks
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Nov 19, 2009 at 2:26 PM, Antony Stone <Antony.Stone at mailscanner.open.source.it> wrote:
>>>
>>>    On Thursday 19 November 2009, Monis Monther wrote:
>>>
>>>    > I have the following
>>>    >
>>>    > Virus Scanning = yes
>>>    > Virus Scanners = clamavmodule
>>>    > Deliver Disinfected Files = no
>>>    > Silent Viruses = HTML-IFrame All-Viruses
>>>    > Still Deliver Silent Viruses = no
>>>    >
>>>    > I have the clamavmodule and its working fine
>>>
>>>    How do you know this?
>>>
>>>    > and when I set HighScore spam = store it started to quarantine virus that
>>>    > get a high score spam and still delivers viruses that come with low spam
>>>    > messages
>>>
>>>    Are you saying that the quarantined messages (quarantined because they are
>>>    detected as spam) still contain the virus attachments, or have these been
>>>    cleaned?
>>>
>>>    Try sending an email through the machine with the EICAR attachment
>>>    (http://www.eicar.org/anti_virus_test_file.htm), and check:
>>>
>>>    a) the mail system logs, to see whether MailScanner thinks it's detected a
>>>    virus
>>>
>>>    b) the headers of the (presumably) received message, to see whether it tells
>>>    you that anti-virus scanning was performed (X-OrganisationName-Viruscheck)
>>>
>>>    c) the output of /path/to/MailScanner --lint (to see whether it thinks the
>>>    antivirus engine is correctly installed and available)
>>>
>>>
>>>    Antony.
>>>
>>>    --
>>>    "Reports that say that something hasn't happened are always interesting to me,
>>>    because as we know, there are known knowns; there are things we know we know.
>>>    We also know there are known unknowns; that is to say we know there are some
>>>    things we do not know. But there are also unknown unknowns - the ones we
>>>    don't know we don't know."
>>>
>>>     - Donald Rumsfeld, US Secretary of Defence
>>>
>>>    Please reply to the list; please don't CC me.
>>>    --
>>>    MailScanner mailing list
>>>    mailscanner at lists.mailscanner.info
>>>
>>>    http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>
>>>    Before posting, read http://wiki.mailscanner.info/posting
>>>
>>>    Support MailScanner development - buy the book off the website!
>>>
>>>
>>>
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>>
>>
>
>
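The interaction between the options named in this thread, as an added example that is not part of the original messages and not MailScanner's own code. It assumes the behaviour described in the MailScanner.conf comments, with list entries matched as case-insensitive substrings; the `Quarantine Infections` value and the Non-Forging list contents in the sample fragments are constructed.

```python
import re

def parse_conf(text):
    """Parse 'Option Name = value' lines; keys keep only lowercase letters/digits."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[re.sub(r"[^a-z0-9]", "", key.lower())] = value.strip()
    return conf

def is_yes(conf, key):
    return conf.get(key, "no").lower() == "yes"

def outcome(conf, report):
    """Return (silent, quarantined, delivered) for one scanner report line."""
    rep = report.lower()
    silent_list = conf.get("silentviruses", "").lower().split()
    nonforging = conf.get("nonforgingviruses", "").lower().split()
    # Assumption: list entries are matched as case-insensitive substrings.
    silent = "all-viruses" in silent_list or any(s in rep for s in silent_list)
    if any(s in rep for s in nonforging):
        silent = False  # a Non-Forging match cancels silent handling
    quarantined = is_yes(conf, "quarantineinfections") and (
        not silent or is_yes(conf, "quarantinesilentviruses"))
    # Non-silent detections are delivered cleaned (attachment replaced by warning).
    delivered = not silent or is_yes(conf, "stilldeliversilentviruses")
    return silent, quarantined, delivered

# Scanner report as logged in the thread (wrapped path joined onto one line).
REPORT = "ClamAVModule::INFECTED:: Eicar-Test-Signature:: ./A32B56E03A2.E8204/eicar.com"

# Constructed MailScanner.conf fragments for three stages of the thread.
BASE = "Quarantine Infections = yes\nSilent Viruses = HTML-IFrame All-Viruses\n"
NO_EICAR = BASE + "Non-Forging Viruses = Joke/\nStill Deliver Silent Viruses = yes\n"
STAGES = {
    "eicar in non-forging list": BASE + "Non-Forging Viruses = Joke/ eicar\n"
                                        "Still Deliver Silent Viruses = no\n",
    "eicar removed, still deliver": NO_EICAR,
    "plus quarantine silent": NO_EICAR + "Quarantine Silent Viruses = yes\n",
}

def run_stages():
    return {name: outcome(parse_conf(text), REPORT) for name, text in STAGES.items()}

if __name__ == "__main__":
    for name, (silent, quarantined, delivered) in run_stages().items():
        print(f"{name}: silent={silent} quarantined={quarantined} delivered={delivered}")
```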