Sophos & ClamAV + Sanesecurity

Julian Field MailScanner at ecs.soton.ac.uk
Tue Jan 12 15:28:02 GMT 2010



On 12/01/2010 14:57, ThB wrote:
> On  Tue, 12 Jan 2010 09:59:24, Julian Field wrote:
>    
>> I have just done a quick test of the spam-virus code.
>> When I send it a message containing a spam-virus, I get this in the
>> headers of the message:
>>
>> X-JKF-MailScanner: Found to be clean
>> X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
>> X-JKF-MailScanner-SpamScore: ss
>> X-JKF-MailScanner-From: toucanv at rondalynresort.com
>> X-Spam-Status: No
>>      
> Yes, this is what I expect. I get this result when only ClamAV & SA
> are used, but no additional virus scanner.
>
> I use ClamAV _and_ Sophos at the same time and I suspect the problem only
> occurs when ClamAV says that it's a spam-virus but Sophos says it's a real
> virus. In this special case SA is not run (and therefore the SpamScore is
> missing) but the message is also not quarantined.
>    
Please can you send me a test message demonstrating this problem?
Your best bet is to put it on a website (not linked from anywhere) and 
email me the URL to mailscanner at ecs.soton.ac.uk. Then I can try your 
test case and produce a fix for you.
> If ClamAV and/or Sophos say it's a real virus then the message is
> quarantined. If only ClamAV says it's a spam-virus then SA correctly sets
> the SpamScore.
>
>    
>> which is exactly what I want. It is not virus-infected, it has a
>> spamvirus, and its spam-status is no because the score added by the rule
>> in spam.assassin.prefs.conf wasn't enough to get it over the spam
>> threshold.
>>      
> I agree as long as there is not any other virus scanner telling me that's
> a virus. In my opinion the message must be treated as infected if one of
> several virus scanners tells me it contains a real virus, even if ClamAV
> tells me it's only a spam virus.
>
>    
>> If I set the score in spam.assassin.prefs.conf file to something above
>> the high-score threshold, I get this:
>>
>> X-JKF-MailScanner: Found to be clean
>> X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
>> X-JKF-MailScanner-SpamCheck: spam, SpamAssassin (score=17.878, required 6,
>>       BAYES_50 0.00, HTML_IMAGE_ONLY_20 1.55, HTML_MESSAGE 0.00,
>>       MS_FOUND_SPAMVIRUS 15.00, RCVD_IN_SORBS_WEB 0.62,
>>       SARE_RECV_IP_FROMIP3 0.71)
>> X-JKF-MailScanner-SpamScore: sssssssssssssssss
>> X-JKF-MailScanner-From: toucanv at rondalynresort.com
>> X-Spam-Status: High
>>
>> Again, it has taken the correct spam action and not marked it as a virus.
>>      
> Yes, it works exactly this way if Sophos (or any other virus scanner?)
> does not detect a virus in the very same message.
>
>    
>> Note that setting up the SpamVirus stuff involves taking a quick peek
>> into /etc/MailScanner/spam.assassin.prefs.conf as well as
>> /etc/MailScanner/MailScanner.conf as SpamAssassin needs to know what
>> header name it is looking for to assign the spam score.
>>
>> Hope that helps resolve your difficulties.
>>
>> It does all appear to work as I intended.
>>
>> Jules.
>>
>>      
> regards
> Thomas
>
> PS: Sorry for breaking the thread, but it's not possible to reply when
> using the text digest of this list.
>
>
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
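Added example (not part of the original thread, and not MailScanner code): a Python header audit that picks out messages carrying a SpamVirus report but no SpamScore header, the combination ThB describes. The function name, verdict labels and the third sample are assumptions made for illustration, and a missing SpamScore header is taken as the sign that SpamAssassin did not run, following ThB's description.

```python
import re
from email import message_from_string

# Constructed samples. LOW and HIGH copy the headers quoted in the thread;
# UNSCORED is built from ThB's description (report present, SpamScore missing).
LOW = """\
X-JKF-MailScanner: Found to be clean
X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
X-JKF-MailScanner-SpamScore: ss
X-Spam-Status: No
"""
HIGH = """\
X-JKF-MailScanner: Found to be clean
X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
X-JKF-MailScanner-SpamCheck: spam, SpamAssassin (score=17.878, required 6,
      BAYES_50 0.00, HTML_IMAGE_ONLY_20 1.55, HTML_MESSAGE 0.00,
      MS_FOUND_SPAMVIRUS 15.00, RCVD_IN_SORBS_WEB 0.62,
      SARE_RECV_IP_FROMIP3 0.71)
X-JKF-MailScanner-SpamScore: sssssssssssssssss
X-Spam-Status: High
"""
UNSCORED = """\
X-MailScanner-SpamVirus-Report: Sanesecurity.Jurlbl.8564.UNOFFICIAL
"""

# Header names carry an optional site tag ("JKF" above), so match loosely.
NAME = re.compile(r"X-(?:\w+-)?MailScanner(?:-([\w-]+))?", re.I)
RULE = re.compile(r"\b([A-Z][A-Z0-9_]+) (-?\d+(?:\.\d+)?)")

def audit(raw):
    """Summarise the MailScanner spam-virus outcome recorded in one message."""
    msg = message_from_string(raw)
    found = {}
    for name, value in msg.items():
        m = NAME.fullmatch(name)
        if m:  # unfold continuation lines into one space-separated string
            found[(m.group(1) or "status").lower()] = " ".join(value.split())
    rules = {r: float(s) for r, s in RULE.findall(found.get("spamcheck", ""))}
    report = found.get("spamvirus-report")
    if not report:
        verdict = "no-spamvirus"
    elif "spamscore" not in found:
        verdict = "spamvirus-unscored"  # no SpamAssassin result: review this one
    else:
        verdict = "spamvirus-scored"
    return {"signature": report, "verdict": verdict,
            "rule_score": rules.get("MS_FOUND_SPAMVIRUS"),
            "spam_status": msg.get("X-Spam-Status")}
```

Run `audit()` over delivered or archived messages; any `spamvirus-unscored` result is a message that was tagged as a spam-virus yet shows no SpamAssassin score.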