Email with virus getting through

Paul Welsh paul at
Mon Oct 1 15:43:58 IST 2012

Hi all, I'm running MailScanner 4.84.5 with Clam and F-Prot on CentOS
6.3 with Exim 4.76 and an infected message is being delivered.  Here's
the maillog extract.  I've changed the recipient domain to

Oct  1 10:34:00 mail MailScanner[15454]: Infected message
came from
Oct  1 10:34:01 mail MailScanner[15454]: Message 1TIcNu-0004Ww-Ny from (truismsjb95 at to is not spam,
SpamAssassin (score=2.798, required 6, autolearn=disabled,
Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message
1TIcNu-0004Ww-Ny from truismsjb95 at to
postmaster at with subject  Your friend added a new photo
with you to the album

As you can see, it's identified as Infected but still delivered.

If I manually scan the message, I get this from f-prot:
# /opt/f-prot/fpscan Y*.eml
[Found possible security risk] <W32/Heuristic-200!Eldorado (not
disinfectable)> 	Your friend added a new photo with you to the
[Contains infected objects]	Your friend added a new photo with you to
the album.eml

I get this from clam:
# clamscan Y*.eml
Your friend added a new photo with you to the album.eml: OK

----------- SCAN SUMMARY -----------
Known viruses: 1314671
Engine version: 0.97.6
Scanned directories: 0
Scanned files: 1
Infected files: 0

In MailScanner.conf I have these set but neither affects virus
checking, apparently:
Maximum Archive Depth = 0
Find Archives By Content = no

I also have:
Virus Scanning = yes
Virus Scanners = clamav f-prot-6
Deliver Disinfected Files = no
Silent Viruses = HTML-IFrame All-Viruses
Still Deliver Silent Viruses = no
Non-Forging Viruses = Joke/ OF97/ WM97/ W97M/ eicar
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish*
Block Encrypted Messages = no
Allow Password-Protected Archives = no
Check Filenames In Password-Protected Archives = yes
Dangerous Content Scanning = yes
Allow Partial Messages = no
Find Phishing Fraud = yes
Also Find Numeric Phishing = yes
Use Stricter Phishing Net = no

Any ideas?

For now, I have tried this.  Previously it was not set:
Archives: Deny Filenames = \.exe$
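
Added example, not part of the original post: a small maillog check that flags any message MailScanner logs as "Infected message" and later logs under "Delivery of nonspam", which is the symptom described above. The sample lines are constructed (IDs, addresses and IPs are made up), and the "Infected message <id> came from <ip>" layout is an assumption because that line is truncated in the extract.

```python
import re

# Constructed sample lines modelled on the maillog extract above; message IDs,
# addresses and IPs are made up. The "Infected message <id> came from <ip>"
# layout is an assumption, since the extract shows that line truncated.
SAMPLE_LOG = """\
Oct  1 10:34:00 mail MailScanner[15454]: Infected message 1AAAAA-000001-AA came from 192.0.2.10
Oct  1 10:34:01 mail MailScanner[15454]: Message 1AAAAA-000001-AA from 192.0.2.10 (a@example.org) to example.com is not spam, SpamAssassin (score=2.798, required 6, autolearn=disabled)
Oct  1 10:34:01 mail MailScanner[15454]: Delivery of nonspam: message 1AAAAA-000001-AA from a@example.org to postmaster@example.com with subject test
Oct  1 10:35:10 mail MailScanner[15454]: Infected message 1BBBBB-000002-BB came from 192.0.2.11
Oct  1 10:36:00 mail MailScanner[15460]: Delivery of nonspam: message 1CCCCC-000003-CC from b@example.org to postmaster@example.com with subject hello
"""

INFECTED = re.compile(r"MailScanner\[\d+\]: Infected message (\S+) came from (\S+)")
DELIVERED = re.compile(r"MailScanner\[\d+\]: Delivery of nonspam: message (\S+) from ")


def infected_but_delivered(lines):
    """Return (message_id, source, delivery_line) for each message that was
    logged as infected and later logged as delivered."""
    infected = {}  # message id -> source it came from
    hits = []
    for line in lines:
        m = INFECTED.search(line)
        if m:
            infected[m.group(1)] = m.group(2)
            continue
        m = DELIVERED.search(line)
        if m and m.group(1) in infected:
            hits.append((m.group(1), infected[m.group(1)], line.strip()))
    return hits


if __name__ == "__main__":
    for msg_id, source, line in infected_but_delivered(SAMPLE_LOG.splitlines()):
        print(f"{msg_id} (from {source}) flagged infected but delivered:\n  {line}")
```

To run it against a real log, pass the open file object instead of SAMPLE_LOG.splitlines().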
