Mailscanner / Sophos does not block viruses

ci at holmco.de ci at holmco.de
Mon Nov 11 09:01:23 GMT 2013


On Fri, Nov 08, 2013 at 08:06:47AM -0800 you wrote:

> Current version is 4.84.6. 4.79.11 is almost 4 years old. There's
> nothing specific about this issue at
> <http://www.mailscanner.info/ChangeLog>, but upgrading may help.

It's the latest stable version for Debian (as linked from
mailscanner.info). Debian is the distribution we use for our mail
server. I hope that critical updates have been backported to the
Debian package.

Here are a few log entries of my eicar test mail:

mail.log:

Nov 11 09:49:02 mail MailScanner[27197]: New Batch: Scanning 1 messages, 1281 bytes
Nov 11 09:49:02 mail MailScanner[27197]: Virus and Content Scanning: Starting
Nov 11 09:49:09 mail MailScanner[27197]: Delivery of nonspam: message 1VfnB6-00076E-DC from ci at holmco.de to ci at holmco.de with subject  eicar
Nov 11 09:49:09 mail MailScanner[27197]: Uninfected: Delivered 1 messages
Nov 11 09:49:09 mail MailScanner[27197]: Deleted 1 messages from processing-database

exim mainlog:

2013-11-11 09:49:00 1VfnB6-00076E-DC <= ci at holmco.de H=(xxx.domain.tld) [IP] P=esmtp S=907 id=20131111084900.GB19422 at xxx.domain.tld T="eicar" from <ci at holmco.de> for ci at holmco.de
2013-11-11 09:49:10 1VfnB6-00076E-DC => ci <ci at holmco.de> F=<ci at holmco.de> R=procmail T=procmail_pipe S=1351 QT=10s DT=1s
2013-11-11 09:49:10 1VfnB6-00076E-DC Completed QT=10s


Sophos mails the administrator that it has detected a virus:
------------------------------------------------------------------------
A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/27197/1VfnB6-00076E-DC/neicar.txt is infected with EICAR-AV-Test.
------------------------------------------------------------------------

But MailScanner delivers the mail, stating it's "uninfected".
What is going wrong?


Greetings,
-- 
R. Cirksena 
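
The mismatch shown in this post can be checked for mechanically. The following is an added example, not part of the original message: it joins MailScanner delivery lines to Sophos alert paths on the message ID and reports anything delivered despite a detection. The function names are hypothetical, and the log and alert formats are assumed to match the lines quoted in the post.

```python
import re

# Sample input: log lines and alert text copied from the post above.
MAIL_LOG = """\
Nov 11 09:49:02 mail MailScanner[27197]: New Batch: Scanning 1 messages, 1281 bytes
Nov 11 09:49:02 mail MailScanner[27197]: Virus and Content Scanning: Starting
Nov 11 09:49:09 mail MailScanner[27197]: Delivery of nonspam: message 1VfnB6-00076E-DC from ci at holmco.de to ci at holmco.de with subject  eicar
Nov 11 09:49:09 mail MailScanner[27197]: Uninfected: Delivered 1 messages
"""
SOPHOS_ALERT = """\
Number of infected files detected: 1
/var/spool/MailScanner/incoming/27197/1VfnB6-00076E-DC/neicar.txt is infected with EICAR-AV-Test.
"""

# "Delivery of nonspam: message <id> ..." as logged by the MailScanner worker.
DELIVERY = re.compile(r"MailScanner\[(\d+)\]: Delivery of \w+: message (\S+) ")
# Path layout as seen in the alert: <incoming dir>/<worker pid>/<message id>/<file>
INFECTED = re.compile(
    r"^(?P<path>\S*/incoming/(?P<pid>\d+)/(?P<msgid>[^/\s]+)/\S+)"
    r" is infected with (?P<threat>\S+?)\.?$", re.M)


def delivered(mail_log):
    """Map message id -> MailScanner worker pid for every delivery line."""
    return {m.group(2): m.group(1) for m in DELIVERY.finditer(mail_log)}


def mismatches(mail_log, alert_text):
    """Return messages the scanner flagged that MailScanner delivered anyway."""
    sent = delivered(mail_log)
    hits = []
    for m in INFECTED.finditer(alert_text):
        if m["msgid"] in sent:
            hits.append({"msgid": m["msgid"], "threat": m["threat"],
                         "path": m["path"],
                         "same_worker": sent[m["msgid"]] == m["pid"]})
    return hits


if __name__ == "__main__":
    for hit in mismatches(MAIL_LOG, SOPHOS_ALERT):
        print("delivered despite detection:", hit)
```

A hit with `same_worker` set to true means the scanner flagged the file inside the same worker directory that MailScanner then reported as uninfected, which is the situation described above.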

