Mailscanner / Sophos does not block viruses

ci at holmco.de ci at holmco.de
Thu Nov 14 09:08:09 GMT 2013


On Mon, Nov 11, 2013 at 10:04:19AM -0800 you wrote:

> Actually not. The above should look like (with sophos instead of Clamd)
> 
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> Clamd::INFECTED::Eicar-Test-Signature :: ./1/
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 2 viruses
> ===========================================================================
> Virus Scanner test reports:
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> 
> If any of your virus scanners ...
> 
> It seems from your other posts that sophos is being properly invoked and
> detects the infection as it mails the admin about it, but the detection
> is not being picked up by MailScanner.
> 
> What do you have in the "Options specific to Sophos Anti-Virus" section
> of MailScanner.conf? In particular,
> 
> Allowed Sophos Error Messages =

I installed and activated clamav to see if it is an issue with
MailScanner itself or with calling the virus scanner. In short:
clamav works, the attachment (eicar) has been removed from the
"infected" mail:

Part of MailScanner --lint:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

mail.log:
------------------------------------------------------------------------
Nov 14 09:50:40 mail MailScanner[22738]: Virus and Content Scanning: Starting
Nov 14 09:50:54 mail MailScanner[22725]: ./1Vgsd5-0006tl-Ja/eicar.txt: Eicar-Test-Signature FOUND
Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: ClamAV found 1 infections
Nov 14 09:50:54 mail MailScanner[22725]: Infected message 1Vgsd5-0006tl-Ja came from xxx.xxx.xxx.xxx
Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: Found 1 viruses
Nov 14 09:50:54 mail MailScanner[22725]: Saved entire message to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja
Nov 14 09:50:55 mail MailScanner[22725]: Saved infected "eicar.txt" to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja
Nov 14 09:50:55 mail MailScanner[22725]: Delivery of nonspam: message 1Vgsd5-0006tl-Ja from ci at holmco.de to ci at holmco.de with subject  eicar
Nov 14 09:50:55 mail MailScanner[22725]: Cleaned: Delivered 1 cleaned messages
Nov 14 09:50:55 mail MailScanner[22725]: Notices: Warned about 1 messages
Nov 14 09:50:55 mail MailScanner[22725]: Deleted 1 messages from processing-database
------------------------------------------------------------------------

I hope it's o.k. that just clamav scans the mail? Is it correct that,
as clamav did remove the attachment, sophos does not see the
infection?

What can I do to get MailScanner working with sophos?


Greetings,
-- 
R. Cirksena 
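
The check discussed in this message (which scanner's detection MailScanner actually registered for an infected message, and whether the attachment was quarantined) can be run over mail.log. The following is an added example, not part of the original post or of MailScanner; the function names are hypothetical, and the scanner name "Sophos" as it would appear in the log is an assumption (names are compared case-insensitively).

```python
import re
# Patterns follow the MailScanner syslog lines quoted in the post.
LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
SCANNER = re.compile(r"Virus Scanning: (\S+) found (\d+) infections")
INFECTED = re.compile(r"Infected message (\S+) came from")
SAVED = re.compile(r'Saved infected "[^"]+" to (\S+)')

def summarize(lines):
    """Map message id -> scanners that reported in its batch, and quarantine state."""
    pending, messages = {}, {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, text = m.groups()
        if text.startswith("Virus and Content Scanning: Starting"):
            pending[pid] = {}          # new batch for this child process
        elif (s := SCANNER.search(text)):
            pending.setdefault(pid, {})[s.group(1).lower()] = int(s.group(2))
        elif (i := INFECTED.search(text)):
            # Scanner counts are logged per batch, so they are attached to
            # every infected message reported by the same child process.
            messages[i.group(1)] = {"scanners": dict(pending.get(pid, {})),
                                    "quarantined": False}
        elif (q := SAVED.search(text)):
            msg_id = q.group(1).rstrip("/").rsplit("/", 1)[-1]
            if msg_id in messages:
                messages[msg_id]["quarantined"] = True
    return messages

def silent_scanners(messages, expected):
    """Per message, the expected scanners that logged no infection count."""
    want = {name.lower() for name in expected}
    return {mid: sorted(want - set(info["scanners"]))
            for mid, info in messages.items()}

# Sample input: lines copied from the mail.log excerpt in the post.
SAMPLE_LOG = """\
Nov 14 09:50:40 mail MailScanner[22738]: Virus and Content Scanning: Starting
Nov 14 09:50:54 mail MailScanner[22725]: ./1Vgsd5-0006tl-Ja/eicar.txt: Eicar-Test-Signature FOUND
Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: ClamAV found 1 infections
Nov 14 09:50:54 mail MailScanner[22725]: Infected message 1Vgsd5-0006tl-Ja came from xxx.xxx.xxx.xxx
Nov 14 09:50:54 mail MailScanner[22725]: Saved entire message to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja
Nov 14 09:50:55 mail MailScanner[22725]: Saved infected "eicar.txt" to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja
""".splitlines()

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for mid, missing in silent_scanners(summary, ["ClamAV", "Sophos"]).items():
        print(mid, summary[mid], "no report from:", missing or "none")
```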

