Mailscanner / Sophos does not block viruses

ci at holmco.de
Fri Nov 15 07:44:54 GMT 2013


On Thu, Nov 14, 2013 at 05:47:04PM -0800 you wrote:

> Based on what you've previously posted, MailScanner invoked sophos and
> sophos saw the infection. We know this because sophos emailed the admin
> about the infection.
> 
> The problem is MailScanner is not getting or recognizing the report from
> sophos.

Yes. 

> MailScanner looks for various specific patterns on the output from
> sophos. See sub ProcessSophosOutput at about line 1764 in
> /usr/lib/MailScanner/MailScanner/SweepViruses.pm

That is part of the solution. Someone (not me!) set the locale to German.
I have corrected that now.
To be sure, I added "export LC_ALL=en_GB" at the beginning of
/etc/MailScanner/wrapper/sophos-wrapper.

> What version of sophos do you have?

Product version           : 4.94.0
Engine version            : 3.48.0
Virus data version        : 4.95
User interface version    : 2.03.048
Platform                  : Linux/Intel
Released                  : 13 November 2013
Total viruses (with IDEs) : 5980697

> What output do you get if you manually run sophos on an infected file?

From "savscan eicar.txt":

(...long list of .ide...)
Verwende IDE Datei age-aess.ide
Verwende IDE Datei age-aest.ide
Verwende IDE Datei vb-gwy.ide

Normale Überprüfung

>>> Virus 'EICAR-AV-Test' gefunden in Datei /usr/local/src/eicar.txt

1 Datei überprüft in 6 Sekunden.
1 Virus wurde gefunden.
1 Datei von 1 war infiziert.
Wenn Sie weitere Unterstützung zu Erkennungen benötigen, rufen Sie bitte unser
Threat Center unter http://www.sophos.com/de-de/threat-center.aspx auf.
Ende von Scan.

After changing the locale (see above) it is:

(...long list of .ide...)
Using IDE file age-aesq.ide
Using IDE file age-aess.ide
Using IDE file age-aest.ide
Using IDE file vb-gwy.ide

Quick Scanning

>>> Virus 'EICAR-AV-Test' found in file eicar.txt

1 file scanned in 6 seconds.
1 virus was discovered.
1 file out of 1 was infected.
If you need further advice regarding any detections please visit our
Threat Center at: http://www.sophos.com/en-us/threat-center.aspx
End of Scan.

Seems that the problem is solved. Thank you and greetings from Berlin
to San Francisco.


-- 
R. Cirksena 
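
Added example, not part of the original post and not MailScanner's own code: a small Python check showing why an English-only pattern misses the German savscan detection line quoted above, and how a parser can fail closed instead of reporting "clean". The regular expressions and function names are assumptions made for this illustration; the sample outputs are trimmed from the post.

```python
import re

# Assumption: simplified English-only detection pattern, written for this
# example; it is not copied from SweepViruses.pm.
ENGLISH_HIT = re.compile(r"^>>> Virus '([^']+)' found in file (.+)$", re.M)
# In both samples from the post the detection line starts with ">>> ",
# whatever the locale; used here as a language-independent warning sign.
HIT_MARKER = re.compile(r"^>>> ", re.M)

# savscan output quoted in the post, trimmed to the relevant lines.
GERMAN = """Normale Überprüfung

>>> Virus 'EICAR-AV-Test' gefunden in Datei /usr/local/src/eicar.txt

1 Datei überprüft in 6 Sekunden.
1 Virus wurde gefunden.
Ende von Scan.
"""
ENGLISH = """Quick Scanning

>>> Virus 'EICAR-AV-Test' found in file eicar.txt

1 file scanned in 6 seconds.
1 virus was discovered.
End of Scan.
"""

def parse_hits(output):
    """Return (virus_name, path) pairs the English pattern recognises."""
    return ENGLISH_HIT.findall(output)

def classify(output):
    """'infected', 'clean', or 'unparsed' (detection marker seen, no match)."""
    if parse_hits(output):
        return "infected"
    if HIT_MARKER.search(output):
        return "unparsed"  # fail closed: treat as a scanner/parser fault
    return "clean"

def eicar_selftest(output):
    """True only if a scan of the EICAR test file is recognised as a hit."""
    return any(name == "EICAR-AV-Test" for name, _ in parse_hits(output))

if __name__ == "__main__":
    for label, text in (("de", GERMAN), ("en", ENGLISH)):
        print(label, classify(text), eicar_selftest(text))
```

Feeding the self-test the output of a real EICAR scan run through the same wrapper and environment as the mail scanner would flag a locale regression like the one in this thread.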

