esets false positive

Nerijus Baliunas nerijus at users.sourceforge.net
Tue Dec 4 12:58:21 UTC 2018


Hello,

I've got another similar problem. When scanning manually:

name="message", threat="", action="", info="error reading archive"
name="message » MIME » noname", threat="", action="", info="error reading archive"
name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"

Could you please apply the following patch:

--- SweepViruses.pm.orig        2018-10-26 13:46:13.000000000 +0300
+++ SweepViruses.pm     2018-12-04 14:56:24.659909451 +0200
@@ -1915,6 +1915,9 @@
   # archive damaged
   return 0 if $line =~ m/archive damaged/i;

+  # error reading archive
+  return 0 if $line =~ m/error reading archive/i;
+
   my ($a, $b, $c, $d) = split(/,/, $line);
   my ($filename) = $a =~ m/\"(.*)\"/;
   my ($threat) = $b =~ m/\"(.*)\"/;
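Review bot: The new `return 0 if $line =~ m/error reading archive/i;` matches the phrase anywhere on the line rather than in the `info` field, and it sits directly beside an identical check for `archive damaged`; anchor both to the field and fold them into one test, e.g. `return 0 if $line =~ m/info="(?:archive damaged|error reading archive)"/i;`. The early return also leaves the underlying problem in place: a line with `threat=""` and any third, not yet listed `info` message still falls through to the `split(/,/, $line)` parsing below and is reported as an infection, so checking for an empty `$threat` after the `m/\"(.*)\"/` captures would cover every scanner error string at once. Since returning 0 here passes an archive the scanner could not read as not infected, a comment stating that this fail-open behaviour is deliberate would help the next reader.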

?

Thanks,
Nerijus

On Fri, 12 Oct 2018 15:31:43 +0300 Nerijus Baliunas <nerijus at users.sourceforge.net> wrote:

> I got the file. Here is the output of a virus:
> 
> # /opt/eset/esets/sbin/esets_scan .
> ...
> name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
> ...
> # echo $?
> 1
> 
> Output of false positive:
> 
> # /opt/eset/esets/sbin/esets_scan .
> ...
> name="./test.zip", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip", threat="", action="", info="archive damaged"
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip » ZIP » ", threat="", action="", info="archive damaged"
> ...
> # echo $?
> 10
> 
> Archives are OK, I can view/extract them, so it is most probably a bug in esets scanner itself.
> Empty threat (threat="") with info="archive damaged" should probably be allowed.
> 
> On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:
> 
> > That is most likely the esets wrapper and SweepViruses.pm function failing
> > to parse the output of the virus scanner properly.
> > 
> > I would start there and run a manual scan based on the parameters in the
> > wrapper against a file that triggers the problem.  I would then take a look
> > at the ProcessEsetsOutput function and see if the regex in there makes sense
> > for the output.
> > 
> > On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <nerijus at users.sourceforge.net> wrote:
> > 
> > > Hello,
> > >
> > > I use the latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally
> > > it "detects" viruses in harmless files. For example:
> > >
> > > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages, 4623339 bytes
> > > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning: Starting
> > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17 infections
> > > Oct 11 11:55:26 mail MailScanner[3063]: Infected message 9231B2A14054.A15A2 came from 192.168.x.x
> > > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses
> > >
> > > While a real virus output looks like this:
> > > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages, 2104 bytes
> > > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning: Starting
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3 infections
> > > Oct 11 01:39:49 mail MailScanner[4184]: Infected message EF7F72A14053.A770C came from 5.2.x.x
> > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses
> > >
> > > How do I debug this?
> > >
> > > Regards,
> > > Nerijus
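The classification the thread argues for (an empty `threat=""` together with an `info` message is a scanner error, not an infection) written out as an added Perl example. This is not MailScanner's SweepViruses.pm code; the function names are the example's own, and the sample lines are constructed from the scanner output quoted in the thread.

```perl
#!/usr/bin/perl
# Added example (not MailScanner's own code): classify one esets_scan output
# line as clean / infected / unreadable instead of matching individual
# info strings such as "archive damaged" one at a time.
use strict;
use warnings;

# Parse key="value" fields without splitting on commas, so a filename that
# contains a comma cannot shift the threat/action/info columns.
sub parse_esets_line {
    my ($line) = @_;
    my %f;
    while ($line =~ /(\w+)="((?:[^"\\]|\\.)*)"/g) {
        $f{$1} = $2;
    }
    return (exists $f{name} && exists $f{threat}) ? \%f : undef;
}

# Returns (verdict, detail). 'infected' only when threat is non-empty; an
# empty threat with an info message is a scan error that the caller should
# log (the scanner could not inspect the file) rather than count as a virus.
sub classify_esets_line {
    my ($line) = @_;
    my $f = parse_esets_line($line);
    return ('unparsed',   $line)       unless $f;
    return ('infected',   $f->{threat}) if length $f->{threat};
    return ('unreadable', $f->{info})   if length($f->{info} // '');
    return ('clean',      $f->{name});
}

# Constructed sample lines modelled on the esets_scan output in the thread.
my @sample = (
    'name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""',
    'name="./test.zip", threat="", action="", info="archive damaged"',
    'name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"',
    'name="./report, final.doc", threat="", action="", info=""',
);

for my $l (@sample) {
    my ($verdict, $detail) = classify_esets_line($l);
    printf "%-10s %s\n", $verdict, $detail;
}
```

Only the first sample line yields `infected`; the two archive lines come back as `unreadable` so they can be logged as scan errors, and the filename with a comma is still parsed as `clean`.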
