esets false positive

Shawn Iverson iversons at rushville.k12.in.us
Mon Dec 10 13:15:25 UTC 2018


Added patch for next release.

On Tue, Dec 4, 2018 at 8:08 AM Nerijus Baliunas <
nerijus at users.sourceforge.net> wrote:

> Hello,
>
> I've got another similar problem. When scanning manually:
>
> name="message", threat="", action="", info="error reading archive"
> name="message » MIME » noname", threat="", action="", info="error reading archive"
> name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"
>
> Could you please apply the following patch:
>
> --- SweepViruses.pm.orig        2018-10-26 13:46:13.000000000 +0300
> +++ SweepViruses.pm     2018-12-04 14:56:24.659909451 +0200
> @@ -1915,6 +1915,9 @@
>    # archive damaged
>    return 0 if $line =~ m/archive damaged/i;
>
> +  # error reading archive
> +  return 0 if $line =~ m/error reading archive/i;
> +
>    my ($a, $b, $c, $d) = split(/,/, $line);
>    my ($filename) = $a =~ m/\"(.*)\"/;
>    my ($threat) = $b =~ m/\"(.*)\"/;
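Review bot: the added `return 0 if $line =~ m/error reading archive/i;` is a second string-specific special case stacked on the existing `archive damaged` one, so any other diagnostic the scanner emits with an empty threat field will still fall through to the split and be counted as an infection. Since the fields are already extracted a few lines later, the general fix is to decide on the parsed threat rather than on the info text, e.g. after `my ($threat) = $b =~ m/\"(.*)\"/;` add `return 0 unless defined $threat && length $threat;`, which covers both messages and anything similar. Separately, `split(/,/, $line)` assigns the wrong pieces whenever the quoted name itself contains a comma, so `$a =~ m/\"(.*)\"/` then fails to find a closing quote; matching the four `key="..."` fields with one regex avoids that.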
>
> ?
>
> Thanks,
> Nerijus
>
> On Fri, 12 Oct 2018 15:31:43 +0300 Nerijus Baliunas <
> nerijus at users.sourceforge.net> wrote:
>
> > I got the file. Here is the output of a virus:
> >
> > # /opt/eset/esets/sbin/esets_scan .
> > ...
> > name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
> > ...
> > # echo $?
> > 1
> >
> > Output of false positive:
> >
> > # /opt/eset/esets/sbin/esets_scan .
> > ...
> > name="./test.zip", threat="", action="", info="archive damaged"
> > name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"
> > name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"
> > name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip", threat="", action="", info="archive damaged"
> > name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip » ZIP » ", threat="", action="", info="archive damaged"
> > ...
> > # echo $?
> > 10
> >
> > Archives are OK, I can view/extract them, so it is most probably a bug in esets scanner itself.
> > Empty threat (threat="") with info="archive damaged" should probably be allowed.
> >
> > On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner <
> mailscanner at lists.mailscanner.info> wrote:
> >
> > > That is most likely the esets wrapper and SweepViruses.pm function failing
> > > to parse the output of the virus scanner properly.
> > >
> > > I would start there and run a manual scan based on the parameters in the
> > > wrapper against a file that triggers the problem.  I would then take a look
> > > at the ProcessEsetsOutput function and see if the regexes in there make
> > > sense for the output.
> > >
> > > On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <
> > > nerijus at users.sourceforge.net> wrote:
> > >
> > > > Hello,
> > > >
> > > > I use the latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally
> > > > it "detects" viruses in harmless files. For example:
> > > >
> > > > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages, 4623339 bytes
> > > > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning: Starting
> > > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > > > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17 infections
> > > > Oct 11 11:55:26 mail MailScanner[3063]: Infected message 9231B2A14054.A15A2 came from 192.168.x.x
> > > > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses
> > > >
> > > > While a real virus output looks like this:
> > > > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages, 2104 bytes
> > > > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning: Starting
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3 infections
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Infected message EF7F72A14053.A770C came from 5.2.x.x
> > > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses
> > > >
> > > > How do I debug this?
> > > >
> > > > Regards,
> > > > Nerijus
>
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
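The parsing rule the thread converges on (a scanner record is an infection only when its threat field is non-empty; "archive damaged" and "error reading archive" records carry an empty threat and are diagnostics), written out as an added Python example. This is not MailScanner's SweepViruses.pm and not ESET code; it assumes only the one-record-per-line format name="...", threat="...", action="...", info="..." shown in the manual esets_scan runs above. The threat name Win32/Example.A, the comma-containing file name and the non-record line in the sample are constructed for the test. It also mirrors the split-on-comma extraction from the patch context to show where that approach loses the file name.

```python
"""Classify esets_scan report lines into detections and diagnostics.

Added example, not MailScanner's SweepViruses.pm. The record layout is
taken from the scanner output quoted in the thread; everything marked
"constructed" below is sample input made up for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One regex for the whole record. Greedy groups backtrack to the single
# ", threat=" / ", action=" / ", info=" separators, so a comma or a
# " » " path separator inside the quoted name does not split the record.
RECORD_RE = re.compile(
    r'^name="(?P<name>.*)", threat="(?P<threat>.*)", '
    r'action="(?P<action>.*)", info="(?P<info>.*)"$'
)


@dataclass(frozen=True)
class Record:
    name: str
    threat: str
    action: str
    info: str

    @property
    def is_detection(self) -> bool:
        # The scanner named a threat: count it. An empty threat with text in
        # info (archive damaged, error reading archive, ...) is a diagnostic
        # about the container, not an infection, whatever the info text says.
        return self.threat != ""


def parse_record(line: str) -> Optional[Record]:
    """Return a Record for a well-formed report line, else None."""
    m = RECORD_RE.match(line.strip())
    return Record(**m.groupdict()) if m else None


def classify(output: str) -> Tuple[List[Record], List[Record], List[str]]:
    """Split scanner output into (detections, diagnostics, unparsed lines)."""
    detections: List[Record] = []
    diagnostics: List[Record] = []
    unparsed: List[str] = []
    for line in output.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unparsed.append(line)      # banner/progress text, not a record
        elif rec.is_detection:
            detections.append(rec)
        else:
            diagnostics.append(rec)
    return detections, diagnostics, unparsed


def count_infections(output: str) -> int:
    """What the wrapper should report as 'esets found N infections'."""
    return len(classify(output)[0])


def naive_name_field(line: str) -> Optional[str]:
    """Mirror of split(/,/, $line) followed by $a =~ m/\"(.*)\"/ on the
    first piece. Returns None when the first piece has no closing quote,
    which happens as soon as the file name itself contains a comma."""
    first = line.split(",")[0]
    m = re.search(r'"(.*)"', first)
    return m.group(1) if m else None


# Constructed sample: the first four records are taken from the thread, the
# last three (comma in the name, the threat name, the trailing text line)
# are made up for this example.
SAMPLE_OUTPUT = """\
name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
name="./test.zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"
name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"
name="./inbox/report, final.zip", threat="", action="", info="archive damaged"
name="./inbox/report, final.zip » ZIP » payload.exe", threat="Win32/Example.A", action="cleaned by deleting", info=""
--- constructed non-record line, not real esets output ---
"""

if __name__ == "__main__":
    dets, diags, other = classify(SAMPLE_OUTPUT)
    print(f"infections: {len(dets)}, diagnostics: {len(diags)}, unparsed: {len(other)}")
    for d in dets:
        print(f"INFECTED {d.threat!r} in {d.name!r}")
    for d in diags:
        print(f"DIAG     {d.info!r} for {d.name!r}")
```

Run stand-alone it reports 2 infections and 4 diagnostics for the sample, where the split-on-comma approach would have counted every empty-threat record and lost the name of the comma-containing archive entirely.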