esets false positive

Nerijus Baliunas nerijus at users.sourceforge.net
Thu Oct 11 13:26:09 UTC 2018


I don't have the file, as I enabled Quarantine Silent Viruses = yes only now.
But the output in the postmaster "Virus Detected" email is:

    Report: Esets: found  in Rusta_Nofo_BabyWipes_REV1_10102018.zip >> ZIP >> __MACOSX 
            Esets Actions:  
            Esets Additional Info: none 
            
            Esets: found  in Rusta_Nofo_BabyWipes_REV1_10102018.zip >> ZIP >> __MACOSX 
            Esets Actions:  
            Esets Additional Info: none 
...

In an earlier false positive message:

    Report: Esets: found  in 2018 09 27 UKININKO burokeliu dizainas spaudai 160 x 160 mm.cdr » ZIP » color 
            Esets Actions:  
            Esets Additional Info: none 

In a real virus message:

    Report: Esets: found Eicar test file in eicar.co3.rar » RAR » eicar.co 
            Esets Actions: deleted 
            Esets Additional Info: none 
            
    Report: Esets: found Eicar test file in eicar.co3.rar 
            Esets Actions: deleted 
            Esets Additional Info: none 
            
            Esets: found Eicar test file in eicar.co 
            Esets Actions: cleaned by deleting 
            Esets Additional Info: none 

Regards,
Nerijus

On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:

> That is most likely the esets wrapper and SweepViruses.pm function failing
> to parse the output of the virus scanner properly.
> 
> I would start there and run a manual scan based on the parameters in the
> wrapper against a file that triggers the problem.  I would then take a look
> at the ProcessEsetsOutput function and see if the regex in there makes sense
> for the output.
> 
> On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <
> nerijus at users.sourceforge.net> wrote:
> 
> > Hello,
> >
> > I use the latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally
> > it "detects" viruses in harmless files. For example:
> >
> > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages, 4623339 bytes
> > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning: Starting
> > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17 infections
> > Oct 11 11:55:26 mail MailScanner[3063]: Infected message 9231B2A14054.A15A2 came from 192.168.x.x
> > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses
> >
> > While a real virus output looks like this:
> > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages, 2104 bytes
> > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning: Starting
> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3 infections
> > Oct 11 01:39:49 mail MailScanner[4184]: Infected message EF7F72A14053.A770C came from 5.2.x.x
> > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses
> >
> > How do I debug this?
> >
> > Regards,
> > Nerijus
> >
> >
> > --
> > MailScanner mailing list
> > mailscanner at lists.mailscanner.info
> > http://lists.mailscanner.info/mailman/listinfo/mailscanner
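
An added example, not written by either poster and not MailScanner code: a Python log check that separates the two syslog patterns quoted in this thread, flagging messages whose `Esets::INFECTED::` hits carry no threat name. The function and field names are hypothetical, and it assumes one message per batch, as in both quoted batches, so hits logged by a PID belong to the next "Infected message" line from that PID.

```python
import re
from collections import defaultdict

# Syslog lines copied from the two batches quoted in this thread (mail-wrapped
# lines rejoined; the 17 identical unnamed hits are cut to 3 for brevity).
SAMPLE_LOG = """\
Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
Oct 11 11:55:26 mail MailScanner[3063]: Infected message 9231B2A14054.A15A2 came from 192.168.x.x
Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
Oct 11 01:39:49 mail MailScanner[4184]: Infected message EF7F72A14053.A770C came from 5.2.x.x
"""

HIT = re.compile(r"MailScanner\[(\d+)\]: Esets::INFECTED::(.*)$")
MSG = re.compile(r"MailScanner\[(\d+)\]: Infected message (\S+) came from")

def triage(log_text):
    """Map each infected message ID to its hit counts and a 'suspect' flag."""
    # Assumption: one message per batch, so every hit a PID logs before its
    # "Infected message" line is attributed to that message.
    pending = defaultdict(list)  # PID -> threat names logged since last message
    report = {}
    for line in log_text.splitlines():
        hit = HIT.search(line)
        if hit:
            pending[hit.group(1)].append(hit.group(2).strip())
            continue
        msg = MSG.search(line)
        if msg:
            pid, msg_id = msg.groups()
            names = pending.pop(pid, [])
            unnamed = sum(1 for n in names if not n)
            report[msg_id] = {
                "hits": len(names),
                "unnamed": unnamed,
                "names": sorted({n for n in names if n}),
                # A hit without a threat name matches the false-positive
                # pattern in this thread: check output parsing first.
                "suspect": unnamed > 0,
            }
    return report

if __name__ == "__main__":
    for msg_id, info in triage(SAMPLE_LOG).items():
        print(msg_id, info)
```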


