esets false positive

Nerijus Baliunas nerijus at users.sourceforge.net
Fri Oct 12 12:31:43 UTC 2018


I got the file. Here is the output of a virus:

# /opt/eset/esets/sbin/esets_scan .
...
name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
...
# echo $?
1

Output of false positive:

# /opt/eset/esets/sbin/esets_scan .
...
name="./test.zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip » ZIP » ", threat="", action="", info="archive damaged"
...
# echo $?
10

The archives are OK (I can view/extract them), so it is most probably a bug in the esets scanner itself.
Empty threat (threat="") with info="archive damaged" should probably be allowed.

On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner <mailscanner at lists.mailscanner.info> wrote:

> That is most likely the esets wrapper and SweepViruses.pm function failing
> to parse the output of the virus scanner properly.
> 
> I would start there and run a manual scan based on the parameters in the
> wrapper against a file that triggers the problem.  I would then take a look
> at the ProcessEsetsOutput function and see if the regex in there makes sense
> for the output.
> 
> On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <
> nerijus at users.sourceforge.net> wrote:
> 
> > Hello,
> >
> > I use the latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally
> > it "detects" viruses in harmless files. For example:
> >
> > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages,
> > 4623339 bytes
> > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning:
> > Starting
> > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::
> > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17
> > infections
> > Oct 11 11:55:26 mail MailScanner[3063]: Infected message
> > 9231B2A14054.A15A2 came from 192.168.x.x
> > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses
> >
> > While a real virus output looks like this:
> > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages,
> > 2104 bytes
> > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning:
> > Starting
> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file
> > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3
> > infections
> > Oct 11 01:39:49 mail MailScanner[4184]: Infected message
> > EF7F72A14053.A770C came from 5.2.x.x
> > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses
> >
> > How do I debug this?
> >
> > Regards,
> > Nerijus
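As an added example that is not part of the thread and not MailScanner's own Perl code in SweepViruses.pm, the following Python parses the esets_scan result lines quoted above and counts only records with a non-empty threat field as detections, so the "archive damaged" records with threat="" are reported as scanner warnings rather than as 17 viruses. The sample lines are copied from the thread; everything else is assumed.

```python
import re
from typing import NamedTuple

# esets_scan result lines as quoted in the thread above: one real detection
# (EICAR) and three records from the false positive (threat="", archive damaged).
SAMPLE_OUTPUT = """\
name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""
name="./test.zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"
name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"
"""

# A result line is four quoted key="value" fields in a fixed order. The pattern
# is anchored at both ends and each value is matched non-greedily, so a value
# ends at the next field separator. A file name that itself contains a literal
# field separator such as '", threat="' is ambiguous in this format and would
# be mis-split; the format gives no escaping to resolve that.
LINE_RE = re.compile(
    r'^name="(?P<name>.*?)", threat="(?P<threat>.*?)", '
    r'action="(?P<action>.*?)", info="(?P<info>.*?)"$'
)


class ScanRecord(NamedTuple):
    name: str
    threat: str
    action: str
    info: str


def parse_esets_output(text: str) -> list:
    """Return one ScanRecord per result line; anything that is not a
    result line (progress output, the "..." elisions) is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(ScanRecord(**m.groupdict()))
    return records


def infections(records) -> list:
    """Only a non-empty threat name is a detection; this is what should
    drive the Esets::INFECTED:: log line and the infection count."""
    return [(r.name, r.threat) for r in records if r.threat]


def archive_warnings(records) -> list:
    """threat="" with a non-empty info (e.g. "archive damaged") is a
    scanner warning about the file, not a virus, and is listed separately."""
    return [(r.name, r.info) for r in records if not r.threat and r.info]


if __name__ == "__main__":
    recs = parse_esets_output(SAMPLE_OUTPUT)
    print("infections:", infections(recs))        # 1 record: ./eicar
    print("warnings:", archive_warnings(recs))    # 3 "archive damaged" records
```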
