Mailscanner passing a virus

Antony Stone Antony.Stone at mailscanner.open.source.it
Thu Dec 19 21:44:53 UTC 2019


On Thursday 19 December 2019 at 22:35:00, William D. Colburn wrote:

> On Thu, Dec 19, 2019 at 10:18:24PM +0100, Antony Stone wrote:
> >Did the same thing appear for the initial delivery to the "user"?
> 
> We have three border mailscanners, and only my mailscanner is detecting
> the virus.  The original came through one of the others and passed into
> exchange.  It looks like the virus definition came shortly after it
> arrived.  So, the answer is no.

So, that sounds like the virus arrived with your user before Sophos had 
updated their scanner detection library for it.

By the time you tested, they *had* updated their library.

> >Presumably this *does* happen when you send something such as EICAR into
> >the same address?
> 
> I haven't tried an EICAR, but we get lots of viruses, and I see lots of
> {VIRUS?} tags in the procmail logs for the server, and I verified that a
> mail seen as a virus in the maillogs was tagged as a virus in the
> subject.  So that is working in general.

Okay, so, working in general, but not for this one...

> >Show us your MailScanner config file, and tell us how MailScanner is
> >connected in to your mail delivery system, as a start.
> 
> I'll attach the mailscanner.conf

I assume it's the same on all three servers.

I also expect that if you send the same email (with the same viral attachment) 
to the same user who originally received it, it'll now get detected and 
blocked.

If not, please post the headers of the email they do receive so we can see how 
MS processed it.


Antony,

-- 
Schrödinger's rule of data integrity: the condition of any backup is unknown 
until a restore is attempted.

                                                   Please reply to the list;
                                                         please *don't* CC me.

