Viruses getting through
Posted: 04 Dec 2015 15:16
by sbit111
Even though viruses are being caught by clamd and show as such in the messages log, they are still getting through and don't show as having a virus in the efa GUI. For example:
Sanesecurity.Malware.24819.MacroHeurGen.Hp.UNOFFICIAL FOUND
but the email went through. As a result we are getting lots of docs containing viruses. Has anyone got any idea what could be causing this?
Thanks.
Re: Viruses getting through
Posted: 05 Dec 2015 10:27
by shawniverson
What happens when you run a MailScanner Lint test?
Re: Viruses getting through
Posted: 05 Dec 2015 15:04
by sbit111
Hi, here's the output:
Trying to setlogsock(unix)
Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1000 hostnames from the phishing whitelist
Read 13178 hostnames from the phishing blacklists
Config: calling custom init function SQLBlacklist
Starting up SQL Blacklist
Read 6936 blacklist entries
Config: calling custom init function MailWatchLogging
Started SQL Logging child
Config: calling custom init function SQLWhitelist
Starting up SQL Whitelist
Read 9049 whitelist entries
Checking version numbers...
Version number in MailScanner.conf (4.84.6) is correct.
Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (89)
MailScanner setting UID to (89)
Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd"
Found these virus scanners installed: clamavmodule, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
If any of your virus scanners (clamavmodule,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function SQLBlacklist
Closing down by-domain spam blacklist
Config: calling custom end function MailWatchLogging
Config: calling custom end function SQLWhitelist
Closing down by-domain spam whitelist
Thank you for taking the time to look!
Re: Viruses getting through
Posted: 06 Dec 2015 14:12
by shawniverson
MailScanner lint is good.
What is your setting of "Deliver Cleaned Messages" in /etc/MailScanner/MailScanner.conf ?
Re: Viruses getting through
Posted: 07 Dec 2015 09:22
by sbit111
The value is:
No
Here's an excerpt of the messages log file showing the behaviour:
Dec 7 08:44:09 mail5 MailScanner[5263]: New Batch: Found 3 messages waiting
Dec 7 08:44:09 mail5 MailScanner[5263]: New Batch: Scanning 1 messages, 25069 bytes
Dec 7 08:44:09 mail5 MailScanner[5263]: Virus and Content Scanning: Starting
Dec 7 08:44:09 mail5 MailScanner[5263]: Clamd::INFECTED::Sanesecurity.Junk.49491.UNOFFICIAL :: ./41C0C1236E2.A8A1A/
Dec 7 08:44:09 mail5 MailScanner[5263]: Found spam-virus Sanesecurity.Junk.49491.UNOFFICIAL in 41C0C1236E2.A8A1A
Dec 7 08:44:09 mail5 MailScanner[5263]: Found spam-virus Sanesecurity.Junk.49491.UNOFFICIAL in 41C0C1236E2.A8A1A
Dec 7 08:44:09 mail5 MailScanner[5263]: <A> tag found in message 41C0C1236E2.A8A1A from cabrera_tom@denpoldesign.com
Dec 7 08:44:09 mail5 MailScanner[5263]: HTML Img tag found in message 41C0C1236E2.A8A1A from cabrera_tom@denpoldesign.com
Dec 7 08:44:09 mail5 MailScanner[5263]: Spam Checks: Starting
Dec 7 08:44:25 mail5 MailScanner[5263]: Requeue: 41C0C1236E2.A8A1A to 893931236E9
Dec 7 08:44:25 mail5 MailScanner[5263]: Uninfected: Delivered 1 messages
I have taken the entry "Sane*UNOFFICIAL" out of "Virus Names Which Are Spam" and EFA is now picking up emails with viruses (none were being flagged before). Is there any downside to this?
Thanks.
Re: Viruses getting through
Posted: 08 Dec 2015 22:59
by shawniverson
Well, that will treat all Sane signatures as a virus, even if it is not really a virus. So, not really a downside, as long as you know what it is doing.
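The mechanism behind this thread, as an added example that is not part of the original posts and not MailScanner's own code: a scanner hit whose signature name matches one of the wildcard patterns in "Virus Names Which Are Spam" is logged as "Found spam-virus" and follows the spam path, which is why a message can show "Clamd::INFECTED" and still end in "Requeue" and "Uninfected: Delivered". The script below approximates that pattern matching with shell-style globbing (an assumption about how MailScanner expands the patterns), then walks a constructed log excerpt (adapted from the lines posted above, plus one constructed message with a plain Eicar hit) to report which flagged messages were handed on for delivery, and shows how the same hits classify once "Sane*UNOFFICIAL" is removed from the list. Pattern list, message ids and function names are illustrative.

```python
"""Added example: why a Sanesecurity hit can be logged as INFECTED yet delivered.

The glob matching below is an approximation of how MailScanner applies the
"Virus Names Which Are Spam" patterns (assumption); it is not MailScanner code.
"""
import fnmatch
import re

# Constructed pattern list in the style of the MailScanner.conf setting.
DEFAULT_PATTERNS = ["Sane*UNOFFICIAL", "HTML/*", "*Phish*"]


def classify_signature(virus_name, patterns=DEFAULT_PATTERNS):
    """Return 'spam-virus' if the signature name matches any pattern, else 'virus'."""
    if any(fnmatch.fnmatchcase(virus_name, pat) for pat in patterns):
        return "spam-virus"
    return "virus"


# Log line shapes seen in the thread's excerpt.
_INFECTED = re.compile(r"Clamd::INFECTED::\s*(?P<sig>\S+) :: \./(?P<mid>[^/]+)/")
_SPAM_VIRUS = re.compile(r"Found spam-virus (?P<sig>\S+) in (?P<mid>\S+)")
_REQUEUE = re.compile(r"Requeue: (?P<mid>\S+) to (?P<newid>\S+)")


def spam_virus_deliveries(log_lines):
    """Map message id -> sorted signature names for messages that were flagged
    as spam-virus and then requeued, i.e. passed on despite the scanner hit."""
    flagged = {}
    delivered = {}
    for line in log_lines:
        m = _SPAM_VIRUS.search(line)
        if m:
            flagged.setdefault(m["mid"], set()).add(m["sig"])
            continue
        m = _REQUEUE.search(line)
        if m and m["mid"] in flagged:
            delivered[m["mid"]] = sorted(flagged[m["mid"]])
    return delivered


def reclassify(log_lines, patterns):
    """Map message id -> {signature: class} for every INFECTED line, using the
    given pattern list; shows what changing the setting would do."""
    result = {}
    for line in log_lines:
        m = _INFECTED.search(line)
        if m:
            result.setdefault(m["mid"], {})[m["sig"]] = classify_signature(m["sig"], patterns)
    return result


# Constructed sample: lines adapted from the posted excerpt plus one constructed
# message (B1B2C3D4E5F6.00001) carrying a non-Sanesecurity hit and no requeue.
SAMPLE_LOG = """\
Dec 7 08:44:09 mail5 MailScanner[5263]: Virus and Content Scanning: Starting
Dec 7 08:44:09 mail5 MailScanner[5263]: Clamd::INFECTED::Sanesecurity.Junk.49491.UNOFFICIAL :: ./41C0C1236E2.A8A1A/
Dec 7 08:44:09 mail5 MailScanner[5263]: Found spam-virus Sanesecurity.Junk.49491.UNOFFICIAL in 41C0C1236E2.A8A1A
Dec 7 08:44:09 mail5 MailScanner[5263]: Spam Checks: Starting
Dec 7 08:44:25 mail5 MailScanner[5263]: Requeue: 41C0C1236E2.A8A1A to 893931236E9
Dec 7 08:44:25 mail5 MailScanner[5263]: Uninfected: Delivered 1 messages
Dec 7 08:45:02 mail5 MailScanner[5263]: Clamd::INFECTED::Eicar-Test-Signature :: ./B1B2C3D4E5F6.00001/
Dec 7 08:45:02 mail5 MailScanner[5263]: Virus Scanning: Found 1 viruses
""".splitlines()


if __name__ == "__main__":
    print("Flagged as spam-virus but requeued for delivery:")
    for mid, sigs in spam_virus_deliveries(SAMPLE_LOG).items():
        print(f"  {mid}: {', '.join(sigs)}")
    print("Classification with the default pattern list:")
    print(" ", reclassify(SAMPLE_LOG, DEFAULT_PATTERNS))
    print("Classification with Sane*UNOFFICIAL removed:")
    print(" ", reclassify(SAMPLE_LOG, ["HTML/*", "*Phish*"]))
```

Running it against a live /var/log/maillog instead of SAMPLE_LOG gives a quick audit of how many scanner hits took the spam path before and after changing the pattern list; the trade-off the last reply describes is visible in the reclassify output, where every Sanesecurity signature, junk or malware alike, becomes a plain virus once the pattern is gone.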