Seeking guidance.  My MTA is running Mailscanner 4.65.3 (with sendmail) and
ClamAV v0.91.2.  The ClamAV was updated yesterday because I was a
dot-release behind.  Before upgrading clamav, clamd, and clamav-db the
solution had been running rock-solid for over a year, but since upgrading
during the holiday, I have discovered that my logwatch report gets marked as
a virus (all other MTA activity seems to be working as expected).  

When the output from the /etc/cron.daily/0logwatch job is emailed to me, I get
the following message (the only thing I've changed is that the name "company"
has been put in place of the real domain):

The following e-mails were found to have: Virus Detected

    Sender: [EMAIL PROTECTED] IP Address: 127.0.0.1
 Recipient: [EMAIL PROTECTED]
   Subject: Logwatch for mail2.company.com (Linux)
 MessageID: lANHFDnR007319
Quarantine: 
    Report: ClamAVModule:  message was infected: Email.Phishing.RB-2041

Full headers are:

 Return-Path: <g>
 Received: from mail2.company.com (localhost.localdomain [127.0.0.1])
        by mail2.company.com (8.13.1/8.13.1) with ESMTP id lANHFDnR007319
        for <[EMAIL PROTECTED]>; Fri, 23 Nov 2007 10:15:13 -0700
 Full-Name: root
 Received: (from [EMAIL PROTECTED])
        by mail2.company.com (8.13.1/8.13.1/Submit) id lANHE6jd006772;
        Fri, 23 Nov 2007 10:14:06 -0700
 Date: Fri, 23 Nov 2007 10:14:06 -0700
 Message-Id: <[EMAIL PROTECTED]>
 To: [EMAIL PROTECTED]
 From: [EMAIL PROTECTED]
 Subject: Logwatch for mail2.company.com (Linux)
 MIME-Version: 1.0
 Content-Transfer-Encoding: 7bit
 Content-Type: text/plain; charset="iso-8859-1"


I've been banging my head on this one and I cannot seem to put a finger on
what changed to cause the logwatch report to get marked as a virus.  Output
from other scheduled jobs is being successfully delivered to root and is not
being marked as a virus.  For some reason, something in the logwatch output
seems to be matching a signature within RB-2041.  This is the point at which
I get stuck :-(

Any help in pointing me in the direction where I can do a better job to
troubleshoot this is most welcome.  

Right now my brain is stuck in a re-boot cycle.

-B

-- 
View this message in context: 
http://www.nabble.com/false-positive---logwatch-report-marked-as-virus-RB-2041-tf4863262.html#a13917052
Sent from the clamav-users mailing list archive at Nabble.com.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

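The step the poster is stuck on is finding out which part of the logwatch output the signature matches. The script below is an added example, not code from the post, from ClamAV or from MailScanner: it bisects the body of a saved copy of the flagged message, re-scanning each half with the original header block kept in front (assumed here to be enough for ClamAV to keep treating the candidate as mail), until it has the smallest run of lines that still triggers the scanner. It assumes clamscan's documented exit status of 1 for "infected" and exposes the scanner command and that status as SCANNER and INFECTED_RC so another scanner, or a stand-in like grep, can be substituted; the sample messages in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the post): bisect a text message to find the
# smallest body excerpt a scanner still flags. Defaults assume clamscan,
# which exits 1 when it finds a match; override SCANNER/INFECTED_RC to
# drive another scanner (e.g. SCANNER="grep -q pattern" INFECTED_RC=0).
SCANNER="${SCANNER:-clamscan --no-summary --quiet}"
INFECTED_RC="${INFECTED_RC:-1}"

# flagged FILE: true when the scanner reports FILE as infected
flagged() {
    if $SCANNER "$1" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    [ "$rc" -eq "$INFECTED_RC" ]
}

# find_trigger MESSAGE: prints the smallest run of body lines that, with the
# original header block kept in front of it, still triggers the scanner.
# The header block is kept so that each candidate still looks like a mail
# message to the scanner (assumption: plain RFC 822 headers are enough).
find_trigger() {
    msg="$1"
    hdr=$(mktemp); body=$(mktemp); top=$(mktemp); bot=$(mktemp); cand=$(mktemp)
    sed '/^$/q' "$msg" > "$hdr"      # headers up to and including the blank line
    sed '1,/^$/d' "$msg" > "$body"   # everything after it
    if ! flagged "$msg"; then
        echo "find_trigger: $msg is not flagged by: $SCANNER" >&2
        rm -f "$hdr" "$body" "$top" "$bot" "$cand"
        return 1
    fi
    while :; do
        n=$(wc -l < "$body" | tr -d ' ')
        if [ "$n" -le 1 ]; then break; fi
        half=$((n / 2))
        head -n "$half" "$body" > "$top"
        tail -n "+$((half + 1))" "$body" > "$bot"
        cat "$hdr" "$top" > "$cand"
        if flagged "$cand"; then cp "$top" "$body"; continue; fi
        cat "$hdr" "$bot" > "$cand"
        if flagged "$cand"; then cp "$bot" "$body"; continue; fi
        break   # neither half matches on its own: the match spans the split point
    done
    cat "$body"
    rm -f "$hdr" "$body" "$top" "$bot" "$cand"
}

# Usage: sh bisect_fp.sh /path/to/saved/logwatch-message.eml
if [ -n "${1:-}" ]; then find_trigger "$1"; fi
```

Run it against a saved copy of the flagged message (the report above shows an empty Quarantine field, so the copy has to be captured some other way, for example by saving the logwatch mail before MailScanner sees it). When bisection stops at more than one line, the signature is matching across the split point, and the printed chunk is the context to inspect; once the offending lines are known, they are what goes into a false-positive report to the ClamAV team. Current sigtool also has --find-sigs and --decode-sigs to dump a named signature's body; whether the 0.91-era sigtool in the post supports both I have not checked.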