Update.  The logwatch report contains a whole section of MailScanner
information.  Within the MailScanner section, there is a "Phishing report". 
It seems that the items produced within the Phishing report are matching
signatures within RB-2041.  As a workaround, I can either delete the
Phishing report or configure MailScanner to not produce this level of
logging.  My preference is to keep the Phishing report and configure ClamAV
to allow this item to be "whitelisted" or something similar.  

If anybody has some suggestions for me, I would be most grateful.  



b7753361 wrote:
> 
> Seeking guidance.  My MTA is running Mailscanner 4.65.3 (with sendmail)
> and ClamAV v0.91.2.  The ClamAV was updated yesterday because I was a
> dot-release behind.  Before upgrading clamav, clamd, and clamav-db the
> solution had been running rock-solid for over a year, but since upgrading
> during the holiday, I have discovered that my logwatch report gets marked
> as a virus (all other MTA activity seems to be working as expected).  
> 
> When the output from /etc/cron.daily/0logwatch job is emailed to me, I get
> the following message (the only item I've changed is the name "company"
> was put in place of the real domain);
> 
> The following e-mails were found to have: Virus Detected
> 
>     Sender: [EMAIL PROTECTED] IP Address: 127.0.0.1
>  Recipient: [EMAIL PROTECTED]
>    Subject: Logwatch for mail2.company.com (Linux)
>  MessageID: lANHFDnR007319
> Quarantine: 
>     Report: ClamAVModule:  message was infected: Email.Phishing.RB-2041
> 
> Full headers are:
> 
>  Return-Path: <g>
>  Received: from mail2.company.com (localhost.localdomain [127.0.0.1])
>       by mail2.company.com (8.13.1/8.13.1) with ESMTP id lANHFDnR007319
>       for <[EMAIL PROTECTED]>; Fri, 23 Nov 2007 10:15:13 -0700
>  Full-Name: root
>  Received: (from [EMAIL PROTECTED])
>       by mail2.company.com (8.13.1/8.13.1/Submit) id lANHE6jd006772;
>       Fri, 23 Nov 2007 10:14:06 -0700
>  Date: Fri, 23 Nov 2007 10:14:06 -0700
>  Message-Id: <[EMAIL PROTECTED]>
>  To: [EMAIL PROTECTED]
>  From: [EMAIL PROTECTED]
>  Subject: Logwatch for mail2.company.com (Linux)
>  MIME-Version: 1.0
>  Content-Transfer-Encoding: 7bit
>  Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> I've been banging my head on this one and I cannot seem to put a finger on
> what changed to cause the logwatch report to get marked as a virus. 
> Output from other scheduled jobs are producing output which is
> successfully being delivered to root and not being marked as a virus.  For
> some reason, something in the logwatch output seems to be matching a
> signiature within RB-2041.  This is the point at which I get stuck :-(
> 
> Any help in pointing me in the direction where I can do a better job to
> troubleshoot this is most welcome.  
> 
> Right now my brain is stuck in a re-boot cycle.
> 
> -B
> 
> 

-- 
View this message in context: 
http://www.nabble.com/false-positive---logwatch-report-marked-as-virus-RB-2041-tf4863262.html#a13937664
Sent from the clamav-users mailing list archive at Nabble.com.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
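A way to narrow this down, as an added example (not code from the original
post, from MailScanner, or from ClamAV): instead of guessing which part of the
logwatch report trips Email.Phishing.RB-2041, bisect the message until only the
shortest run of lines that still scans as infected is left. The script below
does that with a pluggable "verdict" callback. clamscan_verdict runs a local
clamscan on stdin (assumes clamscan is on PATH; exit status 1 means infected and
the signature name is taken from the "... FOUND" line). The sample message and
the fake signature Test.Phishing.Constructed used in the self-test are made up
here so the script runs without a ClamAV install; to use it on the real report,
pass the quarantined message's lines with clamscan_verdict instead of
fake_verdict.

```python
"""Find the smallest run of lines in a message that still triggers a scanner
verdict, then produce the ClamAV whitelist entry for that signature.

Added example for the clamav-users thread above; not code from the original
post, MailScanner, or ClamAV.  clamscan_verdict assumes a local clamscan on
PATH; SAMPLE_MESSAGE and FAKE_SIG are constructed for the self-test.
"""
import re
import subprocess
from typing import Callable, List, Optional, Tuple

# A verdict callback takes message bytes and returns the signature name or None.
Verdict = Callable[[bytes], Optional[str]]


def clamscan_verdict(data: bytes) -> Optional[str]:
    """Scan data with the real clamscan ('-' reads from stdin).

    Exit status 1 means infected; the matched name is printed as '<src>: <Name> FOUND'.
    Status 0 (clean) and 2 (error) are both reported as no match.
    """
    proc = subprocess.run(
        ["clamscan", "--no-summary", "--stdout", "-"],
        input=data, capture_output=True, check=False,
    )
    if proc.returncode != 1:
        return None
    m = re.search(rb":\s*(\S+)\s+FOUND", proc.stdout)
    return m.group(1).decode() if m else "UNKNOWN"


def minimal_trigger(lines: List[bytes], verdict: Verdict) -> Optional[Tuple[int, int, str]]:
    """Return (start, end, signature) for the shortest window lines[start:end]
    that still triggers verdict, or None if the whole message scans clean.

    Assumes monotonicity: if a window matches, any superset of it also matches.
    That holds for plain body patterns like the one suspected in this thread;
    signatures keyed on message structure may not bisect cleanly.
    """
    def scan(seg: List[bytes]) -> bool:
        return verdict(b"".join(seg)) is not None

    sig = verdict(b"".join(lines))
    if sig is None:
        return None
    # Shortest prefix that still matches: binary search on the end index.
    lo, hi = 1, len(lines)
    while lo < hi:
        mid = (lo + hi) // 2
        if scan(lines[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    # Latest start inside that prefix that still matches: binary search on the start index.
    lo, hi = 0, end - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if scan(lines[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end, sig


def ign2_entry(sig: str) -> str:
    """One line for a local.ign2 whitelist file: just the signature name."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", sig):
        raise ValueError(f"not a plausible ClamAV signature name: {sig!r}")
    return sig + "\n"


# Constructed stand-in for a logwatch report with a MailScanner section.
SAMPLE_MESSAGE = b"""\
Logwatch for mail2.example.com (Linux)

 --------------------- MailScanner Begin ------------------------
 Messages scanned: 1234
 Phishing report:
   http://secure-update.example.net/ -> confirm your account (2 times)
 Viruses detected: 3
 --------------------- MailScanner End -------------------------
"""

# Constructed fake signature: a two-line pattern, to show multi-line windows work.
FAKE_SIG = ("Test.Phishing.Constructed",
            re.compile(rb"phishing report:\n[^\n]*confirm your account", re.IGNORECASE))


def fake_verdict(data: bytes) -> Optional[str]:
    """Offline substitute for clamscan_verdict using FAKE_SIG."""
    name, pattern = FAKE_SIG
    return name if pattern.search(data) else None


def demo() -> Optional[Tuple[int, int, str]]:
    return minimal_trigger(SAMPLE_MESSAGE.splitlines(keepends=True), fake_verdict)


if __name__ == "__main__":
    found = demo()
    if found:
        start, end, sig = found
        lines = SAMPLE_MESSAGE.splitlines(keepends=True)
        print(f"{sig} is triggered by lines {start + 1}-{end}:")
        print(b"".join(lines[start:end]).decode(), end="")
        print("local.ign2 entry:", ign2_entry(sig), end="")
```

On the sample this reports lines 5-6, the "Phishing report:" header and the URL
line under it, which is the kind of answer that tells you whether to trim that
section of the report or to whitelist the signature. For the whitelist, ClamAV
releases that support .ign2 files take a file such as local.ign2 in the
database directory with one signature name per line, as ign2_entry produces;
the older .ign format also needs the database name and line number in front of
the name, so check which your release accepts before relying on it.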
