Are you running clamd or clamscan?
If clamd, look in the clamd log. Or look at the options when calling
clamscan.

-----Original Message-----
From: McKeever Chris [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 05, 2003 3:27 PM
To: [EMAIL PROTECTED]; Jason Staudenmayer
Subject: RE: [Qmail-scanner-general]missing occasional virus - log results



On Fri, 5 Dec 2003 13:22 , Jason Staudenmayer <[EMAIL PROTECTED]> sent:

>Are these viruses in ZIP files?? If so, the zip may be password protected. If
>so, update your quar-attachments.db with the file name like so:
>Wendy.zip      0       Mimail.M
>Tabs not spaces, and this will block any file named wendy.zip; by the by, this
>is the new Mimail.M. Then run 'qmail-sscanner.pl -g'
>


No, these aren't zipped; the other copy of clamscan finds them (same version
0.65, same setup), they just slip right by... 2 per day is what it
seems like.

This is what the second clamscan finds on the next machine: Virus
Exploit.IFrame.Gen detected

Thanks for the response


>-----Original Message-----
>From: McKeever Chris [EMAIL PROTECTED]
>Sent: Friday, December 05, 2003 1:13 PM
>To: [EMAIL PROTECTED]; Jason Haar
>Subject: Re: [Qmail-scanner-general]missing occasional virus - log results
>
>
>LOG RESULTS below
>
>thanks for your help!
>
>
>On Thu, 04 Dec 2003 09:52 , Jason Haar <[EMAIL PROTECTED]> sent:
>
>>On Thu, 2003-12-04 at 04:03, McKeever Chris wrote:
>>> I am running qmail-scanner with clamav (0.65)
>>> I have one machine that acts as a gateway, and then sends it to the main
>>> email server.
>>> The gateway is the one with qmailscanner and clamav; the email server's
>>> post-MTA (@mail) has a plugin for clamav which scans the file before
>>> databasing it.
>>> 
>>> I have noticed since 11/4/03 that there are about 2-4 emails per day that
>>> get by the gateway and are picked up by the @mail-clamav scan.
>>> Any suggestions? They are typically Exploit.IFrame.Gen and 1
>>> W32/Yaha.g.dam
>>> 
>>
>>Are you running clamscan or clamdscan? (i.e. the daemon version). I bet
>>it's the latter.
>>
>>Do you have the qmail-queue.log debug file that contains evidence of
>>such a "missed" message? If not, turn it on and don't stop logging until
>>you catch another such occurrence. Then you can search that file looking
>>for the particular message that "slipped through". At that stage you may
>>see why it failed. I'd suspect a bug whereby clamd failed to scan the
>>message for some transitory reason, but still exited with a zero error
>>status - so Qmail-Scanner can only assume it's OK and carried on.
>>
>>Let us know what you find.
>>
>
>Here is the log of the missed virus; clamscan seems to be returning
>nothing. Any ideas?
>
>
>Fri, 05 Dec 2003 05:25:51 -0600:4197: from="Net Delivery Service"
>[EMAIL PROTECTED]>,subj=Letter, x-qmail-scanner-message-
>[EMAIL PROTECTED]> (added by [EMAIL PROTECTED]) via
>SMTP from 212.216.176.223
>Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: start scanning
>Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: recursively scan the directory
>/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197/
>Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: starting scan of directory
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop:
>scanner=clamscan_scanner,plain_text_msg=0
>Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: starting scan of directory
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: run /usr/local/bin/clamscan -r
>--disable-summary --max-recursion=10 --max-space=1000000
>/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197 2>&1
>Fri, 05 Dec 2003 05:25:51 -0600:4197: --output of clamscan was:
>--
>Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: finished scan of dir
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197" in 
>0.707525 secs
>Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: finished scan of
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: starting scan of directory
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.chm' = '0' = 'CHM files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.exe' = '0' = 'EXE files need
>to be zipped for delivery'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.hlp' = '0' = 'HLP files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.hta' = '0' = 'HTA files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.lnk' = '0' = 'LNK files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.mp3' = '0' = 'MP3 files need
>to be zipped for delivery'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.mpg' = '0' = 'MPG files need
>to be zipped for delivery'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.pif' = '0' = 'PIF files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.reg' = '0' = 'REG files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.scr' = '0' = 'SCR files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.shs' = '0' = 'SHS files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.vbe' = '0' = 'VBE files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.vbs' = '0' = 'VBS files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.wsf' = '0' = 'WSF files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.wsh' = '0' = 'WSH files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '.xla' = '0' = 'XLA files not
>allowed per Company security policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '81:ILOVEYOU' = 'Virus-subject'
>= 'Love Letter Virus/Trojan'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>subject: ILOVEYOU
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '82:message/partial' =
>'Virus-content-type' = 'Message/partial MIME attachments blocked by 
>policy'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>content-type: message/partial
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '83:[EMAIL PROTECTED]' =
>'Virus-MAILFROM' = 'unknown user - mail has been deferred'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>MAILFROM: [EMAIL PROTECTED]
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '86:.{100,}' = 'Virus-date' =
>'MIME Header Buffer Overflow'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>date: .{100,}
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '87:.{100,}' =
>'Virus-mime-version' = 'MIME Header Buffer Overflow '
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>mime-version: .{100,}
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  '88:.{100,}' =
>'Virus-resent-date' = 'MIME Header Buffer Overflow'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>resent-date: .{100,}
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:
>'91:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED].com|[EMAIL PROTECTED]|[EMAIL PROTECTED]port.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|S_Mentis@mail-x-change.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|OZUNYLRL@excite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  type is a header!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  checking for objects containing
>to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]change.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|OZUNYLRL@excite.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]net|[EMAIL PROTECTED]
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  'eicar.com' = '69' = 'EICAR Test
>Virus'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  'happy99.exe' = '10000' =
>'Happy99 Trojan'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  'zipped_files.exe' = '120495' =
>'W32/ExploreZip.worm.pak virus'
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: skipping auto-generated file
>1070623553.4199-0.prupref-mailgate
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking hranc.bat against
>perlscanner database...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to
>hranc.bat and has extension .bat
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare hranc.bat (size
>106496,239549) against perlscanner database
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking dd89999fbfa39541 against
>perlscanner database...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file dd89999fbfa39541 is
>lowercased to dd89999fbfa39541 and has extension
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare dd89999fbfa39541 (size
>4096,303407) against perlscanner database
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking hranc.bat against
>perlscanner database...
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to
>hranc.bat and has extension .bat
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare hranc.bat (size
>106496,239549) against perlscanner database
>Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s:  finished scan of dir
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197" in 
>0.015334 secs
>Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: scanning message took 0.724035
>seconds
>Fri, 05 Dec 2003 05:25:51 -0600:4197: q_r: fork off child into
>/var/qmail/bin/qmail-queue-bin...
>Fri, 05 Dec 2003 05:25:51 -0600:4203: q_r: xstatus=0
>Fri, 05 Dec 2003 05:25:51 -0600:4197: cleanup: /bin/rm -rf
>/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197/
>/var/spool/qmailscan/working/new/prupref-mailgate10706235514614197
>05/12/2003 05:25:54:4197: all finished. Total of 2.198306 secs
>Fri, 05 Dec 2003 05:25:55 -0600:4208: +++ starting debugging for process
>4208 by uid=502 at Fri, 05 Dec 2003 05:25:55 -0600
>Fri, 05 Dec 2003 05:25:55 -0600:4208: setting UID to EUID so subprocesses
>can access files generated by this script
>Fri, 05 Dec 2003 05:25:55 -0600:4208: program name is qmail-queue, version
>1.20
>Fri, 05 Dec 2003 05:25:55 -0600:4208: incoming SMTP connection from via SMTP
>from 66.28.114.190
>Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: mkdir
>/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208
>Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: start dumping incoming msg into
>/var/spool/qmailscan/working/tmp/prupref-mailgate10706235554614208 [1070623555.64228]
>Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: primary Content-Type of
>text/plain found
>Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: rename new msg from
>/var/spool/qmailscan/working/tmp/prupref-mailgate10706235554614208 
>to /var/spool/qmailscan/working/new/prupref-mailgate10706235554614208
>[1070623555.64666]
>Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: starting /usr/local/bin/reformime
>-x/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/
>
>[1070623555.64737]
>Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: finished /usr/local/bin/reformime
>-x/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/ [1070623555.66339]
>Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: Checking all attachments to see
>if they're MS-TNEF
>Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: is
>/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/1070623555.4210-0.prupref-mailgate is a TNEF file?: 256 [1070623555.66951]
>Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: unpacking message took 0.022649
>seconds
>Fri, 05 Dec 2003 05:25:55 -0600:4208: unsetting QMAILQUEUE env var
>
>
>Then notice that the second scanner found it: you can see the
>notification message come back through the gateway (these are all the
>same log files)
>
>Fri, 05 Dec 2003 05:25:55 -0600:4208:
>[EMAIL PROTECTED]>,subj=Virus Exploit.IFrame.Gen detected in
>mail, x-qmail-scanner-
>[EMAIL PROTECTED]> via SMTP from
>66.28.114.190
>Fri, 05 Dec 2003 05:25:55 -0600:4208: This is a PLAIN text message (because
>it's either not mime, or is text/plain), skip virus scanners - but 
>not SA
>Fri, 05 Dec 2003 05:25:55 -0600:4208: ini_sc: start scanning
>Fri, 05 Dec 2003 05:25:55 -0600:4208: ini_sc: recursively scan the directory
>/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/
>Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: starting scan of directory
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208"...
>Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop:
>scanner=clamscan_scanner,plain_text_msg=1
>Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: finished scan of
>"/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208"...
>
>
>
>
-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use
cgmckeever--at--prupref---dot---com
http://www.prupref.com




---- Prudential Preferred Properties   www.prupref.com  


_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
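As an added example (not code from this thread or from Qmail-Scanner itself), here is a small Python parser that does the search Jason Haar suggests over a qmail-queue.log debug file: it picks out MIME messages that were handed to clamscan but for which the log recorded no scanner output at all, the symptom visible in the quoted log, while leaving text/plain messages alone, since those skip the virus scanners by design. The sample log lines are constructed to match the format quoted above; PIDs, addresses and paths are invented.

```python
import re
from collections import defaultdict

# Constructed sample in the qmail-queue.log debug format quoted in the thread
# (PIDs, addresses, paths invented). 4197: MIME, handed to clamscan, no output.
# 4208: text/plain, scanners skipped. 4220: MIME, scanned normally.
SAMPLE_LOG = """\
Fri, 05 Dec 2003 05:25:51 -0600:4197: from="Net Delivery Service" <a@example.invalid>,subj=Letter via SMTP from 192.0.2.10
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Fri, 05 Dec 2003 05:25:51 -0600:4197: --output of clamscan was:
--
Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: finished scan of dir "/var/spool/qmailscan/tmp/gw4197" in 0.707525 secs
Fri, 05 Dec 2003 05:25:55 -0600:4208: from="postmaster" <p@example.invalid>,subj=Virus detected in mail via SMTP from 192.0.2.20
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: scanner=clamscan_scanner,plain_text_msg=1
Fri, 05 Dec 2003 05:25:57 -0600:4220: from="Someone" <s@example.invalid>,subj=Report via SMTP from 192.0.2.30
Fri, 05 Dec 2003 05:25:57 -0600:4220: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Fri, 05 Dec 2003 05:25:57 -0600:4220: --output of clamscan was:
/var/spool/qmailscan/tmp/gw4220/report.doc: OK
--
"""

# "<weekday>, <date> <time> <tz>:<pid>: <message>"; the tz offset ends the timestamp.
LINE_RE = re.compile(r"^(?P<ts>.+? [+-]\d{4}):(?P<pid>\d+): (?P<msg>.*)$")


def find_unscanned(log_text):
    """Map pid -> record for MIME messages handed to clamscan whose logged
    scanner output is empty; text/plain messages never reach the scanner."""
    msgs = defaultdict(lambda: {"from": "", "plain": None, "output": None})
    lines, i = log_text.splitlines(), 0
    while i < len(lines):
        m = LINE_RE.match(lines[i])
        i += 1
        if not m:
            continue
        rec, msg = msgs[m.group("pid")], m.group("msg")
        if msg.startswith("from="):
            rec["from"] = msg
        elif "plain_text_msg=" in msg:
            rec["plain"] = msg.endswith("plain_text_msg=1")
        elif msg == "--output of clamscan was:":
            # raw scanner output follows with no timestamp prefix, up to a lone "--"
            out = []
            while i < len(lines) and lines[i] != "--":
                out.append(lines[i])
                i += 1
            i += 1  # skip the closing "--"
            rec["output"] = out
    return {p: r for p, r in msgs.items() if r["plain"] is False and r["output"] == []}
```

Every pid it returns is a message Qmail-Scanner accepted on an empty scanner verdict, which is exactly the case to pull from the spool directory and rescan by hand.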