[Mimedefang] CLAMAV issues - Plexus.B flagged incorrectly?

Paul Murphy pmurphy at ionixpharma.com
Thu Jul 1 05:42:50 EDT 2004


Hi,

Today we received a copy of Worm.Plexus.B in an e-mail, which was picked up by
Panda's desktop scanner in Outlook on a client machine.  Alarmed that this had
passed through MIMEDefang and also Panda's Exchange module, we investigated
further.

MIMEDefang had classified the message as clean, with a SPAM score of 5.06, and
had passed it through.  Clamav had however scanned the message and found the
virus, as shown by the entries in the Clamav log file:

Thu Jul  1 03:11:15 2004 -> /var/spool/MIMEDefang/mdefang-i612BEuP025346/Work/INPUTMSG: Worm.Plexus.B FOUND

Concerned that something wasn't right, I changed my filter to debug the virus
scan code, and fired off a copy of the virus from my home system.  The filter
logging is in filter(), using:

# Debug logging added to filter(): log the message-wide $FoundVirus flag for
# this part, then re-scan the part itself and log what entity_contains_virus()
# reports for it alongside $VirusName
md_syslog('debug', "Filter: $fname,$ext,$type, Virus=$FoundVirus");
if ($FoundVirus) {
        my($code, $category, $action);
        $VirusScannerMessages = "";
        ($code, $category, $action) = entity_contains_virus($entity);
        md_syslog('debug', "Virus: $code, $category, $action,$VirusName");
}

The results are worrying:

Jul  1 10:21:32 adelie sm-mta[32342]: i619LRiB032342: from=<root at gate.ousekjarr.org>, size=135509, class=0, nrcpts=1, msgid=<E1BfYVq-0002gq-2j.2004-06-30-07-24-06 at tmailb1.svr.pol.co.uk>, proto=ESMTP, daemon=MTA, relay=ousekjar.gotadsl.co.uk [62.3.237.151]
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Filter: ,,text/plain, Virus=1
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Virus: 0, ok, ok,Worm.Plexus.B
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Filter: ,,text/html, Virus=1
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Virus: 0, ok, ok,Worm.Plexus.B
Jul  1 10:21:45 adelie mimedefang.pl[32288]: MDLOG,i619LRiB032342,mail_in,8.572,62.3.237.151,<root at gate.ousekjarr.org>,<pmurphy at ionixpharma.com>,Hi, my darling :)
Jul  1 10:21:45 adelie mimedefang.pl[32288]: MDLOG,i619LRiB032342,poss.spam,8.572,62.3.237.151,<root at gate.ousekjarr.org>,<pmurphy at ionixpharma.com>,Hi, my darling :)
Jul  1 10:21:45 adelie sm-mta[32348]: i619LRiB032342: to=<pmurphy at ionixpharma.com>, delay=00:00:18, xdelay=00:00:00, mailer=smtp, pri=255509, relay=[10.10.10.2] [10.10.10.2], dsn=2.0.0, stat=Sent (<E1BfYVq-0002gq-2j.2004-06-30-07-24-06 at tmailb1.svr.pol.co.uk> Queued mail for delivery)

As you can see, $FoundVirus is set and $VirusName is also set correctly, but
entity_contains_virus() (and thus entity_contains_virus_clamd) is returning a
code of 0 and a category of "ok".

This is running on Debian/Testing, MIMEDefang 2.41, Clamav 0.72.

Any idea what the problem is here?

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788
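An added example (not code from the original post, nor from MIMEDefang) of the cross-check an incident like the one above calls for: run over the mail server's syslog, it reports every queue ID for which the filter's debug output named a virus but sendmail still logged stat=Sent. The log below is constructed to mirror the post's excerpt (hosts, addresses and all but the first queue ID are made up). Two assumptions: the "Virus:" lines follow the poster's own md_syslog('debug', ...) format rather than any standard MIMEDefang log line, and, since those lines carry no queue ID, they are tied to a message through the mimedefang.pl PID that wrote them, on the assumption that each slave handles one message at a time until it emits that message's MDLOG line.

```python
"""Cross-check MIMEDefang/sendmail syslog lines: report messages for which a
virus scanner logged a detection but the MTA still logged stat=Sent.

Added example, not code from the original post or from MIMEDefang."""
import re
from collections import defaultdict

# Constructed sample log modelled on the syslog excerpt in the post (hosts,
# addresses and most queue IDs are made up). The "Filter:"/"Virus:" lines
# are the poster's own md_syslog('debug', ...) output, so their format is an
# assumption; they carry no queue ID and can only be tied to a message via
# the mimedefang.pl PID that wrote them, assuming each slave handles one
# message at a time until it emits the MDLOG line for that message.
SAMPLE_LOG = """\
Jul  1 10:21:32 adelie sm-mta[32342]: i619LRiB032342: from=<root@gate.example.org>, size=135509, class=0, nrcpts=1, msgid=<a1@example.net>, proto=ESMTP, daemon=MTA, relay=mx.example.net [192.0.2.10]
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Filter: ,,text/plain, Virus=1
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Virus: 0, ok, ok,Worm.Plexus.B
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Filter: ,,text/html, Virus=1
Jul  1 10:21:32 adelie mimedefang.pl[32288]: Virus: 0, ok, ok,Worm.Plexus.B
Jul  1 10:21:45 adelie mimedefang.pl[32288]: MDLOG,i619LRiB032342,mail_in,8.572,192.0.2.10,<root@gate.example.org>,<user@example.com>,Hi
Jul  1 10:21:45 adelie sm-mta[32348]: i619LRiB032342: to=<user@example.com>, delay=00:00:18, xdelay=00:00:00, mailer=smtp, pri=255509, relay=[10.10.10.2] [10.10.10.2], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Jul  1 10:30:01 adelie sm-mta[32401]: i619U1xx032401: from=<bob@example.net>, size=2048, class=0, nrcpts=1, msgid=<b2@example.net>, proto=ESMTP, daemon=MTA, relay=mail.example.net [198.51.100.7]
Jul  1 10:30:01 adelie mimedefang.pl[32289]: Filter: ,,text/plain, Virus=0
Jul  1 10:30:02 adelie mimedefang.pl[32289]: MDLOG,i619U1xx032401,mail_in,0.512,198.51.100.7,<bob@example.net>,<user@example.com>,Lunch
Jul  1 10:30:02 adelie sm-mta[32405]: i619U1xx032401: to=<user@example.com>, delay=00:00:01, xdelay=00:00:00, mailer=smtp, pri=32048, relay=[10.10.10.2] [10.10.10.2], dsn=2.0.0, stat=Sent (Queued mail for delivery)
Jul  1 10:41:10 adelie sm-mta[32510]: i619f9yy032510: from=<eve@example.net>, size=90210, class=0, nrcpts=1, msgid=<c3@example.net>, proto=ESMTP, daemon=MTA, relay=bad.example.net [203.0.113.5]
Jul  1 10:41:10 adelie mimedefang.pl[32289]: Filter: ,,text/plain, Virus=1
Jul  1 10:41:10 adelie mimedefang.pl[32289]: Virus: 1, virus, discard,Worm.Plexus.B
Jul  1 10:41:11 adelie mimedefang.pl[32289]: MDLOG,i619f9yy032510,virus,Worm.Plexus.B,203.0.113.5,<eve@example.net>,<user@example.com>,Hi
"""

# Generic syslog prefix: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[\w.\-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Poster's debug line: "Virus: $code, $category, $action,$VirusName"
VIRUS_RE = re.compile(r'^Virus: (?P<code>-?\d+), (?P<category>[^,]*), '
                      r'(?P<action>[^,]*),(?P<name>.*)$')
# md_graphdefang_log() output: MDLOG,<queue id>,<event>,...
MDLOG_RE = re.compile(r'^MDLOG,(?P<qid>[^,]+),(?P<event>[^,]+),')
# sendmail delivery record for one recipient
SENT_RE = re.compile(r'^(?P<qid>\w+): to=(?P<to>\S+),.*\bstat=Sent')


def find_delivered_detections(log_text):
    """Return {queue_id: {'virus': name, 'recipients': [...]}} for every
    message that a scanner named as infected and sendmail then delivered."""
    pending = {}                   # (host, mimedefang pid) -> virus name
    flagged = {}                   # queue id -> virus name
    delivered = defaultdict(list)  # queue id -> recipients with stat=Sent
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        host, prog, pid, msg = m.group('host', 'prog', 'pid', 'msg')
        if prog == 'mimedefang.pl':
            v = VIRUS_RE.match(msg)
            if v and v.group('name'):
                # hold the name until this slave logs the message's queue ID
                pending[(host, pid)] = v.group('name')
                continue
            d = MDLOG_RE.match(msg)
            if d:
                name = pending.pop((host, pid), None)
                if name:
                    flagged[d.group('qid')] = name
        elif prog == 'sm-mta':
            s = SENT_RE.match(msg)
            if s:
                delivered[s.group('qid')].append(s.group('to'))
    return {qid: {'virus': name, 'recipients': delivered[qid]}
            for qid, name in flagged.items() if qid in delivered}


if __name__ == '__main__':
    for qid, info in sorted(find_delivered_detections(SAMPLE_LOG).items()):
        print(f"{qid}: {info['virus']} delivered to "
              f"{', '.join(info['recipients'])}")
```

On the constructed log the check reports only i619LRiB032342: the clean message is ignored, and the third message, although named as infected, never gets a stat=Sent line and so is not reported. Feeding a real mail log through find_delivered_detections() in place of SAMPLE_LOG gives the list of messages that need to be chased down at the recipients' end.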

