sorry for top-posting
This problem is due to RAV outputting multiple lines with the string "Infected:"


example RAV output:
  /path/->(part0001:)->(IFRAME0000) Infected:   HTML/IFrame_Exploit*
  /path/->(part0002:Foo.DOC.pif) Infected: Win32/[EMAIL PROTECTED]
  /path/->(part0001:Foo.doc.lnk) Infected: Win32/[EMAIL PROTECTED]

Infected: 9. Different virus bodies: 4.

The sub-ravlin.pl routine is looking for the string "Infected" and -is- finding that string in your scan's summary output:
Infected: 0. Different virus bodies: 0.


Since the match -was- successful, it reports it as containing a virus.
It's not a legitimate match since there was no infection found, but it satisfies the pattern match just fine.


HACK/WORKAROUND for this specific case with RAV 8.3.1
(not sure how it affects other versions of RAV)

change sub_ravlin.pl
from: if ($DD =~ /Infected: (.*)/) {
to: if ($DD =~ / Infected: (.*)/) {
which should stop the match on the summary line that has no space before the string.


or
to: if ($DD =~ /Infected: (.*)/ && $DD !~ /^Infected: (.*)/) {
which should stop the match on the summary line since it'll ignore lines that start with "Infected:"


(reconfigure Q-S after edits)

Seems to be getting quite challenging keeping up with all the changes in output for all the various AV's out there.
--
Doug Monroe


Payal Rathod wrote:
Hi,
I have installed,
qmail-scanner 1.16
RAV 8.3.1
clamscan 0.60
qmail 1.03

Now qmail-scanner is giving false alarms over simple sessions like
this.

[EMAIL PROTECTED] root]# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to linux (127.0.0.1).
Escape character is '^]'.
220 linux.local ESMTP
mail from: <test>
250 ok
rcpt to: <rp>
250 ok
data
354 go ahead
Subject: False Alarm.

.
250 ok 1057066737 qp 4211
quit
221 linux.local
Connection closed by foreign host.

The mail is not delivered to user rp but a notification is given to admin user p1. I am pasting the mail to admin below for reference.
User rp does not receive any mail.
I had reinstalled rav quite a few times in last 2-3 days and compiled qmail-scanner many times too usually with,
# ./configure --log-details yes --add-dscr-hdrs all


Is there any problem with virus scanner RAV or qmail-scanner?



 Return-Path: <>
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 4228 invoked by alias); 1 Jul 2003 13:38:57 -0000
 Delivered-To: [EMAIL PROTECTED]
 Received: (qmail 4220 invoked by uid 510); 1 Jul 2003 13:38:57 -0000
 Date: 1 Jul 2003 13:38:57 -0000
 From: "System Anti-Virus Administrator" <[EMAIL PROTECTED]>
 To: [EMAIL PROTECTED]
 Subject: virus found in sent message "False Alarm."
 Message-ID: <[EMAIL PROTECTED]>
 X-Tnz-Problem-Type: 40
 MIME-Version: 1.0
 Content-type: text/plain
 X-Qmail-Scanner-Mail-From: test via linux.local
 X-Qmail-Scanner-Rcpt-To: rp
 X-Qmail-Scanner: 1.16 (ravlin: 8.3.1. clamscan: 0.60.  virus Found.
  Processed in 7.770939 secs)


Attention: test



A virus was found in an Email message you sent.


)
This Email scanner intercepted it and stopped the entire message
reaching its destination.

The virus was reported to be:

0. Different virus bodies: 0.


Please update your virus scanner or contact your IT support personnel as soon as possible as you have a virus on your system.


Your message was sent with the following envelope:


MAIL FROM: test
RCPT TO:   rp

... and with the following headers:

---
 MAILFROM: test
 Received: from unknown (127.0.0.1)
  by 127.0.0.1 with SMTP; 1 Jul 2003 13:38:48 -0000
)
 Subject: False Alarm.


---




The original message is kept in:

linux.local:/var/spool/qmailscan/quarantine

where the System Anti-Virus Administrator can further diagnose it.

The Email scanner reported the following when it scanned that message:

---

How do I fix this thing?
Thanks a lot and looking for more info on this.
With warm regards,
-Payal
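
The three patterns from the reply, run against the summary line and the per-file lines quoted in the thread. This is an added example, not code from qmail-scanner or from either poster; the `detections` helper and the hash names are hypothetical, and the sample output is constructed from the lines shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample output, built from the RAV lines quoted in the thread.
my %scans = (
    clean    => [ 'Infected: 0. Different virus bodies: 0.' ],
    infected => [
        '/path/->(part0001:)->(IFRAME0000) Infected:   HTML/IFrame_Exploit*',
        '/path/->(part0002:Foo.DOC.pif) Infected: Win32/[EMAIL PROTECTED]',
        'Infected: 9. Different virus bodies: 4.',
    ],
);

# The original pattern and the two workarounds from the reply.
my %checks = (
    original      => sub { $_[0] =~ /Infected: (.*)/  ? $1 : undef },
    leading_space => sub { $_[0] =~ / Infected: (.*)/ ? $1 : undef },
    skip_summary  => sub {
        return if $_[0] =~ /^Infected: /;    # summary line starts the line
        return $_[0] =~ /Infected: (.*)/ ? $1 : undef;
    },
);

# Return every "virus name" a check extracts from one scan's output lines.
sub detections {
    my ($check, $lines) = @_;
    my @found;
    for my $line (@$lines) {
        my $name = $check->($line);
        next unless defined $name;
        $name =~ s/^\s+//;                   # trim padding after "Infected:"
        push @found, $name;
    }
    return @found;
}

# Print a verdict per scan and per pattern; any hit means "virus found".
for my $scan (sort keys %scans) {
    for my $name (qw(original leading_space skip_summary)) {
        my @found = detections($checks{$name}, $scans{$scan});
        printf "%-8s %-13s %s\n", $scan, $name,
            @found ? 'VIRUS: ' . join(' | ', @found) : 'clean';
    }
}
```

With the original pattern the clean scan is flagged and the reported name is the tail of the summary line, which is the "0. Different virus bodies: 0." text seen in the notification mail.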







_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
