Hi,
  Something I noticed in our QS logs has been puzzling me. Hope someone
can explain this.
  I noticed uvscan pick up a trojan I had not seen before:

-----
03/09/2003 22:49:29:44920: --output of uvscan was:
Scanning /var/spool/qmailscan/iapetus.salford.ac.uk106262576942644920/*
Scanning file 
/var/spool/qmailscan/iapetus.salford.ac.uk106262576942644920/1062625769.44922-0.iapetus.salford.ac.uk
/var/spool/qmailscan/iapetus.salford.ac.uk106262576942644920/1062625769.44922-0.iapetus.salford.ac.uk
        Found trojan or variant Exploit-ODREV !!!
        Please send a copy of the file to Network Associates

...

03/09/2003 22:49:29:44920: w_v_r: writing quarantine log report of:
03/09/2003 22:49:29 [EMAIL PROTECTED]       [EMAIL PROTECTED]        Whats been 
happening?    trojan or variant Exploit-ODREV !!!    uvscan: v4.2.40/v4290. 
spamassassin: 2.55.

03/09/2003 22:49:29:44920: e_v_r: email_quarantine_report took 0.061346 seconds to 
execute
03/09/2003 22:49:29:44920: qmail-scanner[44920]: UVSCAN:_trojan_or_varia 0.353022 1276 
[EMAIL PROTECTED] [EMAIL PROTECTED] Whats_been_happening? <[EMAIL PROTECTED]> 
1062625769.44922-0.iapetus.salford.ac.uk:325
-----

I've tested uvscan from the command line and it fails to pick this virus
up with the 4290 dat files, only with the 4291 files.
  Our update script picked up 4291 at 2100 GMT+1 yesterday.
  I noticed that we had several variants of this email earlier in the day,
but they were not picked up. Makes sense as earlier in the day we had the
4290 dat files and they don't detect it. If I now check the pre-2100
emails with uvscan 4291 the trojan is detected. Not of course with the
4290 files.
  However, why does QS show above that it used the 4290 dat files with
uvscan to detect this virus? That cannot be correct. Where did it pick up
this version string from? Looking at the QS script it calls "uvscan
--version" every time it runs to get the version.
  Anyone work out what happened here?
  I just can't work it out. Maybe it's too late here.
  Cheers.

-- 
Mark Powell - UNIX System Administrator - The University of Salford
Information Services Division, Clifford Whitworth Building,
Salford University, Manchester, M5 4WT, UK.
Tel: +44 161 295 4837  Fax: +44 161 295 5888  www.pgp.com for PGP key

