clamwin, eicar and archive again

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
User avatar
FAWTS
Normal user
Normal user
Posts: 74
Joined: 2005-06-18 15:25
Location: Paris
Contact:

clamwin, eicar and archive again

Post by FAWTS » 2005-06-19 02:30

First, I got the famous "50" error, but after having read the forum, it works, nearly.

eicar.com is recognise and everything's ok,

But eicarcom2.zip pass the scan without any problem while is in attached file.
Clamwin return 0

When I scan manualy the file, clamwin return 1.

I have the latest stable versions of clamwin and hMailServer so the problem doesn't come from that and my OS is win XP SP2.

If somebody has the solution, or, at least, an explaination!!!

Thank's a lot

User avatar
Bram
Senior user
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands
Contact:

Post by Bram » 2005-06-19 18:53

Isn't it a pass protected zip-archive?
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

User avatar
FAWTS
Normal user
Normal user
Posts: 74
Joined: 2005-06-18 15:25
Location: Paris
Contact:

Post by FAWTS » 2005-06-19 23:37

No, it is the archive distributed by eicar website and when I scan manualy, the virus is detected.

User avatar
Bram
Senior user
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands
Contact:

Post by Bram » 2005-06-20 08:05

I had the same problem with clamwin. So i installed clamav (http://www.sosdg.com). This version scans archives. Settings for the sosdg version are in the forum.

Maybe clamwin does it to, but you have to add a switch, but if you say when i scan manually it works i doubt it.
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

cmurphy54
Senior user
Senior user
Posts: 550
Joined: 2004-09-25 22:11
Location: Atlanta, GA
Contact:

Post by cmurphy54 » 2005-06-20 15:32

My ClamWin properly identifies the eicarcom2.zip using hMailServer v4 (never tested when I had 3.4), ClamWin 0.85.1 and Windows Server 2003.

I'm not sure what your problem is that would prevent it from working from within hMailServer as I believe you actually have to add "--no-archive" to disable archive support.

User avatar
FAWTS
Normal user
Normal user
Posts: 74
Joined: 2005-06-18 15:25
Location: Paris
Contact:

Post by FAWTS » 2005-06-20 19:22

I have reinstalles clamwin without touching the configuration, and it works perfectly!!!!!

Thanks a lot!

jt2377
Normal user
Normal user
Posts: 74
Joined: 2005-05-24 05:30

Post by jt2377 » 2005-06-22 22:05

ClamWin did not catch any of virus. i'm using the current ClamWin and i did a test from this site

http://www.webmail.us/testvirus?co=&ema ... =27&auth=0

all the virus went throught some got caught as spam by ASSP.

i'm using Windows 2003 Web edition with hmail 3.4.1-b86.

cmurphy54
Senior user
Senior user
Posts: 550
Joined: 2004-09-25 22:11
Location: Atlanta, GA
Contact:

Post by cmurphy54 » 2005-06-22 22:14

Then you have probably misconfigured something. Turn on logging and see what hMailServer says when it attempts to scan the email.

jt2377
Normal user
Normal user
Posts: 74
Joined: 2005-05-24 05:30

Post by jt2377 » 2005-06-22 22:39

cmurphy54 wrote:Then you have probably misconfigured something. Turn on logging and see what hMailServer says when it attempts to scan the email.
i've remove Clamwin 0.85 and reinstall ClamWin 0.86

am i suppose to look at error log or hmail log? i also have f-prot installed to protect the server in real time and use ClamWin to detect email virus. will two AV cause any conflict? i only configure ClamWin to detect virus and no external AV have set.

btw, when i click on use ClamWin then auto detect, it didn't detect anything so i open ClamWin and file location and copy n paste the clam.exe and db file path onto hmail.

since i can't do virus test from the above url. it limited test per one day so i'll try again tomrrow and report back.

cmurphy54
Senior user
Senior user
Posts: 550
Joined: 2004-09-25 22:11
Location: Atlanta, GA
Contact:

Post by cmurphy54 » 2005-06-23 00:31

am i suppose to look at error log or hmail log?
The hmail log
i also have f-prot installed to protect the server in real time and use ClamWin to detect email virus. will two AV cause any conflict?
They can kind of step on each others toes. F-prot could catch the virus before it gets scanned by ClamWin. Are you actually receiving the eicar attachment in your mailbox?
btw, when i click on use ClamWin then auto detect, it didn't detect anything so i open ClamWin and file location and copy n paste the clam.exe and db file path onto hmail.
It is strange the hmailserver couldn't auto-detect ClamWin. Copying and pasting should probably work, but that does point to something being a little weird about your installation I think. If you run clamscan manually, can it catch the eicar virus? Have you set it up to update it's virus signature files automatically?
since i can't do virus test from the above url. it limited test per one day so i'll try again tomrrow and report back.
You can download the eicar tests from here and then simply mail the attachment to yourself to test. No need to use that service.

User avatar
Bram
Senior user
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands
Contact:

Post by Bram » 2005-06-23 10:40

since i can't do virus test from the above url. it limited test per one day so i'll try again tomrrow and report back.
Try this url http://www.aleph-tec.com/eicar/index.php
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

jt2377
Normal user
Normal user
Posts: 74
Joined: 2005-05-24 05:30

Post by jt2377 » 2005-06-23 19:52

cmurphy54 wrote:
am i suppose to look at error log or hmail log?
The hmail log
i also have f-prot installed to protect the server in real time and use ClamWin to detect email virus. will two AV cause any conflict?
They can kind of step on each others toes. F-prot could catch the virus before it gets scanned by ClamWin. Are you actually receiving the eicar attachment in your mailbox?
btw, when i click on use ClamWin then auto detect, it didn't detect anything so i open ClamWin and file location and copy n paste the clam.exe and db file path onto hmail.
It is strange the hmailserver couldn't auto-detect ClamWin. Copying and pasting should probably work, but that does point to something being a little weird about your installation I think. If you run clamscan manually, can it catch the eicar virus? Have you set it up to update it's virus signature files automatically?
since i can't do virus test from the above url. it limited test per one day so i'll try again tomrrow and report back.
You can download the eicar tests from here and then simply mail the attachment to yourself to test. No need to use that service.
the hmail log did show clamwin was called but i think you're correct that f-port pickup the virus before clamwin can do anything so i'm going uninstall f-prot and reinstall it without real time protection.

jt2377
Normal user
Normal user
Posts: 74
Joined: 2005-05-24 05:30

Post by jt2377 » 2005-06-23 19:54

Bram wrote:
since i can't do virus test from the above url. it limited test per one day so i'll try again tomrrow and report back.
Try this url http://www.aleph-tec.com/eicar/index.php
thank

jt2377
Normal user
Normal user
Posts: 74
Joined: 2005-05-24 05:30

Post by jt2377 » 2005-06-23 20:15

i use external AV and set it to f-prot AV and it work with F-prot. so i'm going to uninstall ClamWin and just use f-prot.

thank you all for your help

User avatar
Bram
Senior user
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands
Contact:

Post by Bram » 2005-06-23 22:42

@jt2377

Can you share your f-prot commandline settings? So they can be added to the document pages.
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

jt2377
Normal user
Normal user
Posts: 74
Joined: 2005-05-24 05:30

Post by jt2377 » 2005-06-24 07:32

Bram wrote:@jt2377

Can you share your f-prot commandline settings? So they can be added to the document pages.
basically the dir where f-prot is install and find fpcmd.exe

this is what mine look like C:\Program Files\FSI\F-Prot\fpcmd.exe

hmail will call fpcmd.exe and delete the files. i'm supprise that ClamWin is not that well intergrated with hmail because auto detect didn't work and manaully enter the path didn't work. finally, f-prot work but i lose the real time protection but it still able to protect the Windows2003 server just not in real time and $50 for 10 liscense is not bad.

i'm using the v3 hmail and ClamWin auto detect didn't work. is it possible a bug? can hmail developer look into it?

cgountanis
Normal user
Normal user
Posts: 105
Joined: 2005-07-01 00:54
Location: USA

Post by cgountanis » 2005-07-15 11:27


Post Reply