Recently we have bolstered our AV/antispam security with the use of additional 3rd party signatures (for ClamAV) from Sanesecurity. On their site they offer 3x TEST methods to check your AV solution is working with their signatures. (Apologies but the 'advertising' is unavoidable, I need to show you this page for the purpose of this issue: http://sanesecurity.com/support/signature-testing/). You can see from the tests that 2x are based on BODY text (#1 and #3) and #2 is based on SUBJECT text.
Now, testing the 2x BODY text tests:
I send an email with the relevant body text and my AV captures it with the server message relating to the removal of a virus attachment whilst keeping the original body text (note that there isn't actually an attachment to be removed, but I understand that this string represents one placed in the body stream):
SENT:
RECEIVED:
HOWEVER... when I do the same kind of test for 'test 2', which is about SUBJECT content (designed to test that the server fully sends the RAW message details to be scanned, including headers), the message does get detected as a (test) virus, but this is only clear by looking in the APPLICATION log file. Unlike the other test, this email is received and is NOT marked in any way as possessing a virus (despite being detected as such):
SENT:
LOG showing detection of correct (test) virus:
"APPLICATION" 4608 "2015-11-17 23:05:41.067" "SMTPDeliverer - Message 272392: Message attachments stripped (contained virus Sanesecurity.TestSig_Type4_Hdr.2.UNOFFICIAL)."
RECEIVED:
Why is the BODY test marked as virus but the 'SUBJECT' test is NOT marked as virus despite being detected as such?
As a further test, I sent the same 'subject' test email in, but this time added an innocuous attachment (a .TXT file with nothing to mention in it). When this was received, it was still correctly identified (in the logs), but this time it DID add the 'virus removed' message (as well as stripping the .TXT file):
BODY signatures get stripped and replaced with the VIRUS_ATTACHMENT_REMOVED server message. But header signatures do not get marked with a server message despite still being detected (either VIRUS FOUND or VIRUS_NOTIFICATION would also be more appropriate).
I'm asking if anyone could make sense of this (probably by being able to read the source) and offer an opinion as to whether the lack of consistency is justified.