Eicar Test Virus and ClamWin

phil54
Normal user
Posts: 195
Joined: 2007-11-26 13:13
Location: UK :-)

Post by phil54 » 2007-12-03 18:36

I've installed clamwin and it's updated, doing a bit of testing with the eicar test virus.

It's set in Hmail to delete the file, but it's still getting through to me and my personal anti virus is picking it up.

I pressed the auto detect and it has picked up the right location, also in status it's saying no messages have contained any viruses.

Any ideas what I've done wrong?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-12-03 19:23

Enable all logging, reproduce the problem and then post the log here.


Post by phil54 » 2007-12-04 13:33

I'm just about to resend the test virus. When you say logging, do you mean the logging bit in status or the logging section?

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2007-12-04 13:45

In the logging section, enable everything and then post the log here.

Michael
Missing Hmailserver ... Now running Debian servers


Post by phil54 » 2007-12-04 14:14

Ah sound, just working my way through it now. Post it up in a couple of minutes


Post by phil54 » 2007-12-04 14:31

I've removed all the logs about dns blacklists etc and replaced the domain with test.com

"APPLICATION" 3960 "2007-12-04 11:35:03.265" "SMTPDeliverer - Message 240: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml"
"DEBUG" 3960 "2007-12-04 11:35:03.265" "ClamWinVirusScanner::Scan()"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "PMADO:~SaveObject()"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "Message added. File: C:\Program Files\hMailServer\Data\{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "Application::SubmitPendingEmail()"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "Application::~SubmitPendingEmail()"
"SMTPD" 4028 1678 "2007-12-04 11:35:03.265" "38.96.163.23" "SENT: 250 Queued (0.078 seconds)"
"DEBUG" 3964 "2007-12-04 11:35:03.265" "SD::DeliverMessage"

"APPLICATION" 3964 "2007-12-04 11:35:03.265" "SMTPDeliverer - Message 241: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml"
"DEBUG" 3964 "2007-12-04 11:35:03.265" "ClamWinVirusScanner::Scan()"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "PMADO:SaveObject()"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Adding message to database. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"SMTPD" 4028 1677 "2007-12-04 11:35:03.343" "38.96.163.23" "RECEIVED: QUIT"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "PMADO:~SaveObject()"
"SMTPD" 4028 1677 "2007-12-04 11:35:03.343" "38.96.163.23" "SENT: 221 goodbye"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Message added. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"TCPIP" 4028 "2007-12-04 11:35:03.343" "Disconnecting socket 1496 for session 1677"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Application::SubmitPendingEmail()"
"DEBUG" 4028 "2007-12-04 11:35:03.343" "Socket::~Socket(ID: 1677)"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Application::~SubmitPendingEmail()"
"SMTPD" 4024 1679 "2007-12-04 11:35:03.343" "38.96.163.23" "SENT: 250 Queued (0.156 seconds)"
"DEBUG" 3972 "2007-12-04 11:35:03.343" "SD::DeliverMessage"

"APPLICATION" 3972 "2007-12-04 11:35:03.343" "SMTPDeliverer - Message 242: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"SMTPD" 4028 1678 "2007-12-04 11:35:03.343" "38.96.163.23" "RECEIVED: QUIT"
"SMTPD" 4028 1678 "2007-12-04 11:35:03.343" "38.96.163.23" "SENT: 221 goodbye"
"DEBUG" 3972 "2007-12-04 11:35:03.343" "ClamWinVirusScanner::Scan()"
"TCPIP" 4028 "2007-12-04 11:35:03.343" "Disconnecting socket 1588 for session 1678"
"DEBUG" 4028 "2007-12-04 11:35:03.343" "Socket::~Socket(ID: 1678)"
"SMTPD" 4028 1679 "2007-12-04 11:35:03.421" "38.96.163.23" "RECEIVED: QUIT"
"SMTPD" 4028 1679 "2007-12-04 11:35:03.421" "38.96.163.23" "SENT: 221 goodbye"
"TCPIP" 4028 "2007-12-04 11:35:03.421" "Disconnecting socket 1616 for session 1679"
"DEBUG" 4028 "2007-12-04 11:35:03.421" "Socket::~Socket(ID: 1679)"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.578" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3964 "2007-12-04 11:35:10.578" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3964 "2007-12-04 11:35:10.796" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::~ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "SD::_DeliverToLocalAccounts"
"DEBUG" 3964 "2007-12-04 11:35:10.796" "ClamWinVirusScanner::Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::~ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PMADO:CopyMailContentsFrom()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PMADO:~CopyMailContentsFrom()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "Adding message to database. File: C:\Program Files\hMailServer\Data\test.co.uk\test\F4\{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "SD::~_DeliverToLocalAccounts"
"APPLICATION" 3960 "2007-12-04 11:35:10.796" "SMTPDeliverer - Message 240: Message delivery thread completed."
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PersistentMessage::DeleteObject()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PersistentMessage::DeleteFile()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PersistentMessage::DeleteObject() - E5"
"DEBUG" 3960 "2007-12-04 11:35:11.156" "SD::~DeliverMessage"
"DEBUG" 3972 "2007-12-04 11:35:13.328" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{E8DB1A29-E907-419A-B502-2B33DC8FACA9}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3972 "2007-12-04 11:35:13.328" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3972 "2007-12-04 11:35:13.890" "ClamWinVirusScanner::Scan()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{A159F2B6-29F4-448C-B65D-445637CC3B11}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::~ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "SD::_DeliverToLocalAccounts"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::~ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PMADO:CopyMailContentsFrom()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PMADO:~CopyMailContentsFrom()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "Adding message to database. File: C:\Program Files\hMailServer\Data\test.co.uk\test\11\{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "SD::~_DeliverToLocalAccounts"
"APPLICATION" 3964 "2007-12-04 11:35:14.156" "SMTPDeliverer - Message 241: Message delivery thread completed."
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PersistentMessage::DeleteObject()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PersistentMessage::DeleteFile()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PersistentMessage::DeleteObject() - E5"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "SD::~DeliverMessage"
"DEBUG" 3972 "2007-12-04 11:35:17.156" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{4E5A0CB7-E9D8-4837-B63C-18487774EE00}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 0"


Post by phil54 » 2007-12-04 16:59

I thought I'd try and run the exe from the command line, and I get this:

C:\Program Files\ClamWin\bin>clamscan.exe c:\dell
LibClamAV Error: cli_loaddb(): No supported database files found in .
ERROR: Not supported data format

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 0
Skipped non-executable files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.000 sec (0 m 0 s)

That doesn't sound too good at all


Post by phil54 » 2007-12-04 18:24

Bit of an update, if I copy the cvd files into the bin directory, clamscan will run in the command line.

The test virus is still getting through, any ideas?


Post by phil54 » 2007-12-04 19:05

Interesting, on the eicar test page it picks up four out of six tests; it lets

eicarpasswd.zip (new! - zip compressed eicar.com with password)

eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

into the inbox.


Post by martin » 2007-12-04 19:24

A bit confusing here... You say that the test virus is getting through, then you say some of them aren't. So I assume it works fine for you with some of the messages, am I right?


Post by Slug » 2007-12-05 14:51

phil54 wrote: Interesting, on the eicar test page it picks up four out of six tests; it lets

eicarpasswd.zip (new! - zip compressed eicar.com with password)

eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

into the inbox.

From the log hMs is running Clamwin and finding no virus (returned 0), so I don't think it's a hMs problem, I think it's a Clamwin problem (it's not picking up the test virus).

You might want to bring this up in the Clamwin forum and ask them why.

Michael
Missing Hmailserver ... Now running Debian servers
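
Added example (not part of the thread and not hMailServer code): the log reading described in the post above, automated. It reads each "Returned N" value as clamscan's exit code (0 = no virus found, 1 = virus found, 2 = error) and pairs it with whether the file was later stored in an account folder; the sample lines, placeholder GUIDs, shortened paths and function names are constructed assumptions.

```python
import re

# clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = an error occurred
VERDICT = {0: "clean", 1: "infected", 2: "scanner error"}
GUID = r"\{[0-9A-Fa-f-]{36}\}"
SCAN = re.compile(r'ClamWinVirusScanner::Scan\(\) - .*?"(' + GUID +
                  r')\.(?:eml|tmp)".* - Returned (\d+)"')
# Stored in an account folder: ...\<domain>\<account>\<2 hex chars>\{GUID}.eml
STORED = re.compile(r'Adding message to database\. File: .*\\[0-9A-Fa-f]{2}\\('
                    + GUID + r')\.eml"')

def triage(lines):
    """Return {guid: {"verdict": str, "delivered": bool}} for a debug log."""
    results = {}
    def entry(guid):
        return results.setdefault(guid, {"verdict": "not scanned", "delivered": False})
    for line in lines:
        m = SCAN.search(line)
        if m:
            rc = int(m.group(2))
            entry(m.group(1))["verdict"] = VERDICT.get(rc, f"exit code {rc}")
        m = STORED.search(line)
        if m:
            entry(m.group(1))["delivered"] = True
    return results

def delivered_without_clean_scan(results):
    """GUIDs stored in a mailbox whose last recorded verdict is not 'clean'."""
    return sorted(g for g, r in results.items()
                  if r["delivered"] and r["verdict"] != "clean")

# Constructed sample lines in the format posted in the thread (placeholder GUIDs).
G_CLEAN, G_HIT, G_ERR, G_NONE = ("{%s0000000-0000-0000-0000-000000000000}" % c
                                 for c in "ABCD")
def scan_line(guid, rc):
    return ('"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::Scan() - '
            'C:\\ClamWin\\bin\\clamscan.exe --database="C:\\db" '
            f'"{guid}.eml" --tempdir="C:\\Temp" - Returned {rc}"')
def stored_line(guid):
    return ('"DEBUG" 3960 "2007-12-04 11:35:10.796" "Adding message to database. '
            f'File: C:\\Data\\example.test\\user\\{guid[1:3]}\\{guid}.eml"')

SAMPLE_LOG = [scan_line(G_CLEAN, 0), stored_line(G_CLEAN), scan_line(G_HIT, 1),
              scan_line(G_ERR, 2), stored_line(G_ERR), stored_line(G_NONE)]
```

A message that is stored after a "scanner error" or with no scan line at all is the case worth alerting on, since neither means the content was checked.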


Post by phil54 » 2007-12-05 15:24

Hi Martin, I did some more testing from the eicar page. The first four tests are getting stopped by ClamWin, the last two:

eicarpasswd.zip (new! - zip compressed eicar.com with password)

eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

Are getting through.

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2007-12-05 18:11

That is a clamwin issue not a hMail issue.

danny6167
Senior user
Posts: 472
Joined: 2007-02-07 15:24
Location: Western Australia

Post by danny6167 » 2007-12-05 18:51

You need to set in your clamwin config files to scan inside .zip files, otherwise it will not pick these ones up.


Post by phil54 » 2007-12-05 19:00

Danny, how can I do that? I've had a look in clamwin and it's set to scan archives.
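
Added example (not part of the thread, not ClamWin or hMailServer code): a password-protected ZIP stores its member data encrypted, so a scanner without the password cannot match signatures inside it whatever the archive-scanning setting is. A gateway can still detect such attachments from the ZIP header flag and apply its own policy. The message, file names and function names below are constructed assumptions, and the sample sets the "encrypted" flag bit by hand because Python's zipfile cannot write encrypted archives.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: member data is encrypted

def encrypted_members(zip_bytes):
    """Names of archive members whose data is password-encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]

def unscannable_attachments(raw_message):
    """Map ZIP attachment filename -> members a scanner cannot read."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not payload.startswith(b"PK\x03\x04"):
            continue  # not a ZIP container
        try:
            names = encrypted_members(payload)
        except zipfile.BadZipFile:
            names = ["<unreadable archive>"]  # cannot be inspected either
        if names:
            flagged[part.get_filename()] = names
    return flagged

def sample_zip(encrypted):
    """Constructed sample: one-file ZIP, optionally with the encrypted bit set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.com", b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED                              # local file header flags
        data[data.rfind(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    return bytes(data)

def sample_message():
    """Constructed message carrying one plain and one flagged ZIP attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "rcpt@example.test"
    msg["Subject"] = "archive test"
    msg.set_content("see attachments")
    for name, enc in (("plain.zip", False), ("passwd.zip", True)):
        msg.add_attachment(sample_zip(enc), maintype="application",
                           subtype="zip", filename=name)
    return msg.as_bytes()
```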

westdam
Senior user
Posts: 728
Joined: 2006-08-01 21:24
Location: Padova, Italy

Post by westdam » 2009-10-16 13:21

clamwin is crappy.. believe me.

Same server, just send the mail a couple of times, clamwin sometimes recognizes the virus, sometimes not.

Can't understand why.
Same conf, same program, no changes.

tBB
Senior user
Posts: 268
Joined: 2009-04-17 18:10
Location: The land of Beer and Sauerkraut!

Post by tBB » 2009-10-16 18:31

You've noticed that the thread you're replying to is almost 2 years old? :)

Best regards,

Nico
