
Eicar Test Virus and ClamWin

Posted: 2007-12-03 18:36
by phil54
I've installed ClamWin and it's updated, and I'm doing a bit of testing with the EICAR test virus.

It's set in hMail to delete the file, but it's still getting through to me, and my personal antivirus is picking it up.

I pressed auto-detect and it has picked up the right location; also, in Status it's saying no messages have contained any viruses.

Any ideas what I've done wrong?

Posted: 2007-12-03 19:23
by martin
Enable all logging, reproduce the problem and then post the log here.

Posted: 2007-12-04 13:33
by phil54
I'm just about to re-send the test virus. When you say logging, do you mean the logging bit in Status or the Logging section?

Posted: 2007-12-04 13:45
by Slug
In the Logging section, enable everything and then post the log here.

Michael

Posted: 2007-12-04 14:14
by phil54
Ah, sound. Just working my way through it now; will post it up in a couple of minutes.

Posted: 2007-12-04 14:31
by phil54
I've removed all the log lines about DNS blacklists etc. and replaced the domain with test.com.

"APPLICATION" 3960 "2007-12-04 11:35:03.265" "SMTPDeliverer - Message 240: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml"
"DEBUG" 3960 "2007-12-04 11:35:03.265" "ClamWinVirusScanner::Scan()"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "PMADO:~SaveObject()"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "Message added. File: C:\Program Files\hMailServer\Data\{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "Application::SubmitPendingEmail()"
"DEBUG" 4028 "2007-12-04 11:35:03.265" "Application::~SubmitPendingEmail()"
"SMTPD" 4028 1678 "2007-12-04 11:35:03.265" "38.96.163.23" "SENT: 250 Queued (0.078 seconds)"
"DEBUG" 3964 "2007-12-04 11:35:03.265" "SD::DeliverMessage"
"APPLICATION" 3964 "2007-12-04 11:35:03.265" "SMTPDeliverer - Message 241: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml"
"DEBUG" 3964 "2007-12-04 11:35:03.265" "ClamWinVirusScanner::Scan()"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "PMADO:SaveObject()"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Adding message to database. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"SMTPD" 4028 1677 "2007-12-04 11:35:03.343" "38.96.163.23" "RECEIVED: QUIT"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "PMADO:~SaveObject()"
"SMTPD" 4028 1677 "2007-12-04 11:35:03.343" "38.96.163.23" "SENT: 221 goodbye"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Message added. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"TCPIP" 4028 "2007-12-04 11:35:03.343" "Disconnecting socket 1496 for session 1677"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Application::SubmitPendingEmail()"
"DEBUG" 4028 "2007-12-04 11:35:03.343" "Socket::~Socket(ID: 1677)"
"DEBUG" 4024 "2007-12-04 11:35:03.343" "Application::~SubmitPendingEmail()"
"SMTPD" 4024 1679 "2007-12-04 11:35:03.343" "38.96.163.23" "SENT: 250 Queued (0.156 seconds)"
"DEBUG" 3972 "2007-12-04 11:35:03.343" "SD::DeliverMessage"
"APPLICATION" 3972 "2007-12-04 11:35:03.343" "SMTPDeliverer - Message 242: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"SMTPD" 4028 1678 "2007-12-04 11:35:03.343" "38.96.163.23" "RECEIVED: QUIT"
"SMTPD" 4028 1678 "2007-12-04 11:35:03.343" "38.96.163.23" "SENT: 221 goodbye"
"DEBUG" 3972 "2007-12-04 11:35:03.343" "ClamWinVirusScanner::Scan()"
"TCPIP" 4028 "2007-12-04 11:35:03.343" "Disconnecting socket 1588 for session 1678"
"DEBUG" 4028 "2007-12-04 11:35:03.343" "Socket::~Socket(ID: 1678)"
"SMTPD" 4028 1679 "2007-12-04 11:35:03.421" "38.96.163.23" "RECEIVED: QUIT"
"SMTPD" 4028 1679 "2007-12-04 11:35:03.421" "38.96.163.23" "SENT: 221 goodbye"
"TCPIP" 4028 "2007-12-04 11:35:03.421" "Disconnecting socket 1616 for session 1679"
"DEBUG" 4028 "2007-12-04 11:35:03.421" "Socket::~Socket(ID: 1679)"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.578" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3964 "2007-12-04 11:35:10.578" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3964 "2007-12-04 11:35:10.796" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::~ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "SD::_DeliverToLocalAccounts"
"DEBUG" 3964 "2007-12-04 11:35:10.796" "ClamWinVirusScanner::Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "RuleApplier::~ApplyRules"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PMADO:CopyMailContentsFrom()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PMADO:~CopyMailContentsFrom()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "Adding message to database. File: C:\Program Files\hMailServer\Data\test.co.uk\test\F4\{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "SD::~_DeliverToLocalAccounts"
"APPLICATION" 3960 "2007-12-04 11:35:10.796" "SMTPDeliverer - Message 240: Message delivery thread completed."
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PersistentMessage::DeleteObject()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PersistentMessage::DeleteFile()"
"DEBUG" 3960 "2007-12-04 11:35:10.796" "PersistentMessage::DeleteObject() - E5"
"DEBUG" 3960 "2007-12-04 11:35:11.156" "SD::~DeliverMessage"
"DEBUG" 3972 "2007-12-04 11:35:13.328" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{E8DB1A29-E907-419A-B502-2B33DC8FACA9}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3972 "2007-12-04 11:35:13.328" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3972 "2007-12-04 11:35:13.890" "ClamWinVirusScanner::Scan()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{A159F2B6-29F4-448C-B65D-445637CC3B11}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "ClamWinVirusScanner::~Scan()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::~ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "SD::_DeliverToLocalAccounts"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "RuleApplier::~ApplyRules"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PMADO:CopyMailContentsFrom()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PMADO:~CopyMailContentsFrom()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "Adding message to database. File: C:\Program Files\hMailServer\Data\test.co.uk\test\11\{11B533A6-CC5E-4A9C-953C-A0B22F8455C6}.eml"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "SD::~_DeliverToLocalAccounts"
"APPLICATION" 3964 "2007-12-04 11:35:14.156" "SMTPDeliverer - Message 241: Message delivery thread completed."
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PersistentMessage::DeleteObject()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PersistentMessage::DeleteFile()"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "PersistentMessage::DeleteObject() - E5"
"DEBUG" 3964 "2007-12-04 11:35:14.156" "SD::~DeliverMessage"
"DEBUG" 3972 "2007-12-04 11:35:17.156" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{4E5A0CB7-E9D8-4837-B63C-18487774EE00}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 0"

Posted: 2007-12-04 16:59
by phil54
I thought I'd try and run the exe from the command line, and I get this:

C:\Program Files\ClamWin\bin>clamscan.exe c:\dell
LibClamAV Error: cli_loaddb(): No supported database files found in .
ERROR: Not supported data format

----------- SCAN SUMMARY -----------
Known viruses: 0
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 0
Skipped non-executable files: 0
Infected files: 0
Data scanned: 0.00 MB
Time: 0.000 sec (0 m 0 s)

That doesn't sound too good at all.

Posted: 2007-12-04 18:24
by phil54
Bit of an update: if I copy the .cvd files into the bin directory, clamscan will run from the command line.

The test virus is still getting through, any ideas?

Posted: 2007-12-04 19:05
by phil54
Interesting: on the EICAR test page it picks up four out of six tests; it lets

eicarpasswd.zip (new! - zip compressed eicar.com with password)

eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

into the inbox.

Posted: 2007-12-04 19:24
by martin
A bit confusing here... You say that the test virus is getting through, then you say some of them aren't. So I assume it works fine for you with some of the messages, am I right?

Posted: 2007-12-05 14:51
by Slug
phil54 wrote: Interesting: on the EICAR test page it picks up four out of six tests; it lets

eicarpasswd.zip (new! - zip compressed eicar.com with password)

eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

into the inbox.
From the log, hMS is running ClamWin and finding no virus (returned 0), so I don't think it's an hMS problem; I think it's a ClamWin problem (it's not picking up the test virus).

You might want to bring this up in the Clamwin forum and ask them why.

Michael
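
As an added illustration of the diagnosis above (this is not code from the thread, from hMailServer or from ClamWin): a small Python parser that reads hMailServer debug log lines in the shape posted here, ties each "SMTPDeliverer - Message N" delivery to the clamscan return codes logged on the same thread ID, and reports a per-message verdict. The correlation by thread ID is my reading of the posted log; the exit-code meanings (0 clean, 1 infected, anything else a scanner error) are ClamAV's documented clamscan codes. The sample lines are constructed from the posted log, and the final "Returned 1" line is invented to show what a detection would look like.

```python
import re

# Constructed sample in the shape of the hMailServer debug log posted above. Thread IDs,
# message numbers, addresses and file GUIDs come from the posted log; the last line's
# "Returned 1" is invented so that a positive scan result appears in the report.
SAMPLE_LOG = r'''
"APPLICATION" 3960 "2007-12-04 11:35:03.265" "SMTPDeliverer - Message 240: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml"
"DEBUG" 3960 "2007-12-04 11:35:03.265" "ClamWinVirusScanner::Scan()"
"DEBUG" 3960 "2007-12-04 11:35:10.578" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{F4C3BD9A-03A5-4816-8FB7-F554F0DD7AA8}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"APPLICATION" 3960 "2007-12-04 11:35:10.796" "SMTPDeliverer - Message 240: Message delivery thread completed."
"APPLICATION" 3972 "2007-12-04 11:35:03.343" "SMTPDeliverer - Message 242: Delivering message from eicar@aleph-tec.com to test@test.co.uk. File: C:\Program Files\hMailServer\Data\{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml"
"DEBUG" 3972 "2007-12-04 11:35:08.640" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{255AF1D2-82EC-45B5-9139-F7B125B670CC}.eml" --tempdir="C:\WINDOWS\Temp" - Returned 0"
"DEBUG" 3972 "2007-12-04 11:35:13.328" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database="C:\Documents and Settings\All Users\.clamwin\db" "{E8DB1A29-E907-419A-B502-2B33DC8FACA9}.tmp" --tempdir="C:\WINDOWS\Temp" - Returned 1"
'''

# Line shapes taken from the posted log: delivery start, clamscan invocation, delivery end.
DELIVER_RE = re.compile(
    r'^"APPLICATION" (\d+) "[^"]*" "SMTPDeliverer - Message (\d+): Delivering message from (\S+) to (\S+?)\. File: (.+)"$')
SCAN_RE = re.compile(
    r'^"DEBUG" (\d+) "[^"]*" "ClamWinVirusScanner::Scan\(\) - .* "(\{[0-9A-Fa-f-]+\}\.\w+)" --tempdir=.* - Returned (\d+)"$')
COMPLETE_RE = re.compile(
    r'^"APPLICATION" (\d+) "[^"]*" "SMTPDeliverer - Message (\d+): Message delivery thread completed\."$')


def summarize(log_text):
    """Map message number -> record of sender, recipient, file, scans and completion.
    Scan results are attributed to whichever message is being delivered on that thread."""
    records = {}
    active = {}  # thread id -> message number currently being delivered on that thread
    for raw in log_text.splitlines():
        line = raw.strip()
        m = DELIVER_RE.match(line)
        if m:
            thread, msgno, sender, rcpt, path = m.groups()
            records[int(msgno)] = {"thread": thread, "from": sender, "to": rcpt,
                                   "file": path, "scans": [], "completed": False}
            active[thread] = int(msgno)
            continue
        m = SCAN_RE.match(line)
        if m:
            thread, scanned, code = m.groups()
            if thread in active:
                records[active[thread]]["scans"].append((scanned, int(code)))
            continue
        m = COMPLETE_RE.match(line)
        if m:
            thread, msgno = m.groups()
            if int(msgno) in records:
                records[int(msgno)]["completed"] = True
            active.pop(thread, None)
    return records


def verdict(record):
    """Interpret the clamscan exit codes: 0 = no virus, 1 = virus found, other = scanner error."""
    codes = [code for _, code in record["scans"]]
    if not codes:
        return "not scanned"
    if any(code == 1 for code in codes):
        return "infected"
    if any(code not in (0, 1) for code in codes):
        return "scan error"
    return "clean"


def report(log_text):
    """(message number, verdict, delivery completed) for every message in the log."""
    records = summarize(log_text)
    return [(n, verdict(records[n]), records[n]["completed"]) for n in sorted(records)]


if __name__ == "__main__":
    for msgno, result, done in report(SAMPLE_LOG):
        print(f"message {msgno}: {result}, delivery completed: {done}")
```

Run against the full log posted above, every message comes out "clean" with "completed: True", which is the point Slug makes: the scanner was invoked and returned 0 each time, so the server had nothing to act on. A non-zero code with "completed: True" would instead point at the server-side handling.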

Posted: 2007-12-05 15:24
by phil54
Hi Martin, I did some more testing from the EICAR page. The first four tests are getting stopped by ClamWin; the last two:

eicarpasswd.zip (new! - zip compressed eicar.com with password)

eicarpasswdocr.zip (new! - zip compressed eicar.com with password in image file)

are getting through.

Posted: 2007-12-05 18:11
by ^DooM^
That is a ClamWin issue, not an hMail issue.

Posted: 2007-12-05 18:51
by danny6167
You need to set your ClamWin config files to scan inside .zip files; otherwise it will not pick these ones up.
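
A caveat worth adding here, with an example that is not from the thread or from either project: the two samples phil54 sees getting through are both password-protected zips, and no content scanner (archive scanning enabled or not) can see inside an encrypted entry; the "password in an image file" variant is no different from the scanner's point of view. What a mail filter can do is notice that the archive is unscannable and treat that as its own verdict. The Python below builds a small zip in memory, sets the "encrypted" bit (bit 0 of the general-purpose flag word in both the local header and the central directory record) on one entry to reproduce what a password-protected archive looks like, then shows the detection. The payload is a constructed placeholder, not the EICAR string; the gateway policy function is hypothetical.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header signature
EOCD_SIG = b"PK\x05\x06"     # end of central directory record signature
ENCRYPTED_FLAG = 0x0001      # bit 0 of the general-purpose flag word: entry is encrypted

# Constructed placeholder payload; deliberately NOT the real EICAR test string.
PLACEHOLDER = b"placeholder attachment body, not a test signature"


def build_zip(entries):
    """Build a plain, unencrypted zip in memory from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_encrypted(zip_bytes, name):
    """Set the encrypted flag bit on one entry, in the local header and the central
    directory record. The payload is left untouched: this only reproduces the header
    state a scanner (and zipfile) sees on a password-protected entry."""
    data = bytearray(zip_bytes)
    fname = name.encode("utf-8")
    # Local header: zipfile already knows where each entry's header starts.
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        header_offset = {i.filename: i.header_offset for i in zf.infolist()}[name]
    if data[header_offset:header_offset + 4] != LOCAL_SIG:
        raise ValueError("local file header not found")
    flags = struct.unpack_from("<H", data, header_offset + 6)[0]
    struct.pack_into("<H", data, header_offset + 6, flags | ENCRYPTED_FLAG)
    # Central directory: start at the offset stored in the end-of-central-directory record
    # and walk the records (46-byte fixed part + name + extra + comment).
    eocd = data.rfind(EOCD_SIG)
    pos = struct.unpack_from("<L", data, eocd + 16)[0]
    while data[pos:pos + 4] == CENTRAL_SIG:
        nlen, elen, clen = struct.unpack_from("<HHH", data, pos + 28)
        if data[pos + 46:pos + 46 + nlen] == fname:
            flags = struct.unpack_from("<H", data, pos + 8)[0]
            struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED_FLAG)
        pos += 46 + nlen + elen + clen
    return bytes(data)


def unscannable_entries(zip_bytes):
    """Names of entries whose content a scanner cannot inspect because they are encrypted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def inspectable_payloads(zip_bytes):
    """Read each entry the way a scanner would; encrypted entries come back as None."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                out[info.filename] = zf.read(info)
            except RuntimeError:  # zipfile: "File ... is encrypted, password required"
                out[info.filename] = None
    return out


def attachment_verdict(zip_bytes):
    """Hypothetical gateway policy: hand fully readable archives to the scanner and
    quarantine anything the scanner could only wave through unseen."""
    return "quarantine-unscannable" if unscannable_entries(zip_bytes) else "scan"


# Constructed samples: the same archive with and without the encrypted flag set.
SAMPLE_PLAIN = build_zip({"eicar.com": PLACEHOLDER})
SAMPLE_LOCKED = mark_encrypted(SAMPLE_PLAIN, "eicar.com")

if __name__ == "__main__":
    for label, blob in (("plain", SAMPLE_PLAIN), ("password-protected", SAMPLE_LOCKED)):
        print(label, unscannable_entries(blob), attachment_verdict(blob))
```

The flag bit is all a scanner has to go on: it cannot tell a harmless protected archive from a harmful one, which is why "treat unscannable as suspect" is a policy decision rather than a detection, and why a scanner returning 0 on such a file is expected behaviour, not a ClamWin defect.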

Posted: 2007-12-05 19:00
by phil54
Danny, how can I do that? I've had a look in ClamWin and it's set to scan archives.

Re: Eicar Test Virus and ClamWin

Posted: 2009-10-16 13:21
by westdam
ClamWin is crappy... believe me.

Same server; just send the mail a couple of times: ClamWin sometimes recognizes the virus, sometimes not.

Can't understand why.
Same conf, same program, no changes.

Re: Eicar Test Virus and ClamWin

Posted: 2009-10-16 18:31
by tBB
You've noticed that the thread you're replying to is almost 2 years old? :)

Best regards,

Nico