ClamAV and the Eicar test virus

spydr
New user
Posts: 13
Joined: 2005-05-29 18:55
Location: Virginia

ClamAV and the Eicar test virus

Post by spydr » 2005-06-01 06:32

I have hMailServer 4.10 and ClamAV 0.85.1
The paths are set correctly in hMail but the eicar test virus still gets through.
ClamAV finds the test virus on the hard drive when I do a manual scan.

Any Ideas?

Bram
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands

Post by Bram » 2005-06-01 06:50

Post your hMailServer log here. Probably you got a 'return 50' error, which means your virus definitions are not found.
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

abgar
Normal user
Posts: 93
Joined: 2005-03-23 09:33
Location: Warsaw, Poland

Post by abgar » 2005-06-01 11:25

I have the same problem with hMail 3.4.1 and ClamWin. No reaction to the EICAR test. No errors recorded in the log file.

spydr
New user
Posts: 13
Joined: 2005-05-29 18:55
Location: Virginia

My SMTP and APP log for the test virus

Post by spydr » 2005-06-01 15:08

"SMTPD" 676 "2005-06-01 00:21:57.554" "192.168.1.20" "SENT: 220 smtp.thetethered.com ESMTP"
"SMTPD" 676 "2005-06-01 00:21:57.569" "192.168.1.20" "RECEIVED: HELO trebuchet"
"SMTPD" 676 "2005-06-01 00:21:57.569" "192.168.1.20" "SENT: 250 Hello. Pleased to meet you"
"SMTPD" 676 "2005-06-01 00:21:57.585" "192.168.1.20" "RECEIVED: MAIL FROM: <user@thetethered.com>"
"SMTPD" 676 "2005-06-01 00:21:57.960" "192.168.1.20" "SENT: 250 user@thetethered.com... Sender OK"
"SMTPD" 676 "2005-06-01 00:21:57.960" "192.168.1.20" "RECEIVED: RCPT TO: <user@thetethered.com>"
"SMTPD" 676 "2005-06-01 00:21:57.976" "192.168.1.20" "SENT: 250 OK its for user@thetethered.com"
"SMTPD" 676 "2005-06-01 00:21:57.991" "192.168.1.20" "RECEIVED: DATA"
"SMTPD" 676 "2005-06-01 00:21:57.991" "192.168.1.20" "SENT: 354 ok send! end with <crlf>.<crlf>"
"SMTPD" 676 "2005-06-01 00:21:58.163" "192.168.1.20" "SENT: 250 Message queued (0.156 seconds)"
"SMTPD" 676 "2005-06-01 00:21:58.179" "192.168.1.20" "RECEIVED: QUIT"
"SMTPD" 676 "2005-06-01 00:21:58.179" "192.168.1.20" "SENT: 221 goodbye"
"APPLICATION" 3028 "2005-06-01 00:21:58.194" "SMTPDeliverer - Message 168: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{4F486864-6216-48F6-B98E-B4357E92EE2B}.eml"
"APPLICATION" 3028 "2005-06-01 00:22:03.694" "SMTPDeliverer - Message 168: Message delivery thread completed."
Last edited by spydr on 2005-06-02 15:27, edited 1 time in total.

GlenC
Senior user
Posts: 680
Joined: 2004-08-17 23:31
Location: Santiago, Chile

Post by GlenC » 2005-06-01 15:13

You'll need to enable Debug logging to see what the return codes are for your virus scanner.

TheAngryPenguin
Senior user
Posts: 341
Joined: 2004-10-11 20:51

Post by TheAngryPenguin » 2005-06-01 16:19

AFAIK, ClamAV's antivirus databases do not include a signature for eicar.

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2005-06-01 17:28

I'm pretty sure ClamAV includes a signature for EICAR. I've tested EICAR with ClamWin myself several times. The only way to continue is to turn on the debug log to see what ClamScan returns. Without the debug log, we can only guess.

spydr
New user
Posts: 13
Joined: 2005-05-29 18:55
Location: Virginia

Log with debug

Post by spydr » 2005-06-02 15:39

There might be some extra stuff in the log, but I didn't want to miss anything.

FYI: ClamAV does pick up the EICAR test virus when I do a manual scan.

"DEBUG" 2568 "2005-06-02 09:23:13.379" "SocketConnection::SocketConnection()"
"SMTPD" 2568 "2005-06-02 09:23:13.395" "192.168.1.20" "SENT: 220 smtp.thetethered.com ESMTP"
"SMTPD" 2568 "2005-06-02 09:23:13.395" "192.168.1.20" "RECEIVED: HELO trebuchet"
"SMTPD" 2568 "2005-06-02 09:23:13.410" "192.168.1.20" "SENT: 250 Hello. Pleased to meet you"
"SMTPD" 2568 "2005-06-02 09:23:13.426" "192.168.1.20" "RECEIVED: MAIL FROM: <user@thetethered.com>"
"DEBUG" 2568 "2005-06-02 09:23:13.426" "BLCheck::ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.442" "ADORecordset::_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.442" "ADORecordset::~_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.598" "BLCheck::~ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.613" "BLCheck::ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.613" "ADORecordset::_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.613" "ADORecordset::~_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.801" "BLCheck::~ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.801" "BLCheck::ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.817" "ADORecordset::_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.879" "ADORecordset::~_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:14.004" "BLCheck::~ClientExistsInDNSBL()"
"SMTPD" 2568 "2005-06-02 09:23:14.020" "192.168.1.20" "SENT: 250 user@thetethered.com... Sender OK"
"SMTPD" 2568 "2005-06-02 09:23:14.020" "192.168.1.20" "RECEIVED: RCPT TO: <user@thetethered.com>"
"SMTPD" 2568 "2005-06-02 09:23:14.035" "192.168.1.20" "SENT: 250 OK its for user@thetethered.com"
"SMTPD" 2568 "2005-06-02 09:23:14.035" "192.168.1.20" "RECEIVED: DATA"
"SMTPD" 2568 "2005-06-02 09:23:14.051" "192.168.1.20" "SENT: 354 ok send! end with <crlf>.<crlf>"
"DEBUG" 2568 "2005-06-02 09:23:14.207" "PMADO:SaveObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.207" "PMADO:AddObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.223" "Adding message to database. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"DEBUG" 2568 "2005-06-02 09:23:14.223" "PMADO:~AddObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.238" "PMADO:~SaveObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.238" "Message added. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"SMTPD" 2568 "2005-06-02 09:23:14.254" "192.168.1.20" "SENT: 250 Message queued (0.156 seconds)"
"DEBUG" 2656 "2005-06-02 09:23:14.254" "PersistentMessage::ReadObject()"
"SMTPD" 2568 "2005-06-02 09:23:14.270" "192.168.1.20" "RECEIVED: QUIT"
"DEBUG" 2656 "2005-06-02 09:23:14.270" "PersistentMessage::~ReadObject()"
"SMTPD" 2568 "2005-06-02 09:23:14.270" "192.168.1.20" "SENT: 221 goodbye"
"DEBUG" 2568 "2005-06-02 09:23:14.285" "SocketConnection::~SocketConnection()"
"DEBUG" 2588 "2005-06-02 09:23:14.379" "SD:DeliverMessage"
"APPLICATION" 2588 "2005-06-02 09:23:14.410" "SMTPDeliverer - Message 304: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"DEBUG" 2588 "2005-06-02 09:23:14.410" "ClamWinVirusScanner::Scan()"
"DEBUG" 1700 "2005-06-02 09:23:18.660" "SocketConnection::SocketConnection()"
"DEBUG" 1700 "2005-06-02 09:23:18.660" "FML::Acquire: 12-0-E"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Documents and Settings\All Users\.clamwin\db' --include='{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml' --tempdir='C:\WINNT\Temp' - Returned 0"
"DEBUG" 1700 "2005-06-02 09:23:18.676" "FML::Acquire: 12-0-E OK"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::~Scan()"
"DEBUG" 1700 "2005-06-02 09:23:18.692" "FML::Release: 12-0-E"
"DEBUG" 1700 "2005-06-02 09:23:18.738" "FML::Release: 12-0-E OK"
"DEBUG" 1700 "2005-06-02 09:23:18.738" "SocketConnection::~SocketConnection()"
"DEBUG" 2588 "2005-06-02 09:23:18.770" "ClamWinVirusScanner::Scan()"
"DEBUG" 1700 "2005-06-02 09:23:18.785" "SocketConnection::SocketConnection()"
"DEBUG" 1700 "2005-06-02 09:23:18.801" "FML::Acquire: 8-0-E"
"DEBUG" 1700 "2005-06-02 09:23:18.801" "FML::Acquire: 8-0-E OK"
"DEBUG" 1700 "2005-06-02 09:23:18.817" "FML::Release: 8-0-E"
"DEBUG" 1700 "2005-06-02 09:23:18.817" "FML::Release: 8-0-E OK"
"DEBUG" 1700 "2005-06-02 09:23:18.832" "SocketConnection::~SocketConnection()"

Bram
Senior user
Posts: 417
Joined: 2004-05-24 22:57
Location: The Netherlands

Post by Bram » 2005-06-02 19:35

Strange. The return is 0 so there is indeed no virus found.

Do you have the latest updates of your virus definitions?
Have you used the test page for sending viri as described in the documents section?
hmailserver 4.3 (242 Live)
hmailserver 5.0 (605 Test)
Windows 2003
MSSQL
ASSP 1.3.2
ClamAV (SOSDG)
http://www.realdesign.nl

spydr
New user
Posts: 13
Joined: 2005-05-29 18:55
Location: Virginia

Post by spydr » 2005-06-03 02:23

I didn't see the test page before, thanks.
When I send the EICAR virus from that test page, ClamAV catches it:
"APPLICATION" 1764 "2005-06-02 20:20:10.192" "SMTPDeliverer - Message 377: Message attachments stripped (contained virus)."
"APPLICATION" 1764 "2005-06-02 20:20:10.239" "SMTPDeliverer - Message 377: Message delivery thread completed."
But why will ClamAV/hMailServer not catch the virus when I send it from me to me?

spydr
New user
Posts: 13
Joined: 2005-05-29 18:55
Location: Virginia

Post by spydr » 2005-06-03 02:47

I've tested this again.

When I send the EICAR test virus from a local account to a local account there is no virus checking done, but when the EICAR test virus is sent from an external account the virus is removed. Tested from Gmail and that handy dandy test page:
Eicar anti-virus email test

spydr
New user
Posts: 13
Joined: 2005-05-29 18:55
Location: Virginia

Post by spydr » 2005-06-03 03:13

Good news is that I have both ClamAV and Symantec's command line scanner (vpscan) running. Bad news is that they both skip local-to-local emails.
"SMTPD" 3028 "2005-06-02 21:11:13.502" "140.186.45.15" "SENT: 220 smtp.thetethered.com ESMTP"
"SMTPD" 3028 "2005-06-02 21:11:13.595" "140.186.45.15" "RECEIVED: EHLO callisto.your-site.com"
"SMTPD" 3028 "2005-06-02 21:11:13.595" "140.186.45.15" "SENT: 250-hmailserver[nl]250 AUTH LOGIN"
"SMTPD" 3028 "2005-06-02 21:11:13.689" "140.186.45.15" "RECEIVED: MAIL FROM:<eicar@aleph-tec.com>"
"SMTPD" 3028 "2005-06-02 21:11:13.783" "140.186.45.15" "SENT: 250 eicar@aleph-tec.com... Sender OK"
"SMTPD" 3028 "2005-06-02 21:11:13.861" "140.186.45.15" "RECEIVED: RCPT TO:<user@thetethered.com>"
"SMTPD" 3028 "2005-06-02 21:11:13.877" "140.186.45.15" "SENT: 250 OK its for user@thetethered.com"
"SMTPD" 3028 "2005-06-02 21:11:13.939" "140.186.45.15" "RECEIVED: DATA"
"SMTPD" 3028 "2005-06-02 21:11:13.955" "140.186.45.15" "SENT: 354 ok send! end with <crlf>.<crlf>"
"SMTPD" 3028 "2005-06-02 21:11:14.048" "140.186.45.15" "SENT: 250 Message queued (0.078 seconds)"
"SMTPD" 3028 "2005-06-02 21:11:14.127" "140.186.45.15" "RECEIVED: QUIT"
"SMTPD" 3028 "2005-06-02 21:11:14.142" "140.186.45.15" "SENT: 221 goodbye"
"APPLICATION" 3028 "2005-06-02 21:11:14.955" "SMTPDeliverer - Message 390: Delivering message from eicar@aleph-tec.com to user@thetethered.com. File: g:\hMailServer\Data\{B39E42C9-F842-4909-9856-2FE8BA4E9DCD}.eml"
"APPLICATION" 3028 "2005-06-02 21:11:17.158" "SMTPDeliverer - Message 390: Message attachments stripped (contained virus)."
"APPLICATION" 3028 "2005-06-02 21:11:17.220" "SMTPDeliverer - Message 390: Message delivery thread completed."

martin
Developer
Posts: 6837
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2005-06-03 07:50

I think you're missing something. hMailServer doesn't care about who the sender or recipients are when sending an email. Virus scanning is always applied to email messages, regardless of who they're from and to...
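
The thread shows the check that settles this kind of question: the debug log records the exact clamscan command line and its exit code per delivery, so "not scanned" and "scanned and returned 0" can be told apart. Below is an added Python example, not code from the thread or from the hMailServer project, that correlates hMailServer's "Delivering message", "ClamWinVirusScanner::Scan() ... Returned N" and "attachments stripped" lines by message id and thread id, and reports a verdict per message. The sample lines are taken from the logs posted above (messages 304 and 390); the message 999 lines are constructed to exercise the scanner-error branch. The exit-code meanings (0 clean, 1 infected, anything else an error) follow clamscan's documented convention; the ClamWin wrapper may use other codes, as Bram's 'return 50' remark suggests, so treat any non-0/1 value as "investigate paths and definitions".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# hMailServer log fields are double-quoted and space separated; the thread id
# (676, 2588, ...) is the single unquoted number after the category.
FIELD_RE = re.compile(r'"([^"]*)"')
THREAD_RE = re.compile(r'^"[A-Z]+"\s+(\d+)\s')
DELIVER_RE = re.compile(
    r'SMTPDeliverer - Message (\d+): Delivering message from (\S+) to (\S+)\. File: (.+)$')
STRIPPED_RE = re.compile(
    r'SMTPDeliverer - Message (\d+): Message attachments stripped \(contained virus\)')
SCAN_RE = re.compile(r'ClamWinVirusScanner::Scan\(\) - (.+) - Returned (\d+)$')
INCLUDE_RE = re.compile(r"--include='([^']+)'")

# Lines for messages 304 and 390 are copied from the thread; message 999 is constructed.
SAMPLE_LOG = r'''
"APPLICATION" 2588 "2005-06-02 09:23:14.410" "SMTPDeliverer - Message 304: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"DEBUG" 2588 "2005-06-02 09:23:14.410" "ClamWinVirusScanner::Scan()"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Documents and Settings\All Users\.clamwin\db' --include='{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml' --tempdir='C:\WINNT\Temp' - Returned 0"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::~Scan()"
"APPLICATION" 3028 "2005-06-02 21:11:14.955" "SMTPDeliverer - Message 390: Delivering message from eicar@aleph-tec.com to user@thetethered.com. File: g:\hMailServer\Data\{B39E42C9-F842-4909-9856-2FE8BA4E9DCD}.eml"
"APPLICATION" 3028 "2005-06-02 21:11:17.158" "SMTPDeliverer - Message 390: Message attachments stripped (contained virus)."
"APPLICATION" 3028 "2005-06-02 21:11:17.220" "SMTPDeliverer - Message 390: Message delivery thread completed."
"APPLICATION" 4100 "2005-06-02 21:30:00.000" "SMTPDeliverer - Message 999: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{CONSTRUCTED-0000-0000-0000-000000000000}.eml"
"DEBUG" 4100 "2005-06-02 21:30:01.000" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\wrong\path' --include='{CONSTRUCTED-0000-0000-0000-000000000000}.eml' --tempdir='C:\WINNT\Temp' - Returned 2"
'''.strip().splitlines()


@dataclass
class Delivery:
    msg_id: str
    sender: str
    recipient: str
    path: str                           # .eml file hMailServer is delivering
    scanner_cmd: Optional[str] = None   # full clamscan command line, if logged
    scanner_rc: Optional[int] = None    # scanner exit code, if logged
    stripped: bool = False              # hMailServer removed attachments as infected


def parse_line(line: str):
    """Return (category, thread_id, timestamp, message) or None for unparseable lines."""
    m = THREAD_RE.match(line)
    fields = FIELD_RE.findall(line)
    if not m or len(fields) < 3:
        return None
    # SMTPD lines carry an extra client-IP field; the message is always the last field.
    return fields[0], m.group(1), fields[1], fields[-1]


def correlate(lines: List[str]) -> Dict[str, Delivery]:
    """Join delivery, scanner-result and stripped lines into one record per message id."""
    deliveries: Dict[str, Delivery] = {}
    active: Dict[str, str] = {}   # thread id -> message id being delivered on that thread
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _category, thread, _ts, message = parsed
        m = DELIVER_RE.search(message)
        if m:
            msg_id, sender, recipient, path = m.groups()
            deliveries[msg_id] = Delivery(msg_id, sender, recipient, path)
            active[thread] = msg_id
            continue
        m = SCAN_RE.search(message)
        if m and thread in active:
            # The scanner line names no message id; tie it to the delivery on the same thread.
            d = deliveries[active[thread]]
            d.scanner_cmd, d.scanner_rc = m.group(1), int(m.group(2))
            continue
        m = STRIPPED_RE.search(message)
        if m and m.group(1) in deliveries:
            deliveries[m.group(1)].stripped = True
    return deliveries


def verdict(d: Delivery) -> str:
    """Classify a delivery using the stripped flag and the scanner exit code."""
    if d.stripped:
        return "infected: attachments stripped"
    if d.scanner_rc is None:
        return "not scanned: no scanner result logged for this delivery"
    if d.scanner_rc == 0:
        return "clean: scanner returned 0"
    if d.scanner_rc == 1:
        return "infected: scanner returned 1"
    return f"scanner error: returned {d.scanner_rc} (check database path and definitions)"


def scanned_file_matches(d: Delivery) -> Optional[bool]:
    """True if the --include file name handed to clamscan is the .eml being delivered."""
    if d.scanner_cmd is None:
        return None
    m = INCLUDE_RE.search(d.scanner_cmd)
    if not m:
        return False
    delivered_name = d.path.replace("\\", "/").rsplit("/", 1)[-1]
    return m.group(1) == delivered_name


if __name__ == "__main__":
    for d in correlate(SAMPLE_LOG).values():
        print(d.msg_id, d.sender, "->", d.recipient, "|", verdict(d),
              "| scanned file matches:", scanned_file_matches(d))
```

Run it against a full debug log rather than the excerpt: a local-to-local message that shows "clean: scanner returned 0" with a matching file name was scanned and judged clean, which points at the scanner or its definitions; one that shows "not scanned" was never handed to the scanner at all, which points at hMailServer's configuration.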

cgountanis
Normal user
Posts: 105
Joined: 2005-07-01 00:54
Location: USA

Post by cgountanis » 2005-07-15 11:48

