ClamAV and the Eicar test virus

Posted: 2005-06-01 06:32
by spydr
I have hMailServer 4.10 and ClamAV 0.85.1
The paths are set correctly in hMail but the eicar test virus still gets through.
ClamAV finds the test virus on the hard drive when I do a manual scan.

Any Ideas?

Posted: 2005-06-01 06:50
by Bram
Post your hMailServer log here. Probably you got a 'return 50' error, which means your virus definitions are not found.

Posted: 2005-06-01 11:25
by abgar
I have the same problem with hMail 3.4.1 and ClamWin. No reaction to the eicar test. No errors recorded in the log file.

My SMTP and APP log for the test virus

Posted: 2005-06-01 15:08
by spydr
"SMTPD" 676 "2005-06-01 00:21:57.554" "192.168.1.20" "SENT: 220 smtp.thetethered.com ESMTP"
"SMTPD" 676 "2005-06-01 00:21:57.569" "192.168.1.20" "RECEIVED: HELO trebuchet"
"SMTPD" 676 "2005-06-01 00:21:57.569" "192.168.1.20" "SENT: 250 Hello. Pleased to meet you"
"SMTPD" 676 "2005-06-01 00:21:57.585" "192.168.1.20" "RECEIVED: MAIL FROM: <user@thetethered.com>"
"SMTPD" 676 "2005-06-01 00:21:57.960" "192.168.1.20" "SENT: 250 user@thetethered.com... Sender OK"
"SMTPD" 676 "2005-06-01 00:21:57.960" "192.168.1.20" "RECEIVED: RCPT TO: <user@thetethered.com>"
"SMTPD" 676 "2005-06-01 00:21:57.976" "192.168.1.20" "SENT: 250 OK its for user@thetethered.com"
"SMTPD" 676 "2005-06-01 00:21:57.991" "192.168.1.20" "RECEIVED: DATA"
"SMTPD" 676 "2005-06-01 00:21:57.991" "192.168.1.20" "SENT: 354 ok send! end with <crlf>.<crlf>"
"SMTPD" 676 "2005-06-01 00:21:58.163" "192.168.1.20" "SENT: 250 Message queued (0.156 seconds)"
"SMTPD" 676 "2005-06-01 00:21:58.179" "192.168.1.20" "RECEIVED: QUIT"
"SMTPD" 676 "2005-06-01 00:21:58.179" "192.168.1.20" "SENT: 221 goodbye"
"APPLICATION" 3028 "2005-06-01 00:21:58.194" "SMTPDeliverer - Message 168: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{4F486864-6216-48F6-B98E-B4357E92EE2B}.eml"
"APPLICATION" 3028 "2005-06-01 00:22:03.694" "SMTPDeliverer - Message 168: Message delivery thread completed."

Posted: 2005-06-01 15:13
by GlenC
You'll need to enable Debug logging to see what the return codes are for your virus scanner.

Posted: 2005-06-01 16:19
by TheAngryPenguin
AFAIK, ClamAV's antivirus databases do not include a signature for eicar.

Posted: 2005-06-01 17:28
by martin
I'm pretty sure ClamAV includes a signature for eicar. I've tested eicar with ClamWin myself several times. The only way to continue is to turn on the debug log to see what ClamScan returns. Without the debug log, we can only guess.

Log with debug

Posted: 2005-06-02 15:39
by spydr
There might be some extra stuff in the log but I didn't want to miss anything.

FYI: ClamAV does pick up the Eicar test virus when I do a manual scan.

"DEBUG" 2568 "2005-06-02 09:23:13.379" "SocketConnection::SocketConnection()"
"SMTPD" 2568 "2005-06-02 09:23:13.395" "192.168.1.20" "SENT: 220 smtp.thetethered.com ESMTP"
"SMTPD" 2568 "2005-06-02 09:23:13.395" "192.168.1.20" "RECEIVED: HELO trebuchet"
"SMTPD" 2568 "2005-06-02 09:23:13.410" "192.168.1.20" "SENT: 250 Hello. Pleased to meet you"
"SMTPD" 2568 "2005-06-02 09:23:13.426" "192.168.1.20" "RECEIVED: MAIL FROM: <user@thetethered.com>"
"DEBUG" 2568 "2005-06-02 09:23:13.426" "BLCheck::ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.442" "ADORecordset::_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.442" "ADORecordset::~_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.598" "BLCheck::~ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.613" "BLCheck::ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.613" "ADORecordset::_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.613" "ADORecordset::~_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.801" "BLCheck::~ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.801" "BLCheck::ClientExistsInDNSBL()"
"DEBUG" 2568 "2005-06-02 09:23:13.817" "ADORecordset::_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:13.879" "ADORecordset::~_GetRevertedIP()"
"DEBUG" 2568 "2005-06-02 09:23:14.004" "BLCheck::~ClientExistsInDNSBL()"
"SMTPD" 2568 "2005-06-02 09:23:14.020" "192.168.1.20" "SENT: 250 user@thetethered.com... Sender OK"
"SMTPD" 2568 "2005-06-02 09:23:14.020" "192.168.1.20" "RECEIVED: RCPT TO: <user@thetethered.com>"
"SMTPD" 2568 "2005-06-02 09:23:14.035" "192.168.1.20" "SENT: 250 OK its for user@thetethered.com"
"SMTPD" 2568 "2005-06-02 09:23:14.035" "192.168.1.20" "RECEIVED: DATA"
"SMTPD" 2568 "2005-06-02 09:23:14.051" "192.168.1.20" "SENT: 354 ok send! end with <crlf>.<crlf>"
"DEBUG" 2568 "2005-06-02 09:23:14.207" "PMADO:SaveObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.207" "PMADO:AddObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.223" "Adding message to database. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"DEBUG" 2568 "2005-06-02 09:23:14.223" "PMADO:~AddObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.238" "PMADO:~SaveObject()"
"DEBUG" 2568 "2005-06-02 09:23:14.238" "Message added. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"SMTPD" 2568 "2005-06-02 09:23:14.254" "192.168.1.20" "SENT: 250 Message queued (0.156 seconds)"
"DEBUG" 2656 "2005-06-02 09:23:14.254" "PersistentMessage::ReadObject()"
"SMTPD" 2568 "2005-06-02 09:23:14.270" "192.168.1.20" "RECEIVED: QUIT"
"DEBUG" 2656 "2005-06-02 09:23:14.270" "PersistentMessage::~ReadObject()"
"SMTPD" 2568 "2005-06-02 09:23:14.270" "192.168.1.20" "SENT: 221 goodbye"
"DEBUG" 2568 "2005-06-02 09:23:14.285" "SocketConnection::~SocketConnection()"
"DEBUG" 2588 "2005-06-02 09:23:14.379" "SD:DeliverMessage"
"APPLICATION" 2588 "2005-06-02 09:23:14.410" "SMTPDeliverer - Message 304: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"DEBUG" 2588 "2005-06-02 09:23:14.410" "ClamWinVirusScanner::Scan()"
"DEBUG" 1700 "2005-06-02 09:23:18.660" "SocketConnection::SocketConnection()"
"DEBUG" 1700 "2005-06-02 09:23:18.660" "FML::Acquire: 12-0-E"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --database='C:\Documents and Settings\All Users\.clamwin\db' --include='{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml' --tempdir='C:\WINNT\Temp' - Returned 0"
"DEBUG" 1700 "2005-06-02 09:23:18.676" "FML::Acquire: 12-0-E OK"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::~Scan()"
"DEBUG" 1700 "2005-06-02 09:23:18.692" "FML::Release: 12-0-E"
"DEBUG" 1700 "2005-06-02 09:23:18.738" "FML::Release: 12-0-E OK"
"DEBUG" 1700 "2005-06-02 09:23:18.738" "SocketConnection::~SocketConnection()"
"DEBUG" 2588 "2005-06-02 09:23:18.770" "ClamWinVirusScanner::Scan()"
"DEBUG" 1700 "2005-06-02 09:23:18.785" "SocketConnection::SocketConnection()"
"DEBUG" 1700 "2005-06-02 09:23:18.801" "FML::Acquire: 8-0-E"
"DEBUG" 1700 "2005-06-02 09:23:18.801" "FML::Acquire: 8-0-E OK"
"DEBUG" 1700 "2005-06-02 09:23:18.817" "FML::Release: 8-0-E"
"DEBUG" 1700 "2005-06-02 09:23:18.817" "FML::Release: 8-0-E OK"
"DEBUG" 1700 "2005-06-02 09:23:18.832" "SocketConnection::~SocketConnection()"

Posted: 2005-06-02 19:35
by Bram
Strange. The return is 0 so there is indeed no virus found.

Do you have the latest updates of your virus definitions?
Have you used the test page for sending viri as described in the documents-section?

Posted: 2005-06-03 02:23
by spydr
I didn't see the test page before, thanks.
When I send the eicar virus from that test page ClamAV catches it:
"APPLICATION" 1764 "2005-06-02 20:20:10.192" "SMTPDeliverer - Message 377: Message attachments stripped (contained virus)."
"APPLICATION" 1764 "2005-06-02 20:20:10.239" "SMTPDeliverer - Message 377: Message delivery thread completed."
But why will ClamAV/hMailServer not catch the virus when I send it from me to me?

Posted: 2005-06-03 02:47
by spydr
I've tested this again.

When I send the Eicar test virus from a local account to a local account there is no virus checking done, but when the Eicar test virus is sent from an external account the virus is removed. Tested from gmail and that handy dandy test page:
Eicar anti-virus email test

Posted: 2005-06-03 03:13
by spydr
Good news is that I have both ClamAV and Symantec's command line scanner (vpscan) running. Bad news is that they both skip local-to-local emails.

"SMTPD" 3028 "2005-06-02 21:11:13.502" "140.186.45.15" "SENT: 220 smtp.thetethered.com ESMTP"
"SMTPD" 3028 "2005-06-02 21:11:13.595" "140.186.45.15" "RECEIVED: EHLO callisto.your-site.com"
"SMTPD" 3028 "2005-06-02 21:11:13.595" "140.186.45.15" "SENT: 250-hmailserver[nl]250 AUTH LOGIN"
"SMTPD" 3028 "2005-06-02 21:11:13.689" "140.186.45.15" "RECEIVED: MAIL FROM:<eicar@aleph-tec.com>"
"SMTPD" 3028 "2005-06-02 21:11:13.783" "140.186.45.15" "SENT: 250 eicar@aleph-tec.com... Sender OK"
"SMTPD" 3028 "2005-06-02 21:11:13.861" "140.186.45.15" "RECEIVED: RCPT TO:<user@thetethered.com>"
"SMTPD" 3028 "2005-06-02 21:11:13.877" "140.186.45.15" "SENT: 250 OK its for user@thetethered.com"
"SMTPD" 3028 "2005-06-02 21:11:13.939" "140.186.45.15" "RECEIVED: DATA"
"SMTPD" 3028 "2005-06-02 21:11:13.955" "140.186.45.15" "SENT: 354 ok send! end with <crlf>.<crlf>"
"SMTPD" 3028 "2005-06-02 21:11:14.048" "140.186.45.15" "SENT: 250 Message queued (0.078 seconds)"
"SMTPD" 3028 "2005-06-02 21:11:14.127" "140.186.45.15" "RECEIVED: QUIT"
"SMTPD" 3028 "2005-06-02 21:11:14.142" "140.186.45.15" "SENT: 221 goodbye"
"APPLICATION" 3028 "2005-06-02 21:11:14.955" "SMTPDeliverer - Message 390: Delivering message from eicar@aleph-tec.com to user@thetethered.com. File: g:\hMailServer\Data\{B39E42C9-F842-4909-9856-2FE8BA4E9DCD}.eml"
"APPLICATION" 3028 "2005-06-02 21:11:17.158" "SMTPDeliverer - Message 390: Message attachments stripped (contained virus)."
"APPLICATION" 3028 "2005-06-02 21:11:17.220" "SMTPDeliverer - Message 390: Message delivery thread completed."

Posted: 2005-06-03 07:50
by martin
I think you're missing something. hMailServer doesn't care who the sender or recipients are when sending an email. Virus scanning is always applied to email messages, regardless of who they're from and to...
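A log audit for the situation debated in this thread, added here as an example (not code from hMailServer or from any poster): it reads hMailServer 4.x log lines in the format quoted above, ties each SMTPDeliverer delivery to the ClamWin scanner return code logged on the same thread id and to any "attachments stripped" line, and reports which deliveries got a scanner verdict. The sample log is constructed in that format; message id 999 and thread 4100 are made up.

```python
import re
# Patterns for the log format quoted above. SMTPD lines carry a client IP between the
# timestamp and the message; APPLICATION and DEBUG lines do not, hence the optional group.
LINE_RE = re.compile(r'^"(\w+)" (\d+) "[^"]+" (?:"[^"]+" )?"(.*)"$')
DELIVER_RE = re.compile(r'SMTPDeliverer - Message (\d+): Delivering message from (\S+) to (\S+)\.')
RETURN_RE = re.compile(r'VirusScanner::Scan\(\) - .* - Returned (-?\d+)$')
STRIPPED_RE = re.compile(r'SMTPDeliverer - Message (\d+): Message attachments stripped \(contained virus\)')

# Constructed sample: a local-to-local delivery whose scan returned 0, an external delivery
# that was stripped, and one delivery (id 999, made up) with no scanner line at all.
SAMPLE_LOG = r'''
"APPLICATION" 2588 "2005-06-02 09:23:14.410" "SMTPDeliverer - Message 304: Delivering message from user@thetethered.com to user@thetethered.com. File: g:\hMailServer\Data\{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml"
"DEBUG" 2588 "2005-06-02 09:23:14.410" "ClamWinVirusScanner::Scan()"
"DEBUG" 2588 "2005-06-02 09:23:18.676" "ClamWinVirusScanner::Scan() - C:\Program Files\ClamWin\bin\clamscan.exe --include='{DC623C6C-1ED0-4330-AB73-C1C90678BA44}.eml' - Returned 0"
"APPLICATION" 3028 "2005-06-02 21:11:14.955" "SMTPDeliverer - Message 390: Delivering message from eicar@aleph-tec.com to user@thetethered.com. File: g:\hMailServer\Data\{B39E42C9-F842-4909-9856-2FE8BA4E9DCD}.eml"
"APPLICATION" 3028 "2005-06-02 21:11:17.158" "SMTPDeliverer - Message 390: Message attachments stripped (contained virus)."
"APPLICATION" 4100 "2005-06-02 22:00:00.000" "SMTPDeliverer - Message 999: Delivering message from a@thetethered.com to b@thetethered.com. File: g:\hMailServer\Data\{CONSTRUCTED}.eml"
'''

def parse_deliveries(log_text):
    """Map message id -> {sender, recipient, codes, stripped}; scanner return codes are attached to the delivery running on the same thread id."""
    deliveries, current = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tid, msg = m.group(2), m.group(3)
        if d := DELIVER_RE.search(msg):
            deliveries[d.group(1)] = {"sender": d.group(2), "recipient": d.group(3), "codes": [], "stripped": False}
            current[tid] = d.group(1)
        elif (r := RETURN_RE.search(msg)) and tid in current:
            deliveries[current[tid]]["codes"].append(int(r.group(1)))
        elif (s := STRIPPED_RE.search(msg)) and s.group(1) in deliveries:
            deliveries[s.group(1)]["stripped"] = True
    return deliveries

def audit(log_text):
    """Return (id, sender, recipient, verdict) per delivery, lowest message id first.
    clamscan exits 0 for clean and 1 for infected; any other code is a scanner error (the 'return 50' mentioned earlier in the thread falls in that bucket)."""
    report = []
    for mid, d in sorted(parse_deliveries(log_text).items(), key=lambda kv: int(kv[0])):
        if d["stripped"]:
            verdict = "virus found, attachments stripped"
        elif not d["codes"]:
            verdict = "no scanner activity logged (enable Debug logging to confirm)"
        elif all(c == 0 for c in d["codes"]):
            verdict = "scanned, clean"
        else:
            verdict = "scanner returned %s without stripping: 1 means infected, other values a scanner error" % d["codes"]
        report.append((mid, d["sender"], d["recipient"], verdict))
    return report
```

Run `audit()` over the full hMailServer log with Debug logging enabled; a local-to-local message that shows "scanned, clean" was in fact scanned, which is what martin's reply asserts.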

Posted: 2005-07-15 11:48
by cgountanis