
List:       clamav-users
Subject:    Re: [Clamav-users] false positive - logwatch report marked as virus
From:       b7753361 <b7753361 () yahoo ! com>
Date:       2007-11-25 17:52:14
Message-ID: 13937664.post () talk ! nabble ! com


Update.  The logwatch report contains a whole section of MailScanner
information.  Within the MailScanner section, there is a "Phishing report". 
It seems that the items produced within the Phishing report are matching
signatures within RB-2041.  As a workaround, I can either delete the
Phishing report or configure MailScanner to not produce this level of
logging.  My preference is to keep the Phishing report and configure ClamAV
to allow this item to be "whitelisted" or something similar.  

If anybody has some suggestions for me, I would be most grateful.  



b7753361 wrote:
> 
> Seeking guidance.  My MTA is running Mailscanner 4.65.3 (with sendmail)
> and ClamAV v0.91.2.  The ClamAV was updated yesterday because I was a
> dot-release behind.  Before upgrading clamav, clamd, and clamav-db the
> solution had been running rock-solid for over a year, but since upgrading
> during the holiday, I have discovered that my logwatch report gets marked
> as a virus (all other MTA activity seems to be working as expected).  
> 
> When the output from /etc/cron.daily/0logwatch job is emailed to me, I get
> the following message (the only item I've changed is the name "company"
> was put in place of the real domain);
> 
> The following e-mails were found to have: Virus Detected
> 
> Sender: root@mail2.company.com IP Address: 127.0.0.1
> Recipient: root@mail2.company.com
> Subject: Logwatch for mail2.company.com (Linux)
> MessageID: lANHFDnR007319
> Quarantine: 
> Report: ClamAVModule:  message was infected: Email.Phishing.RB-2041
> 
> Full headers are:
> 
> Return-Path: < g>
> Received: from mail2.company.com (localhost.localdomain [127.0.0.1])
> 	by mail2.company.com (8.13.1/8.13.1) with ESMTP id lANHFDnR007319
> 	for <root@mail2.company.com>; Fri, 23 Nov 2007 10:15:13 -0700
> Full-Name: root
> Received: (from root@localhost)
> 	by mail2.company.com (8.13.1/8.13.1/Submit) id lANHE6jd006772;
> 	Fri, 23 Nov 2007 10:14:06 -0700
> Date: Fri, 23 Nov 2007 10:14:06 -0700
> Message-Id: <200711231714.lANHE6jd006772@mail2.company.com>
> To: root@mail2.company.com
> From: logwatch@mail2.company.com
> Subject: Logwatch for mail2.company.com (Linux)
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> I've been banging my head on this one and I cannot seem to put a finger on
> what changed to cause the logwatch report to get marked as a virus. 
> Output from other scheduled jobs are producing output which is
> successfully being delivered to root and not being marked as a virus.  For
> some reason, something in the logwatch output seems to be matching a
> signature within RB-2041.  This is the point at which I get stuck :-(
> 
> Any help in pointing me in the direction where I can do a better job to
> troubleshoot this is most welcome.  
> 
> Right now my brain is stuck in a re-boot cycle.
> 
> -B
> 
> 

-- 
View this message in context: http://www.nabble.com/false-positive---logwatch-report-marked-as-virus-RB-2041-tf4863262.html#a13937664
 Sent from the clamav-users mailing list archive at Nabble.com.

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html
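The poster is stuck at the step of working out which part of the logwatch report actually matches Email.Phishing.RB-2041. The script below is an added example for this thread, not code from the clamav-users list, ClamAV or MailScanner: it bisects a saved copy of the message against clamscan to find the shortest contiguous run of lines that still triggers the detection, so you can read the matching text (most likely a URL or address in the MailScanner phishing report) before deciding whether to suppress it. It assumes clamscan is on PATH, that clamscan exits 1 on a detection, and that the detection is caused by one contiguous region of the file; the scan_hits function is the only place the scanner is invoked, so it can be swapped for clamdscan or a stub.

```shell
#!/bin/sh
# Bisect a text message (here: a saved logwatch report) against clamscan to
# find the shortest contiguous run of lines that still trips a detection.
# Added example for this thread; not code from the clamav-users list, ClamAV
# or MailScanner. Assumptions: clamscan is on PATH, and the detection is
# caused by one contiguous region of the file, so any prefix or suffix that
# contains that region also triggers it.

# scan_hits FILE: returns 0 when clamscan reports an infection (clamscan
# exits 1 for "virus found", 0 for clean, 2 on error). Redefine this to use
# clamdscan, or a stub, without touching the search logic.
scan_hits() {
    rc=0
    clamscan --no-summary "$1" >/dev/null 2>&1 || rc=$?
    [ "$rc" -eq 1 ]
}

line_count() {
    wc -l < "$1" | tr -d ' '
}

# min_prefix FILE: smallest N such that lines 1..N still trigger (binary search).
min_prefix() {
    file=$1; lo=1; hi=$(line_count "$file"); tmp=$(mktemp)
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        head -n "$mid" "$file" > "$tmp"
        if scan_hits "$tmp"; then hi=$mid; else lo=$((mid + 1)); fi
    done
    rm -f "$tmp"
    echo "$lo"
}

# max_start FILE END: largest M such that lines M..END still trigger.
max_start() {
    file=$1; end=$2; lo=1; hi=$end; tmp=$(mktemp)
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        sed -n "${mid},${end}p" "$file" > "$tmp"
        if scan_hits "$tmp"; then lo=$mid; else hi=$((mid - 1)); fi
    done
    rm -f "$tmp"
    echo "$lo"
}

# find_trigger FILE: prints "START END" (1-based, inclusive) of the minimal
# triggering window; prints "none" and returns 1 if the file scans clean.
find_trigger() {
    if ! scan_hits "$1"; then echo "none"; return 1; fi
    end=$(min_prefix "$1")
    start=$(max_start "$1" "$end")
    echo "$start $end"
}

# Usage: sh find_trigger.sh /path/to/saved/logwatch-report.txt
if [ -n "$1" ]; then
    target=$1
    range=$(find_trigger "$target") || { echo "no detection on $target"; exit 1; }
    start=${range%% *}; end=${range##* }
    echo "lines $start-$end of $target trigger the detection:"
    sed -n "${start},${end}p" "$target"
fi
```

Once the offending lines are known, the choice the poster describes becomes concrete: either keep that text out of the report, or tell ClamAV to skip the signature. The ClamAV signature documentation describes an ignore database for the second option: a file in the database directory that lists signature names to skip (local.ign2 with one signature name per line in later releases; 0.91-era releases used the older .ign format, which also carries the source database name and line number). Note that suppressing the signature applies to every message the scanner sees, not just the logwatch report, which is why it is worth confirming what is actually matching first.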

