Seeking guidance. My MTA is running MailScanner 4.65.3 (with sendmail) and
ClamAV v0.91.2. The ClamAV was updated yesterday because I was a
dot-release behind. Before upgrading clamav, clamd, and clamav-db the
solution had been running rock-solid for over a year, but since upgrading
during the holiday, I have discovered that my logwatch report gets marked as
a virus (all other MTA activity seems to be working as expected).
When the output from the /etc/cron.daily/0logwatch job is emailed to me, I get
the following message (the only item I've changed is that the name "company"
was put in place of the real domain):
The following e-mails were found to have: Virus Detected
Sender: [EMAIL PROTECTED] IP Address: 127.0.0.1
Recipient: [EMAIL PROTECTED]
Subject: Logwatch for mail2.company.com (Linux)
MessageID: lANHFDnR007319
Quarantine:
Report: ClamAVModule: message was infected: Email.Phishing.RB-2041
Full headers are:
Return-Path: <g>
Received: from mail2.company.com (localhost.localdomain [127.0.0.1])
by mail2.company.com (8.13.1/8.13.1) with ESMTP id lANHFDnR007319
for <[EMAIL PROTECTED]>; Fri, 23 Nov 2007 10:15:13 -0700
Full-Name: root
Received: (from [EMAIL PROTECTED])
by mail2.company.com (8.13.1/8.13.1/Submit) id lANHE6jd006772;
Fri, 23 Nov 2007 10:14:06 -0700
Date: Fri, 23 Nov 2007 10:14:06 -0700
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
Subject: Logwatch for mail2.company.com (Linux)
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="iso-8859-1"
I've been banging my head on this one and I cannot seem to put a finger on
what changed to cause the logwatch report to get marked as a virus. Other
scheduled jobs are producing output which is successfully being delivered to
root and not being marked as a virus. For some reason, something in the
logwatch output seems to be matching a signature within RB-2041. This is the
point at which I get stuck :-(
Any help in pointing me in the direction where I can do a better job to
troubleshoot this is most welcome.
Right now my brain is stuck in a re-boot cycle.
-B
--
View this message in context:
http://www.nabble.com/false-positive---logwatch-report-marked-as-virus-RB-2041-tf4863262.html#a13917052
Sent from the clamav-users mailing list archive at Nabble.com.
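One way to find which lines of the logwatch output are tripping the signature, as an added example that is not part of the original post: take the quarantined message from the MailScanner quarantine directory and bisect its lines with clamscan until only the smallest contiguous block that still gets flagged is left. It assumes clamscan is on PATH and that a superset of a flagged block is also flagged (true for plain content signatures); the detector is pluggable, so the same isolation works with any function that answers "flagged or not" for a chunk of text.

```python
"""Isolate the lines of a message that trip a ClamAV signature (added example)."""
import os
import subprocess
import tempfile
from typing import Callable, List, Tuple


def clamscan_flags(text: str) -> bool:
    """Return True if clamscan reports the text as infected (exit status 1).
    Exit status 0 means clean, 2 means a scanner error (treated as not flagged)."""
    fd, path = tempfile.mkstemp(suffix=".eml")
    try:
        with os.fdopen(fd, "w", encoding="iso-8859-1") as fh:
            fh.write(text)
        result = subprocess.run(["clamscan", "--no-summary", path],
                                capture_output=True, text=True)
        return result.returncode == 1
    finally:
        os.unlink(path)


def isolate_trigger(lines: List[str], flagged: Callable[[str], bool]) -> Tuple[int, int]:
    """Return (lo, hi) so that lines[lo:hi] is the smallest contiguous block
    that is still flagged. Each boundary is found by binary search, which
    relies on detection being monotone: a block containing the match is flagged."""
    if not flagged("".join(lines)):
        raise ValueError("whole input is not flagged; nothing to isolate")
    hi = len(lines)
    # Largest lo such that lines[lo:hi] is still flagged (lo = 0 is known good).
    a, b = 0, hi - 1
    while a < b:
        mid = (a + b + 1) // 2
        if flagged("".join(lines[mid:hi])):
            a = mid
        else:
            b = mid - 1
    lo = a
    # Smallest hi such that lines[lo:hi] is still flagged (hi = len is known good).
    a, b = lo + 1, hi
    while a < b:
        mid = (a + b) // 2
        if flagged("".join(lines[lo:mid])):
            b = mid
        else:
            a = mid + 1
    return lo, a


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], encoding="iso-8859-1") as fh:
        body = fh.readlines()
    lo, hi = isolate_trigger(body, clamscan_flags)
    print(f"signature trips on lines {lo + 1}-{hi}:\n" + "".join(body[lo:hi]))
```

Run it as `python3 isolate.py /path/to/quarantined/message.eml`; the printed lines are what to compare against the RB-2041 signature (sigtool --find-sigs / --decode-sigs) when deciding whether to whitelist or report the false positive.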