Hmm, looks like there is one single variable containing the last detected virus name and several threads writing to and reading from this variable...
Markus

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darrell ([EMAIL PROTECTED])
> Sent: Friday, October 28, 2005 6:44 PM
> To: [email protected]
> Subject: Re: [Declude.Virus] Virus name reported as different than what scanner detected.
>
> A little more checking and this seems to be happening on any
> message infected with a virus.... Possible bug...
>
> Running 3.x, AVAFTERJM, with EXITSCANONVIRUSDETECT ON
>
> 10/28/2005 00:39:56.359 qab8ff7a40618ffdf.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
> 10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Virus scanner 1 reports exit code of 3
> 10/28/2005 00:41:47.968 qabfaf7c50618004e.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-details.zip [11] O
> 10/28/2005 00:41:47.984 qabfaf7c50618004e.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
> 10/28/2005 00:56:05.015 qaf506d06099e03ac.smd Scanner 1: Virus= W32/[EMAIL PROTECTED] Attachment=email-password.zip [11] O
> 10/28/2005 00:56:05.015 qaf506d06099e03ac.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 3]
>
> Darrell ([EMAIL PROTECTED]) writes:
>
> > Anyone seen this before? The message (attachment) has the W97M/Thus
> > Virus and is detected by McAfee as having such, but the final virus
> > string somehow ends up at Netsky?
> >
> > Darrell
> >
> > x:\imail\spool>grep -i q41c378d5099ed6c9.smd vir1028.log
> > 10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd Vulnerability flags = 0
> > 10/28/2005 11:21:09.718 q41c378d5099ed6c9.smd MIME file: HD New Look list.doc [base64; Length=59 904 Checksum=2996157]
> > 10/28/2005 11:21:10.750 q41c378d5099ed6c9.smd Virus scanner 1 reports exit code of 0
> > 10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Virus scanner 2 reports exit code of 13
> > 10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=HD New Look List.doc [11] I
> > 10/28/2005 11:21:11.359 q41c378d5099ed6c9.smd File(s) are INFECTED [ W32/[EMAIL PROTECTED]: 13]
> > 10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Scanned: CONTAINS A VIRUS [MIME: 2 60102]
> > 10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd From: [EMAIL PROTECTED] To: [EMAIL PROTECTED] [ incoming from 64.207.161.182]
> > 10/28/2005 11:21:32.796 q41c378d5099ed6c9.smd Subject: Here we go Again - Proposal
> >
> > ------------------------------------------------------------------------
> > Check out http://www.invariantsystems.com for utilities for Declude
> > And Imail. IMail/Declude Overflow Queue Monitoring, SURBL/URI
> > integration, MRTG Integration, and Log Parsers.
>
> ---
> This E-mail came from the Declude.Virus mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus". The archives can be found
> at http://www.mail-archive.com.
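
A log check for the symptom reported in this thread, added here as an example (it is not part of the original messages and not Declude code): it groups records by spool file and flags messages whose final `File(s) are INFECTED` name was not reported by any scanner for that same message. The sample lines, the spool names and `W32/Constructed.A` are constructed, and one log record per line is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpts above, one record per line.
# Spool names and "W32/Constructed.A" are made up for this example.
SAMPLE_LOG = """\
10/28/2005 11:21:11.359 q0000000000000001.smd Virus scanner 2 reports exit code of 13
10/28/2005 11:21:11.359 q0000000000000002.smd Scanner 1: Virus= W32/Constructed.A Attachment=details.zip [11] O
10/28/2005 11:21:11.359 q0000000000000001.smd Scanner 2: Virus= the W97M/Thus.gen Attachment=New Look List.doc [11] I
10/28/2005 11:21:11.375 q0000000000000002.smd File(s) are INFECTED [ W32/Constructed.A: 3]
10/28/2005 11:21:11.375 q0000000000000001.smd File(s) are INFECTED [ W32/Constructed.A: 13]
"""

RECORD = re.compile(r"^\S+ \S+ (\S+\.smd) (.*)$")
SCANNER = re.compile(r"^Scanner \d+: Virus= (.*?) Attachment=")
FINAL = re.compile(r"^File\(s\) are INFECTED \[(.*): \d+\]$")


def normalize(name):
    """Trim whitespace and the leading article some scanners emit ("the X")."""
    name = name.strip()
    return name[4:] if name.lower().startswith("the ") else name


def find_name_mismatches(log_text):
    """Return (spool, final_name, scanner_names) for each message whose final
    virus name was not reported by any scanner for that same spool file."""
    reported = defaultdict(set)   # spool file -> names seen on "Scanner N:" lines
    mismatches = []
    for raw in log_text.splitlines():
        rec = RECORD.match(raw.strip())
        if not rec:
            continue
        spool, message = rec.groups()
        hit = SCANNER.match(message)
        if hit:
            reported[spool].add(normalize(hit.group(1)))
            continue
        final = FINAL.match(message)
        # Without a scanner line for this spool there is nothing to compare to.
        if final and reported[spool]:
            name = normalize(final.group(1))
            if name not in reported[spool]:
                mismatches.append((spool, name, sorted(reported[spool])))
    return mismatches


if __name__ == "__main__":
    for spool, name, seen in find_name_mismatches(SAMPLE_LOG):
        print(f"{spool}: final name {name!r}, scanners reported {seen}")
```

Records from concurrently scanned messages interleave in the log, which is why the check keys on the spool file name rather than on line order.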
