• Error scanning more than one attach

    By Dario Alonso 2 decades ago

    I'm using clamav as the virus scanner.

    When I send an eicar.zip alone, the antivirus erases the file correctly, but when I send a pdf and the eicar.zip, the antivirus says that it removes the file, but both files arrive at the user.



    These are the logs

    ————————————————————————————————

    28/12/2005 17:32:31:

    28/12/2005 17:32:31: Start with new Note

    28/12/2005 17:32:31:


    28/12/2005 17:32:31: Mail with CD-part-Body found

    28/12/2005 17:32:31: Next Body to check for MIME

    28/12/2005 17:32:31: Checking for MimePart-Body ready:

    28/12/2005 17:32:31: mimenratt equals nratt

    28/12/2005 17:32:31: Found 2 Attachments

    28/12/2005 17:32:31: Scanning Attachment

    28/12/2005 17:32:31: length of szFileName: 256

    28/12/2005 17:32:31: Filename before: eicar.zip

    28/12/2005 17:32:31: Starting while

    28/12/2005 17:32:31: Filename_lower

    28/12/2005 17:32:31: BLOCKID ASCII not found for

    28/12/2005 17:32:31: Filename eicar.zip

    28/12/2005 17:32:31: Creating Directory C:\Lotus\Domino\Data\MailScan\2306

    28/12/2005 17:32:31: Cleaning directory C:\Lotus\Domino\Data\MailScan\2306

    28/12/2005 17:32:31: Extracting to C:\Lotus\Domino\Data\MailScan\2306\1 from eicar.zip

    28/12/2005 17:32:31: Starting scanner with command:

    28/12/2005 17:32:31: ""c:\archivos de programa\ClamWin\bin\clamscan.exe" --database="c:\Documents and settings\All users.clamwin\db" --recursive "C:\Lotus\Domino\Data\MailScan\2306\""

    28/12/2005 17:32:33: Returncode of virusscanner: 01

    28/12/2005 17:32:33: Processing returncode

    28/12/2005 17:32:33: Getting next attachment

    28/12/2005 17:32:33: Processing delete for returncode 01

    28/12/2005 17:32:33: reportswitch equal or smaller than one

    28/12/2005 17:32:33: Processing delete for returncode-index 01

    28/12/2005 17:32:33: Processing Notes-delete for returncode-index 01

    28/12/2005 17:32:33: Start of processDelete for CD (Notes)

    28/12/2005 17:32:33: Processing Bodies

    28/12/2005 17:32:33: Calling EnumCompositeBuffer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: SIG_CD_HOTSPOTBEGIN found

    28/12/2005 17:32:33: HOTSPOTREC_TYPE_FILE found

    28/12/2005 17:32:33: found length one: 009

    28/12/2005 17:32:33: attachment filename: eicar.zip

    28/12/2005 17:32:33: found file - length two: 009

    28/12/2005 17:32:33: original filename: eicar.zip

    28/12/2005 17:32:33: written text: Fichero con Virus eliminado eicar.zip

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: End of SIG_CD_HOTSPOT found

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: SIG_CD_HOTSPOTBEGIN found

    28/12/2005 17:32:33: HOTSPOTREC_TYPE_FILE found

    28/12/2005 17:32:33: found length one: 020

    28/12/2005 17:32:33: attachment filename: Dise_o_formativo.doc

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: Advancing pointer by one

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: ProcessOneCDRecord

    28/12/2005 17:32:33: Advancing pointer

    28/12/2005 17:32:33: Ready with body-items

    28/12/2005 17:32:33: Deleting old Body-Items

    28/12/2005 17:32:33: Appending new Body-Items

    28/12/2005 17:32:33: Ready Appending new Body-Items

    28/12/2005 17:32:33: Remove-filecode 01

    28/12/2005 17:32:33: Remove-filecode 01

    28/12/2005 17:32:33: Not configured to send mail to originator

    28/12/2005 17:32:33: Moving Attachment eicar.zip

    28/12/2005 17:32:33: New Mail From: CN=Administrador_O=vmware

    28/12/2005 17:32:33: filename length 081

    28/12/2005 17:32:33: New filename (part1) : C:\Lotus\Domino\Data\MailScan\quara

    28/12/2005 17:32:33: New filename (part2) : C:\Lotus\Domino\Data\MailScan\quara\CN=Administrador_O=vmware–2306–eicar.zip

    28/12/2005 17:32:33: Extracting attachment C:\Lotus\Domino\Data\MailScan\quara\CN=Administrador_O=vmware–2306–eicar.zip for returncode 01

    28/12/2005 17:32:33: Removing Attachment eicar.zip from mail for returncode 01

    28/12/2005 17:32:33: Scanning Attachment

    28/12/2005 17:32:33: length of szFileName: 256

    28/12/2005 17:32:33: Filename before: Dise_o_formativo.doc

    28/12/2005 17:32:33: Starting while

    28/12/2005 17:32:33: Filename_lower eicar.zip

    28/12/2005 17:32:33: BLOCKID ASCII not found for

    28/12/2005 17:32:33: Filename Dise_o_formativo.doc

    28/12/2005 17:32:33: Creating Directory C:\Lotus\Domino\Data\MailScan\2306

    28/12/2005 17:32:33: Cleaning directory C:\Lotus\Domino\Data\MailScan\2306

    28/12/2005 17:32:33: Extracting to C:\Lotus\Domino\Data\MailScan\2306\2 from Dise_o_formativo.doc

    28/12/2005 17:32:34: Starting scanner with command:

    28/12/2005 17:32:34: ""c:\archivos de programa\ClamWin\bin\clamscan.exe" --database="c:\Documents and settings\All users.clamwin\db" --recursive "C:\Lotus\Domino\Data\MailScan\2306\""

    28/12/2005 17:32:35: Returncode of virusscanner: 00

    28/12/2005 17:32:35: Processing returncode

    28/12/2005 17:32:35: Getting next attachment

    28/12/2005 17:32:35: Processing delete for returncode 00

    28/12/2005 17:32:35: Attachments ready

    28/12/2005 17:32:35: Start of processRC

    28/12/2005 17:32:35: Manipulating Subject by adding for rc00 before=01

    28/12/2005 17:32:35: MimePart. Boundary

    28/12/2005 17:32:35: Not Manipulating. Text is empty for rc00

    28/12/2005 17:32:35: Removing directory C:\Lotus\Domino\Data\MailScan\2306

    28/12/2005 17:32:35: directory C:\Lotus\Domino\Data\MailScan\2306 removed

    28/12/2005 17:32:35: Updating note

    28/12/2005 17:32:35:

    28/12/2005 17:32:35: processNote ready

    28/12/2005 17:32:35:


    ————————————————————————————————



    And this is the configuration I use:

    commandline = c:\archivos de programa\clamwin\bin\clamscan.exe

    parameters = --database="c:\documents and settings\all users.clamwin\db" --recursive





    returncode=0

    text=""

    text before subject = yes

    delete attachment = no



    returncode=1

    text=VIRUS FOUND

    text before subject = yes

    delete attachment= yes - rename in filesystem
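
A per-attachment reading of the debug log above, as an added example that is not part of the original post or of the scanner's own code. It assumes the line formats seen in this log and the posted rule that returncode 1 means delete; the function names are hypothetical.

```python
import re

# Lines copied from the log in the post (only the ones the parser reads).
SAMPLE_LOG = """
28/12/2005 17:32:31: Found 2 Attachments
28/12/2005 17:32:31: Scanning Attachment
28/12/2005 17:32:31: Filename before: eicar.zip
28/12/2005 17:32:33: Returncode of virusscanner: 01
28/12/2005 17:32:33: Removing Attachment eicar.zip from mail for returncode 01
28/12/2005 17:32:33: Scanning Attachment
28/12/2005 17:32:33: Filename before: Dise_o_formativo.doc
28/12/2005 17:32:35: Returncode of virusscanner: 00
28/12/2005 17:32:35: Attachments ready
"""
LINE = re.compile(r"^\s*\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\s?(.*)$")

def summarize(log_text):
    """Return (declared_count, [{name, returncode, removal_logged}, ...])."""
    declared, items, cur = None, [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if (c := re.fullmatch(r"Found (\d+) Attachments", msg)):
            declared = int(c.group(1))
        elif msg == "Scanning Attachment":      # start of a new attachment block
            cur = {"name": None, "returncode": None, "removal_logged": False}
            items.append(cur)
        elif cur is not None and msg.startswith("Filename before: "):
            cur["name"] = msg[len("Filename before: "):]
        elif cur is not None and (r := re.fullmatch(r"Returncode of virusscanner: (\d+)", msg)):
            cur["returncode"] = int(r.group(1))
        elif (d := re.fullmatch(r"Removing Attachment (.+) from mail for returncode (\d+)", msg)):
            for it in items:
                it["removal_logged"] |= (it["name"] == d.group(1))
    return declared, items

def inconsistencies(declared, items):
    """List points where the log contradicts itself (count mismatch, flagged file not removed)."""
    problems = []
    if declared is not None and declared != len(items):
        problems.append(f"log declared {declared} attachments but scanned {len(items)}")
    for it in items:
        if it["returncode"] is None:
            problems.append(f"{it['name']}: no scanner return code logged")
        elif it["returncode"] != 0 and not it["removal_logged"]:
            problems.append(f"{it['name']}: returncode {it['returncode']} but no removal logged")
    return problems
```

On the lines from this post the list of inconsistencies is empty: the log records returncode 01 and a removal for eicar.zip, so the log alone does not show the fault and the delivered message has to be compared against it.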