Hi there,
Given is a simple AMaViSd setup, utilizing the free scanner from Sophos without SAVDI. ClamAV is disabled in the AMaViSd configuration.
Manual scan works:
---
# sweep -nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef -idedir=/opt/sophos-av/lib/sav --no-reset-atime ./
>>> Virus 'Troj/DocDl-HAW' found in file ./1490084101.M450955P26970V000000000000CA02I0000000000022B1D_60.mail-lsd-is,S=93763:2,S/PROJECT.gz/PROJECT.doc
>>> Virus 'Troj/DocDl-HAW' found in file ./1490084050.M224845P26970V000000000000CA02I0000000000022A6C_26.mail-lsd-is,S=93568:2,S/New.gz/New.doc
---
But this AMaViSd-based configuration does not find the above viruses:
---
@av_scanners = (
['Sophos Anti Virus (sweep)', '/usr/local/bin/sweep', '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef -idedir=/opt/sophos-av/lib/sav --no-reset-atime {}', [0,2], qr/Virus .*? found/m, qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m ]
);
---
The exact same command line options were used.
Surprisingly, a MIME-embedded EICAR attachment is found using AMaViSd without any problems.
Conclusion 1: Sophos's engine can unpack the MIME and archive, detect and even recognize the virus.
Conclusion 2: AMaViSd works properly, since the MIME-embedded EICAR attachment was found.
Conclusion 3: The Sophos 'sweep' is utilized, since nothing else is active in AMaViSd.
So, why is the real virus not being detected using AMaViSd?
Thanks!
Regards
Manuel
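An added diagnostic (not part of Manuel's post, and not amavisd or Sophos code) that reproduces how amavisd turns a scanner's exit code and output into a verdict, using the exit-code list and the two regexes from the @av_scanners entry above. It assumes the field semantics from amavisd.conf-sample (4th field = exit codes meaning clean, 5th = pattern meaning infected, 6th = pattern extracting the virus name); the sample output is the two lines the manual sweep printed, and run_sweep is a hypothetical helper for running the same command line on a directory.

```python
import re
import subprocess

# Patterns copied from the @av_scanners entry in the post (Perl qr//m -> re.M).
INFECTED_RE = re.compile(r"Virus .*? found", re.M)
NAME_RE = re.compile(r"^>>> Virus(?: fragment)? '?(.*?)'? found", re.M)
CLEAN_EXIT_CODES = (0, 2)  # the [0,2] list from the entry

# Option string from the entry, minus the {} placeholder for the scan target.
SWEEP_ARGS = ("-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef "
              "-idedir=/opt/sophos-av/lib/sav --no-reset-atime").split()


def classify(exit_code, output):
    """Assumed amavisd decision order: a line matching the infected pattern
    wins, otherwise a clean exit code means clean, anything else is a scanner
    error (neither clean nor infected, so no virus is ever reported)."""
    if INFECTED_RE.search(output):
        names = NAME_RE.findall(output) or ["unknown"]
        return "infected", names
    if exit_code in CLEAN_EXIT_CODES:
        return "clean", []
    return "error", []


def run_sweep(directory, sweep="/usr/local/bin/sweep"):
    """Hypothetical helper: run sweep exactly as the amavisd entry would on
    'directory' and return (exit_code, verdict). stderr is merged with stdout,
    since only lines that reach amavisd can match the patterns."""
    proc = subprocess.run([sweep, *SWEEP_ARGS, directory],
                          capture_output=True, text=True)
    return proc.returncode, classify(proc.returncode, proc.stdout + proc.stderr)


# Constructed sample: the two lines from the manual scan in the post.
SAMPLE_OUTPUT = (
    ">>> Virus 'Troj/DocDl-HAW' found in file ./1490084101.M450955P26970V000000000000CA02I0000000000022B1D_60.mail-lsd-is,S=93763:2,S/PROJECT.gz/PROJECT.doc\n"
    ">>> Virus 'Troj/DocDl-HAW' found in file ./1490084050.M224845P26970V000000000000CA02I0000000000022A6C_26.mail-lsd-is,S=93568:2,S/New.gz/New.doc\n"
)

if __name__ == "__main__":
    print(classify(3, SAMPLE_OUTPUT))  # the manual scan's output is classified as infected
    print(classify(3, ""))             # silent scanner with unexpected exit code: error, not infected
```

Running run_sweep on the directory amavisd hands to the scanner (as the amavis user, with its environment) shows whether the output that reaches amavisd still contains the `>>> Virus ... found` lines the manual scan printed.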