Eicar Testing

Michael D. Wood mike at itsecuritypros.org
Fri Sep 7 12:00:30 CEST 2012

I just tested with mine to see if it would detect it from the body of the
e-mail and indeed it does.  This was done by placing the EICAR test string
in the body of the e-mail.   My setup is pretty much the same except I’m
using dovecot.


Things that are popping up in my head to check would be:


/etc/amavis/conf.d/15-content_filter_mode      <- make sure amavis is set to
use clamav and spamassassin (disabled by default)


/etc/amavis/conf.d/15-av_scanners  <- make sure clamd is configured here, also
check to make sure clamd is running


### http://www.clamav.net/
   \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd.ctl"],
   qr/\bOK$/m, qr/\bFOUND$/m,
   qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],


Here is the e-mail alerting me that I had sent out the malicious e-mail:



Our content checker found

    virus: Eicar-Test-Signature


in email presumably from you <mike at itsecuritypros.org> to the following

-> xxxxxxxx at gmail.com


Our internal reference code for your message is 13692-11/mMgsaVaBvzxz


First upstream SMTP client IP address: [] pfsense.xxxx.xxxx
According to a 'Received:' trace, the message originated at:

  michaellaptop pfsense.xxxxx.xxxxx [] Authenticated sender:

  mike at itsecuritypros.org


Return-Path: <mike at itsecuritypros.org>

From: "Michael D. Wood" <mike at itsecuritypros.org>

Message-ID: <00dc01cd8cdd$ab298b20$017ca160$@itsecuritypros.org>


Delivery of the email was stopped!


Please check your system for viruses,

or ask your system administrator to do so.



Michael D. Wood




From: amavis-users-bounces+mike=itsecuritypros.org at amavis.org
[mailto:amavis-users-bounces+mike=itsecuritypros.org at amavis.org] On Behalf
Of Jayanta Ghosh
Sent: Friday, September 07, 2012 5:36 AM
To: amavis-users at amavis.org
Subject: Eicar Testing


Dear List,


I have configured a mail server on RHEL 6.1(64 Bit) with the following

1. Postfix

2. Courier-authlib

3. Courier-imap

4. MySql

5. Maildrop

6. Spamassassin

7. Clamav

8. Amavis-new


     The mail server is functioning properly. But I was testing the
functionality of Amavis-new & Clamav. I was testing this by sending the
EICAR string. The issue is when I am sending the EICAR string in the body of
the email the Amavis is not detecting any virus pattern in it and eventually
the email is passed by Amavis. But when I am sending the same EICAR string
as an attachment (A text file containing the string ) then the Amavis is
blocking the mail from getting delivered. 


My query is do I need to change any of the settings in the clamd.conf or
amavisd.conf file, so that the EICAR string written in the body of the email
will be blocked by amavis. I am also attaching both the configuration


Kindly help.
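
The two checks listed in the reply at the top of this thread can be scripted. The following is an added example, not part of the original posts and not amavisd-new or Debian code. It assumes the Debian conf.d layout, where virus and spam checks stay off until the @bypass_virus_checks_maps and @bypass_spam_checks_maps assignments in 15-content_filter_mode are uncommented; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not amavisd-new or Debian code. Assumes the Debian conf.d
# layout, where virus/spam checks stay off until the @bypass_*_maps
# assignments in 15-content_filter_mode are uncommented.

# True if FILE has an active @VAR assignment that is not the "(1)" bypass.
maps_enabled() {
    grep -E "^[[:space:]]*@$1[[:space:]]*=" "$2" |
        grep -Evq '=[[:space:]]*\([[:space:]]*1[[:space:]]*\)'
}

# Print the clamd socket path from the first active CONTSCAN entry.
clamd_socket() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n 's/.*CONTSCAN {}\\n",[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

# amavis_av_audit MODE_FILE SCANNERS_FILE
# Prints one finding per line; returns 0 only when every check passes.
amavis_av_audit() {
    mode_file=$1; scanners_file=$2; rc=0
    for var in bypass_virus_checks_maps bypass_spam_checks_maps; do
        if maps_enabled "$var" "$mode_file"; then
            echo "OK   @$var is active in $mode_file"
        else
            echo "FAIL @$var is commented out, missing or (1) in $mode_file"
            rc=1
        fi
    done
    sock=$(clamd_socket "$scanners_file")
    if [ -z "$sock" ]; then
        echo "FAIL no active clamd CONTSCAN entry in $scanners_file"; rc=1
    elif [ -S "$sock" ]; then
        echo "OK   clamd socket $sock exists"
    else
        echo "FAIL clamd socket $sock not found (is clamd running?)"; rc=1
    fi
    return "$rc"
}

# Run only when both file paths are given on the command line.
if [ "$#" -eq 2 ]; then
    amavis_av_audit "$1" "$2"
fi
```

Run it with the paths to 15-content_filter_mode and 15-av_scanners as the two arguments. An existing socket file only shows that clamd created it, so a FOUND result on a test message remains the real confirmation.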



