On 2020-05-12 brunoc68 <bug...@abcreseau.com> wrote:
> On 11/05/2020 at 17:24, Andreas Metzler wrote:
[...]
> > Are you positive you are testing this correctly?
> > swaks -s mail.server -f sender@address -t rcpt@adress --body 'X5O!P...'
> > Replace X5O!P... with the full test string from
> > https://en.wikipedia.org/wiki/EICAR_test_file

> Dear Andreas,
> With the command line you suggested it is detected as virus.
> As soon as I add text before and after the EICAR signature, it is not
> detected anymore as virus.
> So I tested again with Thunderbird as mail client: same.
> Basically with the Eicar signature alone in the body, it is detected as
> virus.
> As soon as I add text on top of the Eicar signature, it passes through.
> Is it normal behavior?

Hello Bruno,

Exim passes the mail message unchanged as it is on to the virus scanner.
If you sent the message with Thunderbird there might be some encoding on
top (base64 or QP) instead of the literal string. It depends on the AV
scanner and its configuration whether it will undo these steps before
checking. clamscan on the mailbox file might be enlightening.

cu Andreas
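The encoding effect described in the reply, as an added example that is not part of the original thread: the same body is serialized with three transfer encodings and checked once as raw bytes and once after MIME decoding. The marker string, addresses and function names are constructed for illustration, and the marker stands in for the test signature rather than reproducing it.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed stand-in for a scanner test signature (not the EICAR string).
MARKER = b"CONSTRUCTED-AV-TEST-MARKER"


def build_message(cte):
    """Serialize a text/plain mail with text around the marker, using the given CTE."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"   # constructed addresses
    msg["To"] = "rcpt@example.org"
    msg["Subject"] = "scanner test"
    body = "Some text before\n" + MARKER.decode() + "\nSome text after\n"
    msg.set_content(body, cte=cte)
    return msg.as_bytes()


def raw_contains(raw):
    """What a scanner sees if it matches on the message bytes without decoding."""
    return MARKER in raw


def decoded_contains(raw):
    """What a scanner sees if it undoes the transfer encoding of each MIME part."""
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)  # bytes after base64/QP decoding
        if payload and MARKER in payload:
            return True
    return False


def compare():
    """Return {cte: (raw_hit, decoded_hit)} for the three encodings."""
    results = {}
    for cte in ("7bit", "quoted-printable", "base64"):
        raw = build_message(cte)
        results[cte] = (raw_contains(raw), decoded_contains(raw))
    return results


if __name__ == "__main__":
    for cte, (raw_hit, decoded_hit) in compare().items():
        print(f"{cte:17} raw={raw_hit!s:5} decoded={decoded_hit}")
```

The raw result for quoted-printable depends on whether the encoder had to rewrite any bytes of the marker; the decoded check does not.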