debug of virus scanner conversation

Scott Farrell sfarrell at ICCONSULTING.COM.AU
Sat Dec 15 23:03:05 GMT 2001


Just an update.

Below are successful and failed scanning logs. You'll notice the
successful one takes about 2 seconds, and the failed one is instant with
no logging.

Restarting mailscanner fixes the problem, but it eventually re-occurs.

Any ideas?

Here is my log from the failed scanning:

Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Using flock() to lock
/var/spool/mqueue.in/qffBFLsMd10664
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Using flock() to lock
>/var/spool/MailScanner/incoming/fBFLsMd10664.header
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Scanning 1 messages,
1205 bytes
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Going to scan 1 messages
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Commencing scanning...
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Completed scanning
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Scanned 1 messages, 1205
bytes in 0 seconds
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Using flock() to lock
>/var/spool/mqueue/tffBFLsMd10664
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: About to deliver 1
messages

Here is my log from a successful scanning:

Dec 16 00:43:30 icconsulting3 mailscanner[7897]: Using flock() to lock
>/var/spool/MailScanner/incoming/fBFDh5t07901.header
Dec 16 00:43:30 icconsulting3 mailscanner[7897]: Scanning 1 messages, 1205
bytes
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Going to scan 1 messages
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Commencing scanning...
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
----------/data/MailScanner/incoming/./fBFDh5t07901.header
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
----------/data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: File
/data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat is infected by
virus: EICAR test file
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: File
/data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat is infected by
virus: EICAR test file
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Files Scanned:  2
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Viruses Found:  1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Infected Files
Found:  1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Archives Scanned: 1
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Scan Mode:  Reviewer
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: *** End Of Summary ***
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Completed scanning
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Found 1 viruses in
messages fBFDh5t07901
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Scanned 1 messages, 1205
bytesin 2 seconds
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Saved infections to
/var/spool/MailScanner/quarantine/20011216/fBFDh5t07901


regards
Scott Farrell

http://www.icconsulting.com.au
ic Consulting - the people that make eBusiness happen.
We offer e-business consulting and perform services. We deliver high
impact consulting, and fast turn around projects for our clients.
Ask us about Web Content Management,  Web Self Service, or working closer
with your customers or suppliers.

0412 927 156,   02 9411 3622  mailto:sfarrell at icconsulting.com.au




Scott Farrell <sfarrell at ICCONSULTING.COM.AU>
Sent by: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
16/12/2001 12:31 AM
Please respond to MailScanner mailing list


        To:     MAILSCANNER at JISCMAIL.AC.UK
        cc:
        Subject:        Re: debug of virus scanner conversation

Thanks Jules ..... I used this instead, but thanks for your help, it
worked wonders ... now I have to wait until it fails again !!!!!:

Log::InfoLog("$_");

regards
Scott Farrell




Julian Field <jkf at ECS.SOTON.AC.UK>
Sent by: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
14/12/2001 07:10 PM
Please respond to MailScanner mailing list

        To:        MAILSCANNER at JISCMAIL.AC.UK
        cc:
        Subject:        Re: debug of virus scanner conversation

At 03:19 14/12/2001, you wrote:
>I suspect there is some OS error, or error with InoculateIT, or error
>somewhere. I would dearly like to output the conversion between mailscanner
>and the commercial virus program. Is this possible?

Take a look in sweep.pl, at the TryCommercial function. There's a loop in
there that starts "while(<KID>) {" for each supported virus scanner. If you
find the one you are using for InoculateIT and do a 'print STDERR "$_";'
just inside the top of the loop, it will dump to STDERR all the output from
the virus scanner.

Hope that helps!
--
Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                            Southampton SO17 1BJ
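
Added example, not part of the original thread or of MailScanner: a small log check that flags the failure signature shown in the logs above, where "Commencing scanning..." is followed directly by "Completed scanning" with no scanner output in between. It assumes the scanner's output is being written to syslog (as with the debug line used in this thread); the function name and the sample lines (the thread's log excerpts, unwrapped and trimmed) are constructed for illustration.

```python
import re

# Syslog line shape seen in the thread:
#   "<date> <host> mailscanner[<pid>]: <message>"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) mailscanner\[(\d+)\]: ?(.*)$")

def find_silent_scans(lines):
    """Return (pid, timestamp) for each batch in which nothing was logged
    between 'Commencing scanning...' and 'Completed scanning'."""
    in_scan = {}   # pid -> [start timestamp, count of scanner output lines]
    silent = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, _host, pid, msg = m.groups()
        if msg.startswith("Commencing scanning"):
            in_scan[pid] = [stamp, 0]
        elif msg.startswith("Completed scanning"):
            state = in_scan.pop(pid, None)
            if state and state[1] == 0:
                # The scanner said nothing: mail is passing through unchecked.
                silent.append((pid, state[0]))
        elif pid in in_scan and msg.strip():
            in_scan[pid][1] += 1
    return silent

# Constructed sample: the thread's two excerpts, unwrapped and shortened.
SAMPLE = """\
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Going to scan 1 messages
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Commencing scanning...
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Completed scanning
Dec 16 08:54:52 icconsulting3 mailscanner[10542]: Scanned 1 messages, 1205 bytes in 0 seconds
Dec 16 00:43:31 icconsulting3 mailscanner[7897]: Commencing scanning...
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: File /data/MailScanner/incoming/./fBFDh5t07901/msg-7897-1.dat is infected by virus: EICAR test file
Dec 16 00:43:33 icconsulting3 mailscanner[7897]:
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Total Files Scanned:  2
Dec 16 00:43:33 icconsulting3 mailscanner[7897]: Completed scanning
""".splitlines()

if __name__ == "__main__":
    for pid, stamp in find_silent_scans(SAMPLE):
        print(f"silent scan: mailscanner[{pid}] at {stamp}")
```

Run against the live mail log, any hit means messages were delivered without the virus scanner producing a result, which is worth alerting on rather than waiting for a test message to slip through.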


