Sophos "sweep" problem - a funny thing happened...

Julian Field mailscanner at ecs.soton.ac.uk
Fri Apr 18 20:50:05 IST 2003


If you are running MailScanner version 4, don't use any of the old version 3
scripts that you still might have lying around in /usr/local/Sophos. The
supporting scripts in version 4 are all in /usr/lib/MailScanner. You are
looking for
    sophos-wrapper
and sophos-autoupdate

Sophos recently changed the structure of their virus pattern library, and
this new layout is only recognised by the version 4 sophos-autoupdate
script, not by the old version 3 script.

If you are still running MailScanner 3, then download the tarball of
MailScanner 4 and pull the sophos-autoupdate script out of it. It will
almost certainly work just fine with MailScanner 3 :-)

> On Thursday, April 17, 2003, at 05:13  AM, Quentin Campbell wrote:
>
> > Upgraded the Sophos stuff on our Linux boxes yesterday afternoon from
> > the Sophos April CD. Installed a later libsavi (libsavi.so.3.2.05.033)
> > into /usr/local/Sophos/lib but noticed it also replaced "sweep" in
> > /usr/local/Sophos/bin.
> >
> > All seemed to be working well afterwards with viruses being detected up
> > until 04:00 today.
> >
> > At 04:00 the Sophos autoupdate script ran to update the IDE files, etc.
> > From that point on whenever "/usr/local/Sophos/bin/sophoswrapper" ran it
> > gave "Error initialising detection engine - missing part of virus
> > data".
> >
> > Invoked the "autoupdate" script again which appears to run OK. The files
> > under /usr/local/Sophos/* appeared to be updated OK again but the error
> > still appeared.
> >
> > However noticed that when I invoked "sweep" directly on a file it works
> > OK. That is:
> >
> >  ./sweep /tmp/eicar.com     # OK
> >
> >  ./sophoswrapper /tmp/eicar.com  # Error initialising detection ...
> >
> > So modified "sophoswrapper" as follows (added #TMP#) so that "sweep" is
> > run without the $SAV_IDE and $LD_LIBRARY_PATH environment variables
> > being set - "sophoswrapper" is now working OK.
> >
> > Can anyone suggest why the new "sweep" suddenly started behaving
> > differently after the 04:00 IDE update?
> >
> > ------------------------------ cut here
> > (/usr/local/Sophos/bin/sophoswrapper)
> > PackageDir=/usr/local/Sophos
> > prog=sweep # `basename $0`
> >
> > #TMP#SAV_IDE=$PackageDir/ide
> > #TMP#LD_LIBRARY_PATH=$PackageDir/lib
> > #TMP#export SAV_IDE
> > #TMP#export LD_LIBRARY_PATH
> >
> > exec ${PackageDir}/bin/$prog "$@"
> > ------------------------------ cut here


