Rav Anti Virus
Joseph Watson
jtwatson at datakota.com
Tue Aug 5 23:58:37 IST 2003
On Tuesday August 5 2003 02:07 am, you wrote:
> Do you get anything in the logs? If so, what?
The only thing that shows up is the normal:
MailScanner[24973]: Virus and Content Scanning: Starting
MailScanner[24973]: Uninfected: Delivered 1 messages
MailScanner[24972]: New Batch: Scanning 1 messages, 6245 bytes
MailScanner[24972]: Spam Checks: Found 1 spam messages
MailScanner[24972]: Virus and Content Scanning: Starting
MailScanner[24972]: Uninfected: Delivered 1 messages
Nothing in error or warning logs.
> Did you install RAV in its default location? If not, you will need to tell
> MailScanner the path in /usr/lib/MailScanner/rav-wrapper and
> /usr/lib/MailScanner/rav-autoupdate.
I installed from an rpm provided by Rav AntiVirus:
/usr/local/bin/ravav -> /usr/local/rav8/bin/ravav
Here is what I think is the root of the problem:
[root@ns]# /usr/lib/MailScanner/rav-wrapper --all --mail --archive /tmp
RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
Scan engine 8.11 for i386.
Last update: Tue Aug 5 09:11:08 2003
Scanning for 80318 malwares (viruses, trojans and worms).
Scan started on Tue Aug 5 17:34:11 2003
/tmp/80.->(part0001:bad_virus.zip)->bad_virus.txt Infected: Win32/Hybris.D@mm
Scan ended on Tue Aug 5 17:34:11 2003
Scan results:
Time: 0 second(s).
Objects scanned: 17. New objects: 17
Infected: 1. Different virus bodies: 1.
Files: 14. Directories: 14. Archives: 1. Packed: 0. Mail files: 1.
Warnings: 0.
[root@ns]# echo $?
0
[root@ns]#
For some reason the wrapper does not return the correct return status. It
should return "2". See below:
[root@ns]# ravav --all --mail --archive /tmp
RAV AntiVirus command line for Linux i686.
Version: 8.3.1.
Copyright (c) 1996-2001 GeCAD The Software Company. All rights reserved.
Searching for the engine in '/usr/local/rav8'...
Registered version.
Scan engine 8.11 for i386.
Last update: Tue Aug 5 09:11:08 2003
Scanning for 80318 malwares (viruses, trojans and worms).
Scanning with following configuration:
* checking all files!
* checking inside archive files!
* also checking mail files!
* heuristic scanning is activated!
* integrity check is enabled!
* don't use report file!
/tmp/80.->(part0001:bad_virus.zip)->bad_virus.txt Infected: Win32/Hybris.D@mm
Scan results:
Time: 0 second(s).
Objects scanned: 17. New objects: 17
Infected: 1. Different virus bodies: 1.
Files: 14. Directories: 14. Archives: 1. Packed: 0. Mail files: 1.
Warnings: 0.
[root@ns]# echo $?
2
[root@ns]#
If I modify the wrapper to always return 2, MailScanner still does not detect
a virus. It seems that if the wrapper always returns 2, every message should
trigger a warning. Am I right?
So it appears that there is also something wrong in the code in MailScanner
that is specific to Rav. It looks to me that it may be in SweepViruses.pm,
but I haven't been able to figure it out yet. Maybe someone out there can
point me in the right direction, or give me some pointers to figuring this
out.
--
Regards
Joseph Watson
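
Added example, not part of the original post and not MailScanner's or RAV's own code: the contents of rav-wrapper are not shown above, so this sketch uses a constructed stand-in scanner (fake_scanner) and hypothetical wrapper functions. It shows two common ways a shell wrapper ends up exiting 0 when the scanner it ran exited 2, and a check that compares the direct and wrapped exit statuses.

```shell
#!/bin/sh
# Constructed stand-in for the scanner: prints one report line and exits 2,
# the status the post shows ravav returning when a file is infected.
fake_scanner() {
    echo "/tmp/sample.txt Infected: Constructed/Test.Sig"
    return 2
}

# Lossy pattern 1: any command run after the scanner replaces its status.
wrapper_trailing_cmd() {
    fake_scanner "$@"
    echo "scan finished" >/dev/null   # function now returns echo's status, 0
}

# Lossy pattern 2: a pipeline reports the status of its last stage (cat).
wrapper_pipeline() {
    fake_scanner "$@" | cat
}

# Preserving pattern: capture the status at once and return it explicitly.
wrapper_preserving() {
    scan_rc=0
    fake_scanner "$@" || scan_rc=$?
    echo "scan finished" >/dev/null
    return "$scan_rc"
}

# Run a command, discard its output, and print its exit status.
status_of() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Compare direct and wrapped status; returns non-zero on a mismatch.
check_wrapper() {
    direct=$(status_of fake_scanner)
    wrapped=$(status_of "$1")
    echo "$1: direct=$direct wrapped=$wrapped"
    [ "$direct" = "$wrapped" ]
}

for w in wrapper_trailing_cmd wrapper_pipeline wrapper_preserving; do
    check_wrapper "$w" || echo "  -> $w loses the scanner's exit status"
done
```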