Problem with ClamAV...

Walker Aumann walkera-mailscanner at OFB.NET
Thu Feb 27 18:34:45 GMT 2003


"Spicer, Kevin" wrote:
> > There is a /tmp/ClamAVBusy.lock file.  I'm only using one MailScanner
> > child, and that's the process with the lock.  It is being processed, but
> > for some reason, the virus signature isn't raising a warning with either
> > sophos or clamav.
> >
>
> I know for a fact this works with both sophos and clam (that's one of my
> setups)
>
> I'd guess you may have one of the following problems...
> 1) Old sendmail processes still running, so that messages aren't being
> passed through MS...  stop MS, kill any sendmail processes that are running
> then start MS.  You can see if MS touches your mail because it will add
> various X-MailScanner headers [don't look at this one though - you'll see my
> MS headers!]

Yes, the headers are indeed being added.

> 2) If you're running EXIM maybe you've got a permissions issue preventing
> the MailScanner user from running the scanners?

Nope,  Sendmail.

> 3) Make sure you've got
>
> Virus Scanning = yes
>
>       and
>
> Virus Scanners = sophos clamav
>
> in MailScanner.conf (then restart!)

Yup, that's what was there, as well as the Minimum Code Status =
unsupported option.

> 4) Some other random misconfiguration, check the maillog for any messages
> when MS starts

Yes, it's a misconfiguration somewhere, but I see no error messages.

> I also noticed from your message's headers that several of the machines at
> your end run Postfix (although 1 was sendmail) - it's a long shot but are
> you sure you've not got postfix already running on your MS machine (this
> would prevent sendmail from binding to the port & therefore mail wouldn't be
> scanned)

Postfix is running on the mail server (seamail), but that's only after it
goes through the MailScanner machine (gw-sea), which is using two sendmail
processes.

What I'm hoping for at this point is verbose output from the virus
scanners MailScanner is running so I can see if this is MailScanner
misparsing something (unlikely) or the individual virus scanners (much
more likely).  For example, while testing for Eicar with Sophos, I found...

[root@gw-sea test]# ls -l
total 12
-rw-r--r--    1 root     root          799 Feb 26 16:52 t1
-rw-r--r--    1 root     root         2060 Feb 26 16:52 t2
-rw-------    1 root     root           69 Feb 27 09:40 t3
[root@gw-sea test]# sweep -ss .
>>> Virus 'EICAR-AV-Test' found in file ./t3
[root@gw-sea test]# tail -1 t1 > t4
[root@gw-sea test]# sweep -ss .
>>> Virus 'EICAR-AV-Test' found in file ./t3
>>> Virus 'EICAR-AV-Test' found in file ./t4
[root@gw-sea test]#

Walker
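
One reading of the sweep session above, as an added example that is not part of the original post: the EICAR test-file definition only covers a file that begins with the 68-character string and is at most 128 bytes long, so a message with the string on its last line (like t1) need not be flagged, while the `tail -1` output (like t4) is. The function names and the contents of the sample files are assumptions constructed for illustration; no scanner is invoked.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread.
# The EICAR string is kept in two halves so that this script is not itself
# flagged by an on-access scanner.
EICAR_A='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR'
EICAR_B='-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
EICAR="${EICAR_A}${EICAR_B}"   # 68 characters

# Return 0 if FILE meets the EICAR test-file definition:
#   - it begins with the 68-character string,
#   - it is at most 128 bytes long,
#   - anything after the string is only space, tab, LF, CR or Ctrl-Z.
is_eicar_test_file() {
    local file=$1 size first rest
    size=$(wc -c < "$file") || return 2
    [ "$size" -ge 68 ] && [ "$size" -le 128 ] || return 1
    first=$(head -c 68 "$file")
    [ "$first" = "$EICAR" ] || return 1
    rest=$(tail -c +69 "$file" | tr -d ' \t\n\r\032' | wc -c)
    [ "$rest" -eq 0 ]
}

# Constructed samples mirroring the session: t1 is a message whose last
# line is the string, t3 is the bare test file, t4 is `tail -1 t1`.
make_samples() {
    local dir=$1
    printf 'From: test@example.invalid\nSubject: scanner test\n\n%s\n' \
        "$EICAR" > "$dir/t1"
    printf '%s\n' "$EICAR" > "$dir/t3"
    tail -n 1 "$dir/t1" > "$dir/t4"
}

# Print one line per sample saying whether detection is to be expected.
report() {
    local dir=$1 f
    for f in t1 t3 t4; do
        if is_eicar_test_file "$dir/$f"; then
            echo "$f: valid EICAR test file, a scanner should flag it"
        else
            echo "$f: not a valid EICAR test file, detection not guaranteed"
        fi
    done
}

tmp=$(mktemp -d) && make_samples "$tmp" && report "$tmp"
rm -rf "$tmp"
```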


