eTrust Inoculate
Tony Johansson
tony.johansson at SVENSKAKYRKAN.SE
Wed Jun 11 15:25:49 IST 2003
I have problems getting eTrust inoculate to work with MailScanner.
Details:
eTrust version: eTrust Antivirus for Linux (Build 1892) (from the eTrust
AntiVirus version 7 CD)
OS: Red Hat 7.3 with default sendmail
MailScanner: 4.21-9
Virus scanner in MailScanner.conf is set to f-prot and inoculate. F-prot
finds viruses, inoculate does not, and there's nothing in the maillog about
inoculate.
inoculate-wrapper DOES work, however; see the following output:
"[root@localhost viruses]# /usr/lib/MailScanner/inoculate-wrapper .
File /tmp/viruses/./BUG.0LL is infected by virus: Win32/Bugbear.Worm
File /tmp/viruses/./BUGBEAR.0OM is infected by virus: Win32/Bugbear.Worm
File /tmp/viruses/./klez.0OM is infected by virus: Win32/Klez.H.Worm
File /tmp/viruses/./sircam.0OM is infected by virus: Win32/SirCam.Worm
Total Files Scanned: 8
Total Viruses Found: 4
Total Infected Files Found: 4
Scan Mode: Secure
*** End Of Summary *** "
Version info and options of inocmd32:
[root@localhost MailScanner]# inocmd32
InoculateIT Engine version: 23.61.00 2003/04/08
InoculateIT Signature version: virsig.da0 23.61.46 2003/06/10
Usage:inocmd32 [ -options ] file|directory|drive ...
-options:
: ENG <engine>
<engine> can be one of: Ino or Vet
: MOD <mod> Scan mode
<mod> can be one of: Secure or Reviewer (default Secure)
: ACT <action> Infected file action
<action> can be one of: Cure, Rename, Delete or Move
: EXE Specified files
(based on the 'Specified' extension list)
: EXC Exclude files
(based on the 'Exclude' extension list)
: ARC Scan archive files
: NEX Detect compressed files by content, not file extension
: NOS No subdirectory traverse
: FIL:<pattern> Only scan files that match <pattern> (shell
wildcard)
: SCA <action> Special Cure Action (ACT must be set to Cure)
<action> can be one of: CB (Copy Before), DT (Delete Trojan),
RF (Rename if cure fails) or MF (Move if cure fails)
: MCA <action> Macro Cure Action
<action> can be either: RA (remove all) or RI (remove
infected)
: SPM <mode> Special Mode
<mode> can only be: H (heuristics)
: SFI Stop at first infection in archive
: SRF Skip regular file scanning of archives
: LIS:<file> Create scan report file <file>
: APP:<file> Append scan report to file <file>
: UNI / is directory separator rather than switch introducer
: VER Verbose mode
: COU:<n> Message every <n> scanned files
: COU Message every 1000 scanned files
: SIG Display signature version numbers
: SIG:<dir> Display signature version numbers of
engine located in <dir>
: HEL or ? Display this help
file|directory|drive ...: Specify at least one file, directory or drive to
scan
regards, Tony