Problems with F-secure and MS

Carl Boberg carl.boberg at NRM.SE
Wed May 7 15:47:41 IST 2003


 

Still,
I'm missing the postmaster notification mail? (In my config an alias
called mailscanner who gets all virus/bad filename reports)...

/ Carl

>-----Original Message-----
>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>Behalf Of Carl Boberg
>Sent: Wednesday, May 07, 2003 16:39
>To: MAILSCANNER at JISCMAIL.AC.UK
>Subject: Re: Problems with F-secure and MS
>
>
> 
>
>Thanks!
>It seems to be working now. What was this problem and how did it
>arise?
>
>May  7 16:36:55 smtp MailScanner[23677]: New Batch: Scanning 1
>messages, 33216 bytes
>May  7 16:36:55 smtp MailScanner[23677]: Spam Checks: Starting
>May  7 16:36:56 smtp MailScanner[23677]: Virus and Content Scanning:
>Starting
>May  7 16:36:56 smtp MailScanner[23677]:
>./h47Eat2r023690/joke.ex_^Iinfection: W32/Hybris.worm.B
>May  7 16:36:56 smtp MailScanner[23677]: Virus Scanning: F-Secure
>found virus W32/Hybris.worm.B
>May  7 16:36:56 smtp MailScanner[23677]: Virus Scanning: F-Secure
>found 1 infections
>May  7 16:36:56 smtp MailScanner[23677]: Virus Scanning: Found 1
>viruses
>May  7 16:36:56 smtp MailScanner[23677]: Saved infected "joke.ex_"
>to /var/spool/MailScanner/quarantine/20030507/h47Eat2r023690
>May  7 16:36:56 smtp MailScanner[23677]: Cleaned: Delivered 1
>cleaned messages
>
>/ carl
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Julian Field
>>Sent: Wednesday, May 07, 2003 15:23
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Problems with F-secure and MS
>>
>>
>>Please apply this patch to SweepViruses.pm and try it again for me:
>>
>>--- SweepViruses.pm     2003-05-03 11:10:03.000000000 +0100
>>+++ SweepViruses.pm.new 2003-05-07 14:23:13.000000000 +0100
>>@@ -1190,7 +1190,8 @@
>>    #system("echo -n '$line' | od -c");
>>
>>    # Lose header
>>-  if ($fsecure_InHeader < 0 && $line =~ /version ([\d.]+)/i) {
>>+  if ($fsecure_InHeader < 0 && $line =~ /version ([\d.]+)/i &&
>>+      !$fsecure_Version) {
>>      $fsecure_Version = $1 + 0.0;
>>      #MailScanner::Log::InfoLog("Found F-Secure version
>>$1=$fsecure_Version\n");
>>      return 0;
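Review bot: in the new condition ending `!$fsecure_Version) {`, a header line that matches /version ([\d.]+)/i after the version has already been captured no longer reaches `return 0;` and instead falls through to whatever follows this block. Keeping the original two-part test and guarding only the assignment, for example `$fsecure_Version = $1 + 0.0 unless $fsecure_Version;`, would keep the first match and still discard every such header line. The guard also depends on $fsecure_Version being cleared before each scanner run, which is not visible in this hunk and deserves a comment next to the test.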
>>
>>
>>At 14:04 07/05/2003, you wrote:
>>>
>>>
>>>Are these sufficient?
>>>
>>>May  7 15:02:22 smtp MailScanner[19448]: New Batch: Scanning 1
>>>messages, 33216 bytes
>>>May  7 15:02:22 smtp MailScanner[19448]: Spam Checks: Starting
>>>May  7 15:02:22 smtp MailScanner[19448]: Virus and Content
>>>Scanning: Starting
>>>May  7 15:02:22 smtp MailScanner[19448]: Found F-Secure version
>>>3.11=3.11
>>>May  7 15:02:22 smtp MailScanner[19448]: Found F-Secure version
>>>2003=2003
>>>May  7 15:02:22 smtp last message repeated 2 times
>>>May  7 15:02:22 smtp MailScanner[19448]:
>>>./h47D2Ltq019476/joke.ex_^Iinfection: W32/Hybris.worm.B
>>>May  7 15:02:22 smtp MailScanner[19448]: Uninfected: Delivered 1
>>>messages
>>>
>>>/ Carl
>>>
>>> >-----Original Message-----
>>> >From: MailScanner mailing list
>>> >[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Julian Field
>>> >Sent: Wednesday, May 07, 2003 14:48
>>> >To: MAILSCANNER at JISCMAIL.AC.UK
>>> >Subject: Re: Problems with F-secure and MS
>>> >
>>> >
>>> >In SweepViruses.pm (/usr/lib/MailScanner/MailScanner), you will
>>> >find a function ProcessFSecureOutput. In there, just after a
>>> >"Lose
>>> >header"
>>> >comment, there will be a line commented out that logs the version
>>> >number. Please remove the # from the start of that line, then
>>> >restart MailScanner and run an infected message through it. What
>>> >did it log?
>>> >
>>> >At 13:31 07/05/2003, you wrote:
>>> >>
>>> >>
>>> >>I found this in the maillog:
>>> >>
>>> >>May  7 11:47:38 smtp MailScanner[5306]:
>>> >>./h479lamb007627/joke.ex_^Iinfection: W32/Hybris.worm.B
>>> >>11:40:18 sm7:38 smtp MailScanner[5306]: Uninfected: Delivered 1
>>> >>messages
>>> >>
>>> >>WHAT! It says it is uninfected and delivers as usual, but has
>>> >>found an infection?
>>> >>
>>> >>I'm confused as to what might be the problem here...
>>> >>
>>> >>/ Carl
>>> >>
>>> >> >-----Original Message-----
>>> >> >From: MailScanner mailing list
>>> >> >[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Carl Boberg
>>> >> >Sent: Wednesday, May 07, 2003 14:05
>>> >> >To: MAILSCANNER at JISCMAIL.AC.UK
>>> >> >Subject: Problems with F-secure and MS
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> >Hi,
>>> >> >I have recently noticed that my f-secure ver. 4.15 on linux
>>> >> >is not working with MS
>>> >> >anymore... It isn't scanning viruses. I have tested it with
>>> >> >eicar and a real virus.
>>> >> >Nothing happens! It just passes through.
>>> >> >
>>> >> >It has been working quite well. I think it might have stopped
>>> >> >when I upgraded to
>>> >> >the MS version before last, 4.15 something... I have now
>>> >> >upgraded to 4.20 but still
>>> >> >no function.
>>> >> >
>>> >> >I have checked the config and can't see anything strange. I
>>> >> >checked the wrapper script
>>> >> >and commented out the check for f-secure 4.50. I tested the
>>> >> >wrapper-script:
>>> >> >
>>> >> >./f-secure-wrapper virus.file
>>> >> >
>>> >> >and that works. But it doesn't work when I send email through
>>> >> >MS...
>>> >> >
>>> >> >Any idea what this might be? I am now running latest sophos
>>> >> >beta AND f-secure, in that
>>> >> >order. Headers in mail with virus says:
>>> >> >
>>> >> >X-MailScanner: Found to be infected, Found to be clean
>>> >> >
>>> >> >Would really appreciate some help on this one :-)
>>> >> >
>>> >> >Best regards
>>> >> >---------------------------------
>>> >> >Carl Boberg
>>> >> >System & Network Administrator
>>> >> >Dept. of Information Technology
>>> >> >Swedish Museum of Natural History
>>> >> >Frescativ. 40
>>> >> >104 05 Stockholm
>>> >> >carl.boberg at nrm.se
>>> >> >Phone: 08-519 551 16
>>> >> >Mobile: 0701-82 40 55
>>> >> >---------------------------------
>>> >> >
>>> >>
>>> >
>>> >--
>>> >Julian Field
>>> >www.MailScanner.info
>>> >MailScanner thanks transtec Computers for their support
>>>
>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>


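Added example, not part of the original thread and not MailScanner code: a log check for the failure shown above, where the scanner's raw "infection:" line is relayed to syslog but MailScanner never logs a "Virus Scanning: Found" confirmation and delivers the message as uninfected. The function name and the sample log (constructed by unwrapping excerpts quoted in this thread) are assumptions; other MailScanner versions may word these lines differently.

```python
import re

# Syslog shape seen in the thread: "May  7 15:02:22 smtp MailScanner[19448]: <msg>"
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+MailScanner\[(\d+)\]:\s*(.*)$")
# Raw scanner output relayed to syslog; the tab separator is rendered as "^I".
INFECTION_RE = re.compile(r"^(\S+?)(?:\^I|\t)infection:\s*(\S.*)$")

def find_unacted_infections(lines):
    """Return batches in which a scanner reported an infection but MailScanner
    never logged 'Virus Scanning: Found ...' for the same batch."""
    batches, current = [], {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # non-MailScanner lines, e.g. "last message repeated"
        ts, pid, msg = m.groups()
        if msg.startswith("New Batch:") or pid not in current:
            current[pid] = {"pid": pid, "start": ts, "hits": [],
                            "confirmed": False, "outcome": []}
            batches.append(current[pid])
        batch = current[pid]
        hit = INFECTION_RE.match(msg)
        if hit:
            batch["hits"].append(hit.groups())   # (path, virus name)
        elif msg.startswith("Virus Scanning: Found"):
            batch["confirmed"] = True            # parser accepted the report
        elif "Delivered" in msg:
            batch["outcome"].append(msg)
    return [b for b in batches if b["hits"] and not b["confirmed"]]

# Constructed sample: one failing and one working batch from the thread.
SAMPLE_LOG = """
May  7 15:02:22 smtp MailScanner[19448]: New Batch: Scanning 1 messages, 33216 bytes
May  7 15:02:22 smtp MailScanner[19448]: Virus and Content Scanning: Starting
May  7 15:02:22 smtp MailScanner[19448]: ./h47D2Ltq019476/joke.ex_^Iinfection: W32/Hybris.worm.B
May  7 15:02:22 smtp MailScanner[19448]: Uninfected: Delivered 1 messages
May  7 16:36:55 smtp MailScanner[23677]: New Batch: Scanning 1 messages, 33216 bytes
May  7 16:36:56 smtp MailScanner[23677]: ./h47Eat2r023690/joke.ex_^Iinfection: W32/Hybris.worm.B
May  7 16:36:56 smtp MailScanner[23677]: Virus Scanning: F-Secure found virus W32/Hybris.worm.B
May  7 16:36:56 smtp MailScanner[23677]: Virus Scanning: Found 1 viruses
May  7 16:36:56 smtp MailScanner[23677]: Cleaned: Delivered 1 cleaned messages
"""

if __name__ == "__main__":
    for b in find_unacted_infections(SAMPLE_LOG.splitlines()):
        print(b["start"], "pid", b["pid"], b["hits"], b["outcome"])
```

The check keys on the missing confirmation rather than on "Uninfected: Delivered" alone, because a batch holding both clean and infected messages can legitimately log a delivery of each kind.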


