Problems with F-secure and MS
Julian Field
mailscanner at ecs.soton.ac.uk
Wed May 7 15:51:17 IST 2003
At 15:38 07/05/2003, you wrote:
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Thanks!
>It seems to be working now. What was this problem and how did it
>arise?
It was a bug in my code for detecting whether you had version 4.50
installed or not. 4.50 has a completely different output from previous
versions.
>May 7 16:36:55 smtp MailScanner[23677]: New Batch: Scanning 1
>messages, 33216 bytes
>May 7 16:36:55 smtp MailScanner[23677]: Spam Checks: Starting
>May 7 16:36:56 smtp MailScanner[23677]: Virus and Content Scanning:
>Starting
>May 7 16:36:56 smtp MailScanner[23677]:
>./h47Eat2r023690/joke.ex_^Iinfection: W32/Hybris.worm.B
>May 7 16:36:56 smtp MailScanner[23677]: Virus Scanning: F-Secure
>found virus W32/Hybris.worm.B
>May 7 16:36:56 smtp MailScanner[23677]: Virus Scanning: F-Secure
>found 1 infections
>May 7 16:36:56 smtp MailScanner[23677]: Virus Scanning: Found 1
>viruses
>May 7 16:36:56 smtp MailScanner[23677]: Saved infected "joke.ex_" to
>/var/spool/MailScanner/quarantine/20030507/h47Eat2r023690
>May 7 16:36:56 smtp MailScanner[23677]: Cleaned: Delivered 1 cleaned
>messages
>
>/ carl
>
> >-----Original Message-----
> >From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> >Behalf Of Julian Field
> >Sent: Wednesday, May 07, 2003 15:23
> >To: MAILSCANNER at JISCMAIL.AC.UK
> >Subject: Re: Problems with F-secure and MS
> >
> >
> >Please apply this patch to SweepViruses.pm and try it again for me:
> >
> >--- SweepViruses.pm 2003-05-03 11:10:03.000000000 +0100
> >+++ SweepViruses.pm.new 2003-05-07 14:23:13.000000000 +0100
> >@@ -1190,7 +1190,8 @@
> > #system("echo -n '$line' | od -c");
> >
> > # Lose header
> >- if ($fsecure_InHeader < 0 && $line =~ /version ([\d.]+)/i) {
> >+ if ($fsecure_InHeader < 0 && $line =~ /version ([\d.]+)/i &&
> >+ !$fsecure_Version) {
> > $fsecure_Version = $1 + 0.0;
> > #MailScanner::Log::InfoLog("Found F-Secure version
> >$1=$fsecure_Version\n");
> > return 0;
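Review bot: the added !$fsecure_Version guard in the "Lose header" condition makes the detected version depend on which header line matches /version ([\d.]+)/i first, because the pattern is unanchored and accepts any line containing "version" followed by digits. The debug log quoted further down this thread shows two different matches in a single run (3.11 and 2003), so with this change the first one is kept and every later one is skipped; anchoring the pattern to the one banner line that carries the product version would remove the dependence on output order. The hunk also does not show where $fsecure_Version is initialised or reset, and since the guard only tests truthiness, a value left over from an earlier scan would suppress re-detection, so it is worth confirming that it is cleared before each scanner run.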
> >
> >
> >At 14:04 07/05/2003, you wrote:
> >>
> >>-----BEGIN PGP SIGNED MESSAGE-----
> >>Hash: SHA1
> >>
> >>Are these sufficient?
> >>
> >>May 7 15:02:22 smtp MailScanner[19448]: New Batch: Scanning 1
> >>messages, 33216 bytes
> >>May 7 15:02:22 smtp MailScanner[19448]: Spam Checks: Starting
> >>May 7 15:02:22 smtp MailScanner[19448]: Virus and Content
> >>Scanning: Starting
> >>May 7 15:02:22 smtp MailScanner[19448]: Found F-Secure version
> >>3.11=3.11
> >>May 7 15:02:22 smtp MailScanner[19448]: Found F-Secure version
> >>2003=2003
> >>May 7 15:02:22 smtp last message repeated 2 times
> >>May 7 15:02:22 smtp MailScanner[19448]:
> >>./h47D2Ltq019476/joke.ex_^Iinfection: W32/Hybris.worm.B
> >>May 7 15:02:22 smtp MailScanner[19448]: Uninfected: Delivered 1
> >>messages
> >>
> >>/ Carl
> >>
> >> >-----Original Message-----
> >> >From: MailScanner mailing list
> >> >[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Julian Field
> >> >Sent: Wednesday, May 07, 2003 14:48
> >> >To: MAILSCANNER at JISCMAIL.AC.UK
> >> >Subject: Re: Problems with F-secure and MS
> >> >
> >> >
> >> >In SweepViruses.pm (/usr/lib/MailScanner/MailScanner), you will
> >> >find a function ProcessFSecureOutput. In there, just after a
> >> >"Lose
> >> >header"
> >> >comment, there will be a line commented out that logs the version
> >> >number. Please remove the # from the start of that line, then
> >> >restart MailScanner and run an infected message through it. What
> >> >did it log?
> >> >
> >> >At 13:31 07/05/2003, you wrote:
> >> >>
> >> >>-----BEGIN PGP SIGNED MESSAGE-----
> >> >>Hash: SHA1
> >> >>
> >> >>I found this in the maillog:
> >> >>
> >> >>May 7 11:47:38 smtp MailScanner[5306]:
> >> >>./h479lamb007627/joke.ex_^Iinfection: W32/Hybris.worm.B
> >> >>11:40:18 sm7:38 smtp MailScanner[5306]: Uninfected: Delivered 1
> >> >>messages
> >> >>
> >> >>WHAT! It says it is uninfected and delivers as usual, but has
> >> >>found an infection?
> >> >>
> >> >>I'm confused as to what might be the problem here...
> >> >>
> >> >>/ Carl
> >> >>
> >> >> >-----Original Message-----
> >> >> >From: MailScanner mailing list
> >> >> >[mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Carl Boberg
> >> >> >Sent: Wednesday, May 07, 2003 14:05
> >> >> >To: MAILSCANNER at JISCMAIL.AC.UK
> >> >> >Subject: Problems with F-secure and MS
> >> >> >
> >> >> >
> >> >> >
> >> >> >-----BEGIN PGP SIGNED MESSAGE-----
> >> >> >Hash: SHA1
> >> >> >
> >> >> >Hi,
> >> >> >I have recently noticed that my f-secure ver. 4.15 on linux is
> >> >> >not working with MS
> >> >> >anymore... It isn't scanning viruses. I have tested it with
> >> >> >eicar and a real virus.
> >> >> >Nothing happens! It just passes through.
> >> >> >
> >> >> >It has been working quite well. I think it might have stopped
> >> >> >when I upgraded to
> >> >> >the MS version before last, 4.15 something... I have now
> >> >> >upgraded to 4.20 but still
> >> >> >no function.
> >> >> >
> >> >> >I have checked the config and can't see anything strange. I
> >> >> >checked the wrapper script
> >> >> >and commented out the check for f-secure 4.50. I tested the
> >> >> >wrapper-script:
> >> >> >
> >> >> >./f-secure-wrapper virus.file
> >> >> >
> >> >> >and that works. But it doesn't work when I send email through
> >> >> >MS...
> >> >> >
> >> >> >Any idea what this might be? I am now running latest sophos
> >> >> >beta AND f-secure, in that
> >> >> >order. Headers in mail with virus says:
> >> >> >
> >> >> >X-MailScanner: Found to be infected, Found to be clean
> >> >> >
> >> >> >Would really appreciate some help on this one :-)
> >> >> >
> >> >> >Best regards
> >> >> >- ---------------------------------
> >> >> >Carl Boberg
> >> >> >System & Network Administrator
> >> >> >Dept. of Information Technology
> >> >> >Swedish Museum of Natural History
> >> >> >Frescativ. 40
> >> >> >104 05 Stockholm
> >> >> >carl.boberg at nrm.se
> >> >> >Phone: 08-519 551 16
> >> >> >Mobile: 0701-82 40 55
> >> >> >- ---------------------------------
> >> >> >
> >> >> >-----BEGIN PGP SIGNATURE-----
> >> >> >Version: PGPfreeware 7.0.3 for non-commercial use
> >> >> ><http://www.pgp.com>
> >> >> >
> >> >> >iQA/AwUBPrj2hOi5vtTaHS+IEQLcKQCgwtqVS1k9Nld8HXZYI5nq5TKTgzsAn15
> >> >> >f Bk36uVPBg7cF9jgCEGKBRW/A
> >> >> >=XJbq
> >> >> >-----END PGP SIGNATURE-----
> >> >>
> >> >>-----BEGIN PGP SIGNATURE-----
> >> >>Version: PGPfreeware 7.0.3 for non-commercial use
> >> >><http://www.pgp.com>
> >> >>
> >> >>iQA/AwUBPrj8lOi5vtTaHS+IEQKy1wCfaW0Zs3G83aWfrMFeYqQ4cIYku8oAoMaU
> >> >>Eu/Ybp4j0uofC5vq/yWwJnAO
> >> >>=E1IX
> >> >>-----END PGP SIGNATURE-----
> >> >
> >> >--
> >> >Julian Field
> >> >www.MailScanner.info
> >> >MailScanner thanks transtec Computers for their support
> >>
> >>-----BEGIN PGP SIGNATURE-----
> >>Version: PGPfreeware 7.0.3 for non-commercial use
> >><http://www.pgp.com>
> >>
> >>iQA/AwUBPrkERui5vtTaHS+IEQI1+wCgjBpAlCwh8Skzn1q/VUvOtsWprogAoO4E
> >>vVf1HiDAritxlDdJ/OITC/uT
> >>=2a9b
> >>-----END PGP SIGNATURE-----
> >
> >--
> >Julian Field
> >www.MailScanner.info
> >MailScanner thanks transtec Computers for their support
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
>
>iQA/AwUBPrkac+i5vtTaHS+IEQLSlwCfd2ug16Y0/p65I3P9HiFT5lrp9+AAoNv3
>eyajp/3NzpWHrKMaeCm9kQAM
>=b6hk
>-----END PGP SIGNATURE-----
--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
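
An added example, not part of the original message and not MailScanner's own code: a log check for the failure mode seen in this thread, where the scanner's raw "infection:" line is logged but the batch is still delivered as uninfected. The sample log is constructed from the formats quoted above (line wrapping undone), and the function name and per-PID batch grouping are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log formats quoted in this thread
# (syslog line wrapping undone; "^I" is how syslog rendered a tab).
SAMPLE_LOG = """\
May 7 15:02:22 smtp MailScanner[19448]: New Batch: Scanning 1 messages, 33216 bytes
May 7 15:02:22 smtp MailScanner[19448]: Virus and Content Scanning: Starting
May 7 15:02:22 smtp MailScanner[19448]: ./h47D2Ltq019476/joke.ex_^Iinfection: W32/Hybris.worm.B
May 7 15:02:22 smtp MailScanner[19448]: Uninfected: Delivered 1 messages
May 7 16:36:55 smtp MailScanner[23677]: New Batch: Scanning 1 messages, 33216 bytes
May 7 16:36:56 smtp MailScanner[23677]: ./h47Eat2r023690/joke.ex_^Iinfection: W32/Hybris.worm.B
May 7 16:36:56 smtp MailScanner[23677]: Virus Scanning: F-Secure found 1 infections
May 7 16:36:56 smtp MailScanner[23677]: Cleaned: Delivered 1 cleaned messages
"""

LINE = re.compile(r"^(?P<ts>\w+\s+\d+\s+[\d:]+)\s+\S+\s+MailScanner\[(?P<pid>\d+)\]:\s*(?P<msg>.*)$")
RAW_HIT = re.compile(r"^\./(?P<msgid>[^/]+)/(?P<file>.+?)(?:\^I|\t)infection:\s*(?P<virus>.+)$")
ACCEPTED = re.compile(r"^Virus Scanning: .* found (?:virus|\d+ infections)")


def find_ignored_detections(log_text):
    """Return raw scanner hits that MailScanner never acknowledged in the same batch."""
    pending = defaultdict(list)   # pid -> raw hits seen in the current batch
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("New Batch:"):
            pending[pid] = []                      # a new batch resets state
        elif (hit := RAW_HIT.match(msg)):
            pending[pid].append({"time": m["ts"], "pid": pid, **hit.groupdict()})
        elif ACCEPTED.match(msg):
            pending[pid] = []                      # the output parser counted the hit
        elif msg.startswith("Uninfected: Delivered"):
            findings.extend(pending.pop(pid, []))  # delivered despite a raw hit
    return findings


if __name__ == "__main__":
    for f in find_ignored_detections(SAMPLE_LOG):
        print(f"{f['time']} pid={f['pid']} {f['msgid']}/{f['file']}: "
              f"{f['virus']} reported by scanner but message delivered as uninfected")
```

On the constructed sample only the 15:02:22 batch is flagged; the 16:36 batch is not, because the "Virus Scanning: F-Secure found" line shows the parser acted on the hit.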