New install question - MailScanner-4.15-13 + McAfee virus scan - eicar test fails...sort of?

Julian Field mailscanner at ecs.soton.ac.uk
Thu May 15 18:59:48 IST 2003


At 17:47 15/05/2003, you wrote:
>We've been using MailScanner version 3 for quite a while very
>successfully.  I'm building a new
>mail server, so I'm loading up the latest stuff... but it doesn't quite
>seem to work:
>
>When I send an email through the server with the eicar.com test, I get
>these messages:
>
>May 15 12:06:35 mail MailScanner[27539]: MailScanner E-Mail Virus Scanner
>version 4.15-13
>starting...
>May 15 12:06:35 mail MailScanner[27539]: Using locktype = flock
>May 15 12:07:05 mail MailScanner[27539]: New Batch: Scanning 1 messages,
>1401 bytes
>May 15 12:07:05 mail MailScanner[27539]: Virus and Content Scanning: Starting
>May 15 12:07:05 mail MailScanner[27539]: McAfee said
>"/usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27541/eicar.com"
>May 15 12:07:05 mail MailScanner[27539]: McAfee said "        Found: EICAR
>test file NOT a virus."
>May 15 12:07:05 mail MailScanner[27539]:
>/usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27541/eicar.com
>Found: EICAR test
>file NOT a virus.
>May 15 12:07:05 mail MailScanner[27539]: Virus Scanning: McAfee found 1
>infections
>May 15 12:07:05 mail MailScanner[27539]: Virus Scanning: Found 1 viruses
>May 15 12:07:05 mail MailScanner[27539]: Uninfected: Delivered 1 messages
>
>And the "Uninfected" message is forwarded on to the recipient with the bad
>attachment intact and
>mail headers proclaiming that it was not infected!

The path to the MailScanner "incoming" directory must be the *real* path,
not a path including links. Otherwise it cannot parse the McAfee output as
it doesn't know what directories to strip off the front of the report.

It's in the comments in the MailScanner.conf file:

# Note for McAfee users: do not use any symlinks with McAfee at all. It is
#                        very strange but may not detect all viruses when
#                        started from a symlink or scanning a directory path
#                        including symlinks.

>For this test, I temporarily took out the filename rule which would
>otherwise have excluded the .COM
>file extension.  With it in place, MS does remove the offending file and
>report same to all.
>
>Here's all of the changes in my config file from the distribution:
>--- MailScanner.conf.FCS Sat Apr 26 14:27:54 2003
>+++ MailScanner.conf Wed May 14 17:06:30 2003
>@@ -69,18 +69,18 @@
>  #    which can in turn contain wildcards.
>  #    Example: /opt/MailScanner/etc/mqueue.in.list.conf
>  #
>-Incoming Queue Dir = /var/spool/mqueue.in
>+Incoming Queue Dir = /usr/local/mqueue.in
>
>  # Set location of outgoing mail queue.
>  # This can also be the filename of a ruleset.
>-Outgoing Queue Dir = /var/spool/mqueue
>+Outgoing Queue Dir = /usr/local/mqueue
>
>  # Set where to unpack incoming messages before scanning them
>-Incoming Work Dir = /var/spool/MailScanner/incoming
>+Incoming Work Dir = /usr/local/MailScanner/var/incoming

That should be "/usr/local/MailScanner/var-4.15-13/incoming".


>  # Set where to store infected and message attachments (if they are kept)
>  # This can also be the filename of a ruleset.
>-Quarantine Dir = /var/spool/MailScanner/quarantine
>+Quarantine Dir = /usr/local/MailScanner/var/quarantine
>
>  # Set where to store the process id number so you can stop MailScanner
>  PID file = /opt/MailScanner/var/MailScanner.pid
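Review bot: the PID file at the end of this hunk is still /opt/MailScanner/var/MailScanner.pid while every other path in the hunk has been moved under /usr/local/MailScanner; if /opt/MailScanner/var does not exist on the new host, MailScanner cannot write its pid file, so either create that directory or move the setting alongside the others (the log shows /usr/local/MailScanner/var-4.15-13 exists). Quarantine Dir has the same /usr/local/MailScanner/var/... form as the Incoming Work Dir that the reply corrects; keep both on the real var-4.15-13 path so the two do not diverge.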
>@@ -201,7 +201,7 @@
>  # space-separated list of virus scanners. For example:
>  # Virus Scanners = sophos f-prot mcafee
>  #
>-Virus Scanners = none
>+Virus Scanners = mcafee
>
>  # The maximum length of time the commercial virus scanner is allowed to run
>  # for 1 batch of messages (in seconds).
>@@ -225,7 +225,7 @@
>  # 3) The recipient will not receive the message,
>  #    unless the "Still Deliver Silent Viruses" option is set
>  # This can also be the filename of a ruleset.
>-Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar
>+Silent Viruses = Klez Yaha-E Bugbear Braid-A WinEvar Fizzer Livra
>
>  # Still deliver (after cleaning) messages that contained viruses listed
>  # in the above option ("Silent Viruses") to the recipient?
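Review bot: Fizzer and Livra are appended as bare names, and entries in this list only take effect when they match the name the scanner reports for the virus; check McAfee's own spelling for each (the "Found:" line in the log above shows the format it prints) before relying on the suppression, otherwise the new entries do nothing.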
>@@ -366,7 +366,7 @@
>  # Do you want to quarantine the original *entire* message as well as
>  # just the infected attachments?
>  # This can also be the filename of a ruleset.
>-Quarantine Whole Message = no
>+Quarantine Whole Message = yes
>
>  # When you quarantine an entire message, do you want to store it as
>  # raw mail queue files (so you can easily send them onto users) or
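Review bot: with Quarantine Whole Message = yes the quarantine directory (here /usr/local/MailScanner/var/quarantine) holds complete, still-infected messages, not just the stripped attachments; make sure it is writable and readable only by the user MailScanner runs as and is not shared or indexed, and look at the option that follows this hunk, since raw mail queue files can be re-injected into the MTA unchanged.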
>@@ -609,7 +609,7 @@
>  # When a virus or attachment is replaced by a plain-text warning,
>  # should the warning be in an attachment? If "no" then it will be
>  # placed in-line. This can also be the filename of a ruleset.
>-Warning Is Attachment = yes
>+Warning Is Attachment = no
>
>  # When a virus or attachment is replaced by a plain-text warning,
>  # and that warning is an attachment, this is the filename of the
>@@ -655,7 +655,7 @@
>  # Include the full headers of each message in the notices sent to the local
>  # system administrators?
>  # This can also be the filename of a ruleset.
>-Notices Include Full Headers = no
>+Notices Include Full Headers = yes
>
>  # Hide the directory path from all the system administrator notices.
>  # The extra directory paths give away information about your setup, and
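Review bot: including full headers in the notices is fine while Notices To stays internal, but the option immediately after this change, "Hide the directory path from all the system administrator notices", is what controls whether these same notices reveal the /usr/local/MailScanner layout; it is not shown changed here, so confirm its value together with this one.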
>@@ -674,12 +674,12 @@
>
>  # Where to send the notices.
>  # This can also be the filename of a ruleset.
>-Notices To = postmaster
>+Notices To = virusmaster at elliott-turbo.com
>
>  # Address of the local Postmaster, which is used as the "From" address in
>  # virus warnings sent to users.
>  # This can also be the filename of a ruleset.
>-Local Postmaster = postmaster
>+Local Postmaster = virusmaster at elliott-turbo.com
>
>  #
>  # Spam Detection and Virus Scanner Definitions
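Review bot: per the comment in this hunk, Local Postmaster is the From address on virus warnings sent to users, so virusmaster at elliott-turbo.com will now receive replies and bounces from outside senders as well as the administrator notices; confirm it is a real, monitored mailbox rather than an alias that feeds back through this same server, and consider keeping Notices To on a separate address so internal notices are not mixed with external replies.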

--
Julian Field
www.MailScanner.info
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support
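To make the failure in the log above concrete, here is an added Python illustration of the prefix-stripping the reply describes. It is not MailScanner's own Perl code, and the exact internals of its McAfee wrapper are an assumption here; the model is simply that a reported path is attributed to a message only when it starts with the configured Incoming Work Dir, so a configured path that goes through a symlink never matches the real path McAfee prints, the detection is counted but attached to no message, and the message is delivered as uninfected. The sample report and message ids are constructed from the log lines quoted above; resolve_work_dir and demo_symlink_resolution show the realpath check that catches the misconfiguration.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed sample report, modelled on the two lines McAfee printed in the
# log above (a path line followed by an indented "Found:" line), plus one clean
# file in a second message of the same batch. Not real scanner output.
MCAFEE_REPORT = """\
/usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27541/eicar.com
        Found: EICAR test file NOT a virus.
/usr/local/MailScanner/var-4.15-13/incoming/27539/h4FG73Q27542/notes.txt
"""

Detections = Dict[str, List[Tuple[str, str]]]


def parse_mcafee_report(report: str, work_dir: str) -> Tuple[Detections, List[Tuple[str, str]]]:
    """Attribute McAfee "Found:" lines to messages by stripping the work dir prefix.

    Returns ({message_id: [(attachment, detection), ...]}, orphans). A reported
    path is attributed only if it begins with the configured work dir, after
    which the layout is <pid>/<message id>/<attachment> (as in the log above).
    Paths that do not start with that prefix, e.g. because the configured dir is
    a symlink and McAfee reported the real path, are returned as orphans and
    never acted on. (Assumed model of MailScanner's behaviour, not its code.)
    """
    prefix = work_dir.rstrip("/") + "/"
    infected: Detections = {}
    orphans: List[Tuple[str, str]] = []
    current_path = None
    for raw in report.splitlines():
        line = raw.strip()
        if raw.startswith("/"):
            current_path = line          # the file the following report line is about
            continue
        if not line.startswith("Found:") or current_path is None:
            continue
        detection = line[len("Found:"):].strip()
        if not current_path.startswith(prefix):
            orphans.append((current_path, detection))
            continue
        parts = current_path[len(prefix):].split("/")
        if len(parts) < 3:               # not <pid>/<msgid>/<attachment>
            orphans.append((current_path, detection))
            continue
        msg_id, attachment = parts[1], "/".join(parts[2:])
        infected.setdefault(msg_id, []).append((attachment, detection))
    return infected, orphans


def delivery_decisions(batch: List[str], infected: Detections) -> Dict[str, str]:
    """Per message: "virus" if a detection was attributed to it, else "clean".

    A message whose detection ended up in `orphans` counts as clean, which is the
    "Found 1 viruses ... Uninfected: Delivered 1 messages" outcome in the log.
    """
    return {m: ("virus" if m in infected else "clean") for m in batch}


def resolve_work_dir(configured: str) -> Tuple[str, bool]:
    """Return (real path, True if the configured path traverses a symlink)."""
    real = os.path.realpath(configured)
    return real, real != os.path.abspath(configured)


def demo_symlink_resolution() -> Dict[str, object]:
    """Build var-4.15-13/incoming plus a var -> var-4.15-13 symlink in a temp dir
    and show that only the resolved path equals what a scanner would report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "var-4.15-13", "incoming"))
        os.symlink(os.path.join(root, "var-4.15-13"), os.path.join(root, "var"))
        real_dir = os.path.realpath(os.path.join(root, "var-4.15-13", "incoming"))
        configured = os.path.join(root, "var", "incoming")   # the symlinked form
        resolved, via_symlink = resolve_work_dir(configured)
        return {
            "via_symlink": via_symlink,
            "configured_matches_real": resolved == configured,
            "resolved_matches_real": resolved == real_dir,
        }


if __name__ == "__main__":
    batch = ["h4FG73Q27541", "h4FG73Q27542"]
    for work_dir in ("/usr/local/MailScanner/var/incoming",
                     "/usr/local/MailScanner/var-4.15-13/incoming"):
        found, orphans = parse_mcafee_report(MCAFEE_REPORT, work_dir)
        print(work_dir, delivery_decisions(batch, found), "orphans:", len(orphans))
    print(demo_symlink_resolution())
```

Running it prints both decisions: with the symlinked `.../var/incoming` the EICAR message comes out "clean" and the detection sits in `orphans`, with `.../var-4.15-13/incoming` the same report flags it as "virus". The realpath check is the one-line test to run against Incoming Work Dir before trusting any scanner that reports absolute paths.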


