eTrust Virus Scanner

Hancock, Scott HancockS at MORGANCO.COM
Fri Sep 12 20:29:19 IST 2003


I'm not sure how to test this except using MailScanner, so here is the
bad news.

At Fri Sep 12 11:16:10 2003 the virus scanner said:
   ClamAV: eicar_com.zip contains Eicar-Test-Signature 

No etrust reported.  Everything was restarted just in case.

Do you have a command line sequence I could try for an error message?

A copy of my visudo file.  Scott was in there for testing.

root    ALL=(ALL) ALL
scott   ALL=(ALL) ALL

User_Alias      MAIL = mail
Runas_Alias     ROOT = root
Host_Alias      LOCALHOST = 127.0.0.1
Cmnd_Alias      ETRUST = /opt/eTrustAntivirus/ino/bin/inocmd32
Defaults        mailto = you at yourdomain.com
Defaults        env_reset
Defaults        env_keep = LD_LIBRARY_PATH

MAIL  LOCALHOST = (ROOT) NOPASSWD: ETRUST


BTW, I did log a call to etrust asking if there was a way around the
root privilege.  They reported there was not.  I believe their support
is in India judging by the echo in the transmission and the accent.

Scott


 >-----Original Message-----
 >From: Kevin Spicer [mailto:kevins at BMRB.CO.UK] 
 >Sent: Friday, September 12, 2003 2:34 PM
 >To: MAILSCANNER at JISCMAIL.AC.UK
 >Subject: Re: eTrust Virus Scanner
 >
 >
 >On Fri, 2003-09-12 at 18:50, Hancock, Scott wrote:
 >
 >>My dev server is now responding identically.
 >
 >>Mailscanner is reporting only clam is analyzing the attachment.
 >
 >Okay, there's a lot of info there, some of which is a bit 
 >misleading. Here's what I think is happening....
 >
 >inocmd32 needs the LD_LIBRARY_PATH setting as shown...
 >
 >/opt/eTrustAntivirus/secu/lib:/opt/eTrustAntivirus/ino/config:/opt/eTrustAntivirus/ino/lib
 >
 >It also needs to be run as root, unfortunately running it 
 >suid doesn't work.  In all probability it is checking the 
 >Real User ID rather than the Effective User ID.
 >
 >The only immediately obvious way to get round this (to me, 
 >right now that is) is to have the program called by a SUID 
 >program, rather than being SUID itself (so that it inherits 
 >the parent process's EUID as its UID).  The obvious way to do 
 >this is with sudo [someone did suggest that previously].
 >
 >First, restore the original permissions to the inocmd32 
 >binary (and clean up all the other changes if you like) then 
 >create the following sudo configuration (make sure you edit 
 >the file with visudo).
 >
 >
 >
 >##Begin sudoers file
 >
 >User_Alias      MAIL = mail
 >Runas_Alias     ROOT = root
 >Host_Alias      LOCALHOST = 127.0.0.1
 >Cmnd_Alias      ETRUST = /opt/eTrustAntivirus/ino/bin/inocmd32
 >Defaults        mailto = you at yourdomain.com
 >Defaults        env_reset = true
 >Defaults        env_keep = LD_LIBRARY_PATH
 >
 >MAIL  LOCALHOST = (ROOT) NOPASSWD: ETRUST
 >
 >## End sudoers file
 >
 >Then modify the command in the last line of the etrust 
 >wrapper to read... exec sudo $prog $ScanOptions "$@"
 >
 >
 >Then test!
 >
 >BMRB International
 >http://www.bmrb.co.uk
 >+44 (0)20 8566 5000
 >
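
Added example, not part of the original thread and not eTrust or MailScanner code: a small C probe that reports the real and effective UIDs and the LD_LIBRARY_PATH a command actually receives, so a setuid launch can be compared with a sudo launch as discussed in the quoted reply. The name `uidprobe`, its functions, and the real-UID test are assumptions based on the reply's guess about inocmd32, not confirmed vendor behaviour.

```c
/* uidprobe.c: added diagnostic example (hypothetical name), not vendor code.
 * Point the wrapper at this binary instead of the scanner and compare
 * what arrives when it is run directly, setuid-root, or through sudo. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

enum launch { UNPRIVILEGED, SETUID_ONLY, FULL_ROOT, EUID_DROPPED };

/* Classify a real/effective UID pair. */
enum launch classify(uid_t ruid, uid_t euid)
{
    if (ruid == 0 && euid == 0) return FULL_ROOT;    /* root shell or sudo */
    if (ruid != 0 && euid == 0) return SETUID_ONLY;  /* setuid-root binary */
    if (ruid == 0)              return EUID_DROPPED; /* root lowered its EUID */
    return UNPRIVILEGED;
}

/* Assumed scanner behaviour (the reply's guess): test the REAL uid. */
int real_uid_check(uid_t ruid, uid_t euid) { (void)euid; return ruid == 0; }

/* What a setuid bit alone would satisfy: a test of the EFFECTIVE uid. */
int effective_uid_check(uid_t ruid, uid_t euid) { (void)ruid; return euid == 0; }

const char *launch_name(enum launch l)
{
    static const char *names[] = {
        "unprivileged", "setuid only (real uid still the caller)",
        "real and effective uid both root", "root with lowered effective uid"
    };
    return names[l];
}

int main(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    /* The dynamic linker commonly discards LD_* variables for setuid
     * programs, sudo included, so print what actually got through. */
    const char *ld = getenv("LD_LIBRARY_PATH");

    printf("ruid=%lu euid=%lu: %s\n", (unsigned long)ruid,
           (unsigned long)euid, launch_name(classify(ruid, euid)));
    printf("real-uid check: %s, effective-uid check: %s\n",
           real_uid_check(ruid, euid) ? "pass" : "fail",
           effective_uid_check(ruid, euid) ? "pass" : "fail");
    printf("LD_LIBRARY_PATH=%s\n", ld ? ld : "(unset)");
    return real_uid_check(ruid, euid) ? 0 : 1;
}
```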



