Fwd: Re: Re: Norman (nvcc) does not scan
Martin Wozenilek
mail at wozenilek.de
Tue Dec 28 19:15:14 GMT 2004
Subject: Re: Re: Norman (nvcc) does not scan
From: Martin Wozenilek <mail at wozenilek.de>
To: Julian Field <mailscanner at ecs.soton.ac.uk>
Date: 28-12-2004 20:12
Arrgh ... sorry ... I've played with the wrapper and inserted options to be
quiet and not log anything. When I change this the wrapper gives me (invoked
with /usr/lib/MailScanner/norman-wrapper /usr/bin -c -sb:1 -s -u .):
-----------------------------------------------
Norman Virus Control Version 5.70.01 Jun 15 2004 10:37:11
Copyright (c) 1993-2003 Norman ASA
NSE revision 5.70.26
nvcbin.def revision 5.70 of 2004/12/23 (60256 variants)
nvcmacro.def revision 5.70 of 2004/12/22 (10060 variants)
Total number of variants: 70316
Logging to '/opt/norman/logs/nvc00004.log'
Possible virus in './eicar.com' -> 'EICAR_Test_file_not_a_virus!'
Possible virus in '/root/./eicar_com.zip : eicar.com' -> 'EICAR_Test_file_not_a_virus!'
Possible virus in '/root/./eicarcom2.zip : eicar_com.zip : eicar.com' -> 'EICAR_Test_file_not_a_virus!'
| ./.cpan/sources/authors/id/S/SA/SAMPO/
* Cannot open: /root/./.cpan/sources/authors/id/S/SA/SAMPO/Net_SSLeay.pm-1.25.tar.gz : Net_SSLeay.pm-1.25 .tar : Net_SSLeay.pm-1.25/RECIPE.Win32
No message
3 possible infections found.
14 archives unpacked, 346 files found.
346 files, 8185 kbytes scanned.
Could not open 1 archives.
Total scanning time: 0 min. 39 secs.
209 kbytes per second.
-----------------------------------------------
So, the wrapper works ...
When I check with an eicar-file the maillog tells me:
-----------------------------------------------
Dec 28 20:09:30 mailgw01 MailScanner[12263]: Message 6BC222FA1A from 193.99.144.71 (emailcheck-robot at ct.heise.de) to wozenilek.de is not spam, SpamAssassin (score=-4.9, required 5, autolearn=not spam, BAYES_00 -4.90)
Dec 28 20:09:31 mailgw01 MailScanner[12263]: Virus and Content Scanning: Starting
Dec 28 20:09:33 mailgw01 MailScanner[12263]: /var/spool/MailScanner/incoming/12263/./6BC222FA1A/eicar.com: Eicar-Test-Signature FOUND
Dec 28 20:09:33 mailgw01 MailScanner[12263]: Virus Scanning: ClamAV found 1 infections
Dec 28 20:09:36 mailgw01 MailScanner[12263]: /6BC222FA1A/eicar.com Found: EICAR test file NOT a virus.
Dec 28 20:09:36 mailgw01 MailScanner[12263]: Virus Scanning: McAfee found 1 infections
Dec 28 20:09:37 mailgw01 MailScanner[12263]: ALERT: [Eicar-Test-Signature virus] ./6BC222FA1A/eicar.com <<< Contains code of the Eicar-Test-Signature virus
Dec 28 20:09:37 mailgw01 MailScanner[12263]: Virus Scanning: AntiVir found 1 infections
Dec 28 20:09:37 mailgw01 MailScanner[12263]: /var/spool/MailScanner/incoming/12263/6BC222FA1A/eicar.com Infection: EICAR_Test_File
Dec 28 20:09:37 mailgw01 MailScanner[12263]: Virus Scanning: F-Prot found virus EICAR_Test_File
Dec 28 20:09:37 mailgw01 MailScanner[12263]: Virus Scanning: F-Prot found 1 infections
Dec 28 20:09:39 mailgw01 MailScanner[12263]: /var/spool/MailScanner/incoming/12263/./6BC222FA1A/eicar.com^Iinfected: EICAR-Test-File (not a virus)
Dec 28 20:09:39 mailgw01 MailScanner[12263]: Virus Scanning: Bitdefender found 1 infections
Dec 28 20:09:43 mailgw01 MailScanner[12263]: Scan started at Tue 28 Dec 2004 08:09:43 PM CET
Dec 28 20:09:43 mailgw01 MailScanner[12263]: Database version: 2004-12-28_02
Dec 28 20:09:44 mailgw01 MailScanner[12263]: ./6BC222FA1A/eicar.com: Infected: EICAR_Test_File [Libra]
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Virus Scanning: F-Secure found virus EICAR_Test_File
Dec 28 20:09:44 mailgw01 MailScanner[12263]: ./6BC222FA1A/eicar.com: Infected: EICAR Test File [Orion]
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Virus Scanning: F-Secure found virus EICAR Test File
Dec 28 20:09:44 mailgw01 MailScanner[12263]: ./6BC222FA1A/eicar.com: Infected: EICAR-Test-File [AVP]
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Virus Scanning: F-Secure found virus EICAR-Test-File
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Scan ended at Tue 28 Dec 2004 08:09:43 PM CET
Dec 28 20:09:44 mailgw01 MailScanner[12263]: 3 files scanned
Dec 28 20:09:44 mailgw01 MailScanner[12263]: 1 file infected
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Virus Scanning: F-Secure found 1 infections
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Infected message 6BC222FA1A came from 193.99.144.71
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Virus Scanning: Found 1 viruses
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Filename Checks: Windows/DOS Executable (6BC222FA1A eicar.com)
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Other Checks: Found 1 problems
-----------------------------------------------
And there is a NormanBusy.lock in /tmp. But no log under /opt/norman/logs/.
Maybe MailScanner does not handle the nvcc return code?
--
Martin Wozenilek
Am Langberg 91a
21033 Hamburg
mailto: mail at wozenilek.de
PGP-Key-ID: 0x00105C52
----- Original message -----
Subject: Re: Norman (nvcc) does not scan
From: Julian Field <mailscanner at ecs.soton.ac.uk>
To: Martin Wozenilek <mail at wozenilek.de>; MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
Date: 28-12-2004 19:39
> What happens when you do
> /usr/bin/nvcc -c -sb: 1 -s -u .
>
> Martin Wozenilek wrote:
>
> > On my system nvcc is in /usr/bin. So I've changed your example. Now to
> > your question: the command line gives no output. The norman log is not
> > created ...
> >
> > --
> > Martin Wozenilek
> > Am Langberg 91a
> > 21033 Hamburg
> > mailto: mail at wozenilek.de <mailto:mail at wozenilek.de>
> > PGP-Key-ID: 0x00105C52
> >
> >
> > ----- Original message -----
> > *Subject: *Re: Norman (nvcc) does not scan
> > *From: *Julian Field <mailscanner at ECS.SOTON.AC.UK>
> > *To: *<MAILSCANNER at JISCMAIL.AC.UK>
> > *Date: *28-12-2004 19:27
> >
> >
> > What does
> > cd /tmp
> > /usr/lib/MailScanner/norman-wrapper /usr/sbin -c -sb: 1 -s -u .
> > produce? (Don't forget the '.' on the end of the command)
> >
> >
> > Martin Wozenilek wrote:
> >
> > > Yes, exactly the same on my site ... I'm not a programmer ... but
> > > maybe I can find something in the perl code.
> > > Does anyone else have this problem? Maybe this is FedoraCore2
> > > specific?
> > >
> > > Regards,
> > >
> > > --
> > > Martin Wozenilek
> > > Am Langberg 91a
> > > 21033 Hamburg
> > > mailto: mail at wozenilek.de <mailto:mail at wozenilek.de>
> > > PGP-Key-ID: 0x00105C52
> > >
> > >
> > > ----- Original message -----
> > > *Subject: *Re: Norman (nvcc) does not scan
> > > *From: *John Lee <john at PUREMESSAGE.CO.UK>
> > > *To: *<MAILSCANNER at JISCMAIL.AC.UK>
> > > *Date: *28-12-2004 17:42
> > >
> > >
> > > On Thu, 23 Dec 2004 22:34:00 +0000, Martin Wozenilek
> > > <mail at WOZENILEK.DE> wrote:
> > >
> > > >Hi!
> > > >
> > > >I'm using mailscanner-4.36.4-1 and nvc-5.70.04-0. When I activate the norman
> > > >scanner in the config file the eicar testfile is detected by all my virus
> > > >scanners, but not by nvcc. The wrapper works perfect .... mmmh ....
> > > >
> > > >Any ideas? Thanks!
> > > >
> > > >Martin
> > > >
> > > >------------------------ MailScanner list ------------------------
> > > >To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > > >'leave mailscanner' in the body of the email.
> > > >Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> > > >the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> > > >
> > > >Support MailScanner development - buy the book off the website!
> > >
> > > Hi Martin,
> > >
> > > I'm using mailscanner-4.36.4-1 and nvc-5.70.04-0 on Fedora Core2 and again
> > > NVCC fails to be called from the norman-wrapper.
> > > My other scanners F-prot,Bitdefender...all pick-up the Eicar test -yet no
> > > sign of Norman scanner being called when examining the sys
> > > (mail)/norman logs.
> > >
> > > Both NVCC and norman-wrapper work fine from the command shell.
> > >
> > > I've created a new norman-wrapper to simply write some text to a file - no
> > > joy,so I'm guessing it is an issue with mailscanner itself.
> > >
> > > I'll keep investigating.
> > >
> > > Regards
> > >
> > > John
> > >
> >
> >
> > --
> > Julian Field
> > www.MailScanner.info
> > Buy the MailScanner book at www.MailScanner.info/store
> > Professional Support Services at www.MailScanner.biz
> > MailScanner thanks transtec Computers for their support
> >
> > PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >
>
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
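The symptom in this thread is a configured scanner that writes no result line while every other engine reports the EICAR hit. The script below is an added example, not part of the original messages and not MailScanner code: it flags that case from the maillog, assuming the "Virus Scanning: <name> found N infections" format quoted above and assuming Norman would log under the name "Norman", which the thread does not confirm.

```python
import re

# Constructed sample in the log format quoted in this thread (wrapped lines
# rejoined, detail lines trimmed). Norman is expected but never reports.
SAMPLE_LOG = """\
Dec 28 20:09:31 mailgw01 MailScanner[12263]: Virus and Content Scanning: Starting
Dec 28 20:09:33 mailgw01 MailScanner[12263]: Virus Scanning: ClamAV found 1 infections
Dec 28 20:09:36 mailgw01 MailScanner[12263]: Virus Scanning: McAfee found 1 infections
Dec 28 20:09:37 mailgw01 MailScanner[12263]: Virus Scanning: F-Prot found virus EICAR_Test_File
Dec 28 20:09:37 mailgw01 MailScanner[12263]: Virus Scanning: F-Prot found 1 infections
Dec 28 20:09:44 mailgw01 MailScanner[12263]: Virus Scanning: Found 1 viruses
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ MailScanner\[(\d+)\]: (.*)$")
START = "Virus and Content Scanning: Starting"
PER_SCANNER = re.compile(r"Virus Scanning: (\S+) found (\d+) infections")
TOTAL = re.compile(r"Virus Scanning: Found (\d+) viruses")


def silent_scanners(log_text, expected):
    """List batches where a detection was logged but an expected scanner
    never wrote its own 'found N infections' line."""
    expected = {name.lower() for name in expected}
    batches = {}          # MailScanner child PID -> scanners seen in open batch
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue      # other daemons, or the tail of a wrapped line
        when, pid, msg = m.groups()
        if msg.startswith(START):
            batches[pid] = set()
        elif (hit := PER_SCANNER.match(msg)):
            batches.setdefault(pid, set()).add(hit.group(1).lower())
        elif (total := TOTAL.match(msg)):
            seen = batches.pop(pid, set())
            silent = sorted(expected - seen)
            if int(total.group(1)) > 0 and silent:
                findings.append({"time": when, "pid": pid,
                                 "reported": sorted(seen), "silent": silent})
    return findings


if __name__ == "__main__":
    # Hypothetical expected list; use the names your scanners log under.
    for f in silent_scanners(SAMPLE_LOG, ["ClamAV", "McAfee", "F-Prot", "Norman"]):
        print(f"{f['time']} pid {f['pid']}: no result from {', '.join(f['silent'])}")
```

The check is only meaningful for a batch that contains a known-detectable sample such as the EICAR test file, since a scanner that finds nothing may legitimately log nothing.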