How can I log whether MailScanner is running the Antivirus app?

Jon Carnes jonc at nc.rr.com
Sat Feb 14 16:35:55 GMT 2004


Oy! Such a week. I need more information to figure this out.

Does MailScanner run the Anti-virus app on the mail spool (complete
with uuencoded application) or does it un-encode the attachment and run
the scan on that?

Is there a way to log the virus scanning portion of MailScanner's
activities?

My anti-virus app is not catching any viruses in emails - so either some
of my munging has caused MailScanner not to run my app or there is a
problem with my virus scanner...

 - I've captured a MyDoom example and my app finds it just fine with
ordinary scanning.
 - I've captured the incoming queue and scanned queued files with a
MyDoom attachment - the app does NOT detect the virus in its transit
encoded form.
 - I've quarantined email using filename.rules.conf, and the anti-virus
app DOES detect the virus in the attachment in the quarantine area.
 - I've let the email pass through to the user's spool and then scanned
the spool, the anti-virus app DOES detect it.

I stop most attachments but allow zip files using filename.rules.conf.
I thought the infected zip files would be caught by my virus scanner,
being run by MailScanner, but they are not.

This is very frustrating.  I've googled, searched the archives and
re-read the docs several times.  I've even hacked a bit into the
SweepViruses.pm code to try and find how it's applying the virus
scanner.

I'm running mailscanner-4.23-11
on Red Hat Linux 9
and using mcafee (uvscan) as my virus scanner.

Some pertinent info from MailScanner.conf
  Virus Scanning = yes
  Virus Scanners = mcafee

======
Some notes for the archives:

In order to get uvscan to work properly on RH9 I had to modify the
mcafee-wrapper program used by MailScanner. The commented out statement
is the old one, and the one below it is the modified statement which
works fine (but doesn't seem to catch the zipped versions of MyDoom).

# exec ${PackageDir}/$prog -d $datDIR "$@"
exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"

===
Further notes:

UVScan will not ordinarily scan an archive file (.zip), but if you add
the switch "--secure" it will.  Originally (last week), I thought this
was the problem and so I modified the mcafee-wrapper again and added
that switch:

# exec ${PackageDir}/$prog -d $datDIR "$@"
# exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"
# added "--secure" to enable scanning of zipped files - JonC 2/11/2004
exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR "$@"

===
Any help or insights would be appreciated

Jon Carnes
jonc at nc.rr.com
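
Added example (not part of the original post, and not MailScanner or uvscan code): the same constructed, harmless marker scanned at each layer the post describes, namely the raw queue file, the decoded attachment, and the unpacked zip member. The naive byte-pattern scan(), the marker string, the addresses and the file names are all assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Constructed, harmless marker standing in for a scanner signature.
MARKER = b"CONSTRUCTED-TEST-SIGNATURE-0001"


def build_message() -> bytes:
    """Build a mail with a zip attachment whose single member holds MARKER."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Repeated so that deflate really rewrites the bytes.
        zf.writestr("document.txt", MARKER * 20)
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()


def scan(data: bytes) -> bool:
    """Naive byte-pattern scan (stand-in for a signature scanner)."""
    return MARKER in data


def scan_layers(raw: bytes) -> dict:
    """Scan one mail as queue file, decoded attachment and zip member."""
    results = {"queue_file": scan(raw)}
    for part in message_from_bytes(raw).walk():
        if part.get_filename():
            # Undo the base64 transfer encoding used in transit.
            payload = part.get_payload(decode=True)
            results["decoded_attachment"] = scan(payload)
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                results["unpacked_member"] = any(
                    scan(zf.read(name)) for name in zf.namelist())
    return results


if __name__ == "__main__":
    for layer, hit in scan_layers(build_message()).items():
        print(f"{layer:20s} {'DETECTED' if hit else 'clean'}")
```

Only the unpacked member matches: a pattern scan sees nothing in the base64 transit form or in the compressed archive unless each layer is decoded first.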


