How can I log whether MailScanner is running the Antivirus app?

Jon Carnes jonc at nc.rr.com
Mon Feb 16 04:32:38 GMT 2004


On Sat, 2004-02-14 at 11:55, Julian Field wrote:
> Make sure your path to the Incoming Work Dir does not include any links.
> Also make sure the installation path of mcafee in virus.scanners.conf does
> not contain any links.
>

There are no links in the Incoming Work Dir and the installation path of
mcafee in virus.scanners.conf does not contain any links.

Could the problem be my modification of the mcafee-wrapper program?

  exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"

If I run without the "LD_PRELOAD=/lib/libc.so.6 " on that line, then the
mail just stops being processed - which I assume is the virus scanner
locking up (well at least I know it's running the virus scanner then!)

With that added to the line, things run, but apparently no mail gets
scanned. I've been running this for a while and the mail policies defined
by filename.rules.conf have been stopping almost all the viruses... In
fact if it hadn't been for the recent MyDoom flood that uses zip files,
I would still be blissfully ignorant of the problem.

BTW: The only way to get this version of mcafee to run on this
server (RH 9) is to add the "LD_PRELOAD..." before running the
application.

Thanks for the response,

Jon Carnes

> At 16:35 14/02/2004, you wrote:
> >Oy! Such a week. I need more information to figure this out.
> >
> >Does MailScanner run the Anti-virus app on the mail spool (complete
> >with uuencoded application) or does it un-encode the attachment and run
> >the scan on that?
> >
> >Is there a way to log the virus scanning portion of MailScanner's
> >activities?
> >
> >My anti-virus app is not catching any viruses in emails - so either some
> >of my munging has caused MailScanner not to run my app or there is a
> >problem with my virus scanner...
> >
> >  - I've captured a MyDoom example and my app finds it just fine with
> >ordinary scanning.
> >  - I've captured the incoming queue and scanned queued files with a
> >MyDoom attachment - the app does NOT detect the virus in its transit
> >encoded form.
> >  - I've quarantined email using filename.rules.conf, and the anti-virus
> >app DOES detect the virus in the attachment in the quarantine area.
> >  - I've let the email pass through to the user's spool and then scanned
> >the spool, the anti-virus app DOES detect it.
> >
> >I stop most attachments but allow zip files using filename.rules.conf.
> >I thought the infected zip files would be caught by my virus scanner,
> >being run by MailScanner, but they are not.
> >
> >This is very frustrating.  I've googled, searched the archives and
> >re-read the docs several times.  I've even hacked a bit into the
> >SweepViruses.pm code to try and find how it's applying the virus
> >scanner.
> >
> >I'm running mailscanner-4.23-11
> >on Red Hat Linux 9
> >and using mcafee (uvscan) as my virus scanner.
> >
> >Some pertinent info from MailScanner.conf
> >   Virus Scanning = yes
> >   Virus Scanners = mcafee
> >
> >======
> >Some notes for the archives:
> >
> >In order to get uvscan to work properly on RH9 I had to modify the
> >mcafee-wrapper program used by MailScanner. The commented out statement
> >is the old one, and the one below it is the modified statement which
> >works fine (but doesn't seem to catch the zipped versions of MyDoom).
> >
> ># exec ${PackageDir}/$prog -d $datDIR "$@"
> >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"
> >
> >===
> >Further notes:
> >
> >UVScan will not ordinarily scan an archive file (.zip), but if you add
> >the switch "--secure" it will.  Originally (last week), I thought this
> >was the problem and so I modified the mcafee-wrapper again and added
> >that switch:
> >
> ># exec ${PackageDir}/$prog -d $datDIR "$@"
> ># exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"
> ># added "--secure" to enable scanning of zipped files - JonC 2/11/2004
> >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR "$@"
> >
> >===
> >Any help or insights would be appreciated
> >
> >Jon Carnes
> >jonc at nc.rr.com
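
One thing worth checking in a wrapper line of this shape, shown as an added example that is not part of the original post or of MailScanner: in sh, `exec` takes its first argument as the program to run, so a `NAME=value` word placed after `exec` is looked up as a command instead of being set as a variable, and the wrapper exits with status 127 without ever starting the scanner. The stub scanner, the marker file and `DEMO_PRELOAD` (standing in for `LD_PRELOAD`) are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: the stub scanner and wrapper are hypothetical files, not
# MailScanner's or McAfee's. DEMO_PRELOAD stands in for LD_PRELOAD; the shell
# parses both words the same way.

# try_wrapper LINE
# Writes a wrapper whose last line is LINE, runs it, and prints the wrapper's
# exit status plus whether the stub scanner was actually started.
try_wrapper() {
    dir=$(mktemp -d) || return 1
    # Stub scanner: leaves a marker file recording the variable it received.
    cat > "$dir/scanner" <<'EOF'
#!/bin/sh
echo "${DEMO_PRELOAD:-unset}" > "$(dirname "$0")/ran"
EOF
    printf '#!/bin/sh\nPackageDir="%s"\nprog=scanner\n%s\n' "$dir" "$1" \
        > "$dir/wrapper"
    chmod +x "$dir/scanner" "$dir/wrapper"

    status=0
    "$dir/wrapper" sample.zip 2>/dev/null || status=$?

    if [ -f "$dir/ran" ]; then
        echo "status=$status scanner=ran preload=$(cat "$dir/ran")"
    else
        echo "status=$status scanner=not-run"
    fi
    rm -rf "$dir"
}

# Shape of the line in the post: exec looks for a program named "DEMO_PRELOAD=x".
try_wrapper 'exec DEMO_PRELOAD=x ${PackageDir}/$prog "$@"'
# env(1) sets the variable first and then runs the scanner.
try_wrapper 'exec env DEMO_PRELOAD=x ${PackageDir}/$prog "$@"'
```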


