How can I log whether MailScanner is running the Antivirus app? - Answered

Jon Carnes jonc at nc.rr.com
Mon Feb 16 07:12:59 GMT 2004


Well, I captured some incoming viruses using the
/etc/MailScanner/filename.rules.conf settings, then took one of those
viruses and sent it through the MailScanner system as my test.

The key that I needed to know was that MailScanner will identify when it
finds a virus in the log with a message like this:

# grep virus\ \! maillog

 Feb 16 01:21:44 twconn MailScanner[11029]: /i1G6LUrw011045/text Found the W32/Mydoom.a@MM virus !!!
 Feb 16 01:25:05 twconn MailScanner[11034]: /i1G6Oorw011125/text.zip Found the W32/Mydoom.a@MM virus !!!


My problem was that McAfee needed to be modified to run properly on my
Red Hat 9 server.  Originally I put the modification into the
mcafee-wrapper - that did not work.

I moved the modification into a shell script and replaced the
application: /usr/local/uvscan/uvscan with the shell script. That
worked!

The uvscan shell script is:

  #! /bin/sh
  # wrapper for virus scan - to make it work on RH9
  # The real scanner binary has been renamed uvscan.x; pass every argument
  # through quoted ("$@") so paths containing spaces, and more than nine
  # arguments, reach the scanner intact (the first version listed $1..$9).
  LD_PRELOAD=/lib/libc.so.6 /usr/local/uvscan/uvscan.x "$@"

The original uvscan application was renamed uvscan.x

Everything is working well.  Thanks for your insights Julian (and the
great MailScanner application!)

Take care - Jon Carnes

On Sun, 2004-02-15 at 23:32, Jon Carnes wrote:
> On Sat, 2004-02-14 at 11:55, Julian Field wrote:
> > Make sure your path to the Incoming Work Dir does not include any links.
> > Also make sure the installation path of mcafee in virus.scanners.conf does
> > not contain any links.
> >
>
> There are no links in the Incoming Work Dir and the installation path of
> mcafee in virus.scanners.conf does not contain any links.
>
> Could the problem be my modification of the mcafee-wrapper program?
>
>   exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"
>
> If I run without the "LD_PRELOAD=/lib/libc.so.6 " on that line, then the
> mail just stops being processed - which I assume is the virus scanner
> locking up (well at least I know it's running the virus scanner then!)
>
> With that added to the line, things run, but apparently no mail gets
> scanned. I've been running this for a while and the mail policies defined
> by filename.rules.conf have been stopping almost all the viruses... In
> fact if it hadn't been for the recent MyDoom flood that uses zip files,
> I would still be blissfully ignorant of the problem.
>
> BTW: The only way to get this version of mcafee to run on this
> server (RH 9) is to add the "LD_PRELOAD..." before running the
> application.
>
> Thanks for the response,
>
> Jon Carnes
>
> > At 16:35 14/02/2004, you wrote:
> > >Oy! Such a week. I need more information to figure this out.
> > >
> > >Does MailScanner run the Anti-virus app on the mail spool (complete
> > >with uuencoded application) or does it un-encode the attachment and run
> > >the scan on that?
> > >
> > >Is there a way to log the virus scanning portion of MailScanner's
> > >activities?
> > >
> > >My anti-virus app is not catching any viruses in emails - so either some
> > >of my munging has caused MailScanner not to run my app or there is a
> > >problem with my virus scanner...
> > >
> > >  - I've captured a MyDoom example and my app finds it just fine with
> > >ordinary scanning.
> > >  - I've captured the incoming queue and scanned queued files with a
> > >MyDoom attachment - the app does NOT detect the virus in its transit
> > >encoded form.
> > >  - I've quarantined email using filename.rules.conf, and the anti-virus
> > >app DOES detect the virus in the attachment in the quarantine area.
> > >  - I've let the email pass through to the users spool and then scanned
> > >the spool, the anti-virus app DOES detect it.
> > >
> > >I stop most attachments but allow zip files using filename.rules.conf.
> > >I thought the infected zip files would be caught by my virus scanner,
> > >being run by MailScanner, but they are not.
> > >
> > >This is very frustrating.  I've googled, searched the archives and
> > >re-read the docs several times.  I've even hacked a bit into the
> > >SweepViruses.pm code to try and find how it's applying the virus
> > >scanner.
> > >
> > >I'm running mailscanner-4.23-11
> > >on Red Hat Linux 9
> > >and using mcafee (uvscan) as my virus scanner.
> > >
> > >Some pertinent info from MailScanner.conf
> > >   Virus Scanning = yes
> > >   Virus Scanners = mcafee
> > >
> > >======
> > >Some notes for the archives:
> > >
> > >In order to get uvscan to work properly on RH9 I had to modify the
> > >mcafee-wrapper program used by MailScanner. The commented out statement
> > >is the old one, and the one below it is the modified statement which
> > >works fine (but doesn't seem to catch the zipped versions of MyDoom).
> > >
> > ># exec ${PackageDir}/$prog -d $datDIR "$@"
> > >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"
> > >
> > >===
> > >Further notes:
> > >
> > >UVScan will not ordinarily scan an archive file (.zip), but if you add
> > >the switch "--secure" it will.  Originally (last week), I thought this
> > >was the problem and so I modified the mcafee-wrapper again and added
> > >that switch:
> > >
> > ># exec ${PackageDir}/$prog -d $datDIR "$@"
> > ># exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog -d $datDIR "$@"
> > ># added "--secure" to enable scanning of zipped files - JonC 2/11/2004
> > >exec LD_PRELOAD=/lib/libc.so.6 ${PackageDir}/$prog --secure -d $datDIR "$@"
> > >
> > >===
> > >Any help or insights would be appreciated
> > >
> > >Jon Carnes

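The question that started this thread was how to tell from the logs whether MailScanner is actually invoking the virus scanner. The answer above is to grep the maillog for the "Found the ... virus !!!" line. The script below is an added example (not from the thread, not part of MailScanner or McAfee) that turns that grep into a small check: it counts detections and summarises them per virus name, so a zero count after a known-bad test message stands out as "scanner not running" rather than "clean mail". The log lines it runs on are constructed here in the same syslog format the thread shows; the hostname, PIDs and message IDs are made up, and the log path is whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original thread: check MailScanner's maillog
# for virus detections so a silently broken scanner wrapper is noticed.

# Write a constructed sample log (format copied from the thread, values
# invented) to the path given as $1.
sample_log() {
    cat > "$1" <<'EOF'
Feb 16 01:21:44 twconn MailScanner[11029]: /i1G6LUrw011045/text Found the W32/Mydoom.a@MM virus !!!
Feb 16 01:25:05 twconn MailScanner[11034]: /i1G6Oorw011125/text.zip Found the W32/Mydoom.a@MM virus !!!
Feb 16 01:30:12 twconn MailScanner[11040]: /i1G6Tqrw011201/doc.exe Found the W32/Netsky.b@MM virus !!!
Feb 16 01:31:00 twconn MailScanner[11040]: Virus and Content Scanning: Starting
Feb 16 01:32:44 twconn sendmail[11050]: i1G6Wirw011230: from=<user@example.com>, size=1234
EOF
}

# Number of "virus !!!" detection lines in the log given as $1.
# grep -c exits 1 when the count is 0, so "|| :" keeps the 0 and a
# clean exit status; 0 after a known-infected test message means the
# scanner is not being run, which is exactly the failure in the thread.
virus_hit_count() {
    grep -c 'virus !!!' "$1" || :
}

# Print "count<TAB>virus-name", most frequent first, for the log in $1.
# The virus name is everything between "Found the " and " virus !!!".
virus_summary() {
    grep 'virus !!!' "$1" \
      | sed -n 's/.*Found the \(.*\) virus !!!.*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{ c = $1; $1 = ""; sub(/^ /, ""); printf "%s\t%s\n", c, $0 }'
}

# Stand-alone demo on the constructed sample.
demo_log="${TMPDIR:-/tmp}/mailscanner_demo.$$"
sample_log "$demo_log"
echo "detections: $(virus_hit_count "$demo_log")"
virus_summary "$demo_log"
rm -f "$demo_log"
```

On a real server, run `virus_hit_count /var/log/maillog` before and after sending yourself a known detection sample, as the thread does with a captured MyDoom attachment; if the count does not move, the scanner wrapper is the first thing to suspect.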

