mcafee uvscan not using /usr/local/uvscan/datfiles/current
Eric Dantan Rzewnicki
rzewnickie at RFA.ORG
Tue Jan 27 21:16:55 GMT 2004
Apologies if this has been covered recently. I was unable to find it
mentioned in the archives. I feel like it's been discussed and fixed
already, but I can't find any references to it ...

We have MailScanner-4.25-14 using both sophos (via sophossavi) and
mcafee's uvscan. With the recent storm of MyDoom viruses I noticed that
only sophos was catching them. I have
/opt/MailScanner/lib/mcafee-autoupdate running every 30 minutes via cron.
The dats are updated in /usr/local/uvscan/datfiles/<dat-version-dir>/
and the link /usr/local/uvscan/datfiles/current is created
appropriately.

However it appears that uvscan is being called with old dats that exist
in /usr/local/uvscan/*.dat. We used to use uvscan with amavisd and the
auto dat update script we used just deleted the old dats and put the new
ones in /usr/local/uvscan/. As soon as I ran that old update script I
started seeing mcafee catching MyDoom in the logs. The dats now in
/usr/local/uvscan/*.dat are identical to those in
/usr/local/uvscan/datfiles/current/ as downloaded by MS's
mcafee-autoupdate.

MS's mcafee-wrapper script looks like this:
    PackageDir=$1
    shift
    prog=uvscan # `basename $0`
    datDIR=$PackageDir
    LD_LIBRARY_PATH=$PackageDir
    export LD_LIBRARY_PATH
    if [ "x$1" = "x-IsItInstalled" ]; then
      [ -x ${PackageDir}/$prog ] && exit 0
      exit 1
    fi
    exec ${PackageDir}/$prog -d $datDIR "$@"

I couldn't find where in MailScanner mcafee-wrapper is called, but I
assume $1 is taken from /opt/MailScanner/etc/virus.scanners.conf. To me
this looks like uvscan is being called with "-d /usr/local/uvscan" when
it should be "-d /usr/local/uvscan/datfiles/current/".

Here are the relevant variables set in mcafee-autoupdate:
    PREFIX=/usr/local/uvscan
    ....
    DATDIR=$PREFIX/datfiles
    SUBDIR=datfiles/current
    LINK=$PREFIX/$SUBDIR

According to this datDIR in mcafee-wrapper should be

    datDIR=$PackageDir/datfiles/current

As I type this I feel like I've read about this problem being discussed
and fixed on the list in the past ... but, as I said, I can't seem to
find it in the archives.
-Eric Rz.
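
Added example, not part of the original post and not MailScanner code: a check for the mismatch described above, where the wrapper passes "-d $PackageDir" while the updater writes new DATs under datfiles/current. The function names pick_dat_dir and stale_dats, the fallback to the package directory, and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not MailScanner code). Compares the *.dat files the
# auto-updater links as "current" with the copies in the package directory
# that a wrapper using "-d $PackageDir" would actually load.

# Print the DAT directory a wrapper should pass to "uvscan -d".
# Assumption: fall back to the package directory if the link has no DATs.
pick_dat_dir() {
    pkg=$1
    if [ -d "$pkg/datfiles/current" ] &&
       ls "$pkg/datfiles/current"/*.dat >/dev/null 2>&1; then
        printf '%s\n' "$pkg/datfiles/current"
    else
        printf '%s\n' "$pkg"
    fi
}

# Print each DAT name whose copy in the package directory is missing or
# differs from the updater's copy. Exit status:
#   0 = copies match, 1 = stale or missing copies, 2 = no updater DATs.
stale_dats() {
    pkg=$1
    cur=$pkg/datfiles/current
    ls "$cur"/*.dat >/dev/null 2>&1 || return 2
    rc=0
    for f in "$cur"/*.dat; do
        name=${f##*/}
        if ! cmp -s "$f" "$pkg/$name" 2>/dev/null; then
            printf '%s\n' "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo tree: the updater has a new DAT, the package dir an old one.
demo=$(mktemp -d)
mkdir -p "$demo/datfiles/current"
echo new > "$demo/datfiles/current/scan.dat"
echo old > "$demo/scan.dat"
echo "wrapper should use: $(pick_dat_dir "$demo")"
echo "stale in package dir: $(stale_dats "$demo" || true)"
rm -rf "$demo"
```

Run from cron after the update job, a non-zero status from stale_dats on the real package directory means the scanner may be running on older signatures than the ones just downloaded.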