difficulty with MS and drweb

Voskresenskiy Evgeniy vei at RMB.RU
Wed Mar 31 08:49:07 IST 2004


>Sounds like a DrWeb-specific problem. Can you put a copy of eicar.com (from
>www.eicar.org) in a zip file, pass it through MailScanner and let me know
>what it reports. Does it find it when it isn't in a zip file?

I started MS in debug mode.
I sent eicar.zip (eicar.com inside the archive).
On the display I see:
Starting Mailscanner :  /usr/sbin/check_mailscanner
Starting MailScanner...
In Debugging mode, not forking...
Stopping now as you are debugging me.
In /var/log/maillog:
Mar 31 11:36:08 host1 MailScanner[11809]: MailScanner E-Mail Virus Scanner version 4.28.6 starting...
Mar 31 11:36:08 host1 MailScanner[11809]: lock.pl sees Config  LockType = flock
Mar 31 11:36:08 host1 MailScanner[11809]: lock.pl sees have_module =  0
Mar 31 11:36:08 host1 MailScanner[11809]: Using locktype = flock
Mar 31 11:36:58 host1 MailScanner[11809]: New Batch: Scanning 1 messages, 2718 bytes
Mar 31 11:37:00 host1 MailScanner[11809]: RBL Checks: returned 0
Mar 31 11:37:00 host1 MailScanner[11809]: Created attachment dirs for 1 messages
Mar 31 11:37:00 host1 MailScanner[11809]: Virus and Content Scanning: Starting
Mar 31 11:37:00 host1 MailScanner[11809]: Commencing scanning by drweb...
Mar 31 11:37:02 host1 MailScanner[11809]: /var/spool/MailScanner/incoming/11809/E04C91000AC0/eicar.com infected with EICAR Test File (NOT a Virus!)
Mar 31 11:37:02 host1 MailScanner[11809]: Completed scanning by drweb
Mar 31 11:37:02 host1 MailScanner[11809]: Virus Scanning: DrWeb found 1 infections
Mar 31 11:37:02 host1 MailScanner[11809]: Infected message E04C91000AC0 came from 127.0.0.1
Mar 31 11:37:02 host1 MailScanner[11809]: Virus Scanning: Found 1 viruses
Mar 31 11:37:02 host1 MailScanner[11809]: Filename Checks: Windows/DOS Executable (E04C91000AC0 eicar.com)
Mar 31 11:37:02 host1 MailScanner[11809]: Other Checks: Found 1 problems
Mar 31 11:37:02 host1 MailScanner[11809]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040331/E04C91000AC0
Mar 31 11:37:02 host1 MailScanner[11809]: Saved infected "eicar.zip" to /var/spool/MailScanner/quarantine/20040331/E04C91000AC0
Mar 31 11:37:02 host1 MailScanner[11809]: Requeue: E04C91000AC0 to F104FB6

Virus found and message not delivered. ALL OK

If I send eicar.arj (eicar.com inside the archive):
In /var/log/maillog:
Mar 31 11:49:01 host1 MailScanner[11863]: New Batch: Scanning 1 messages, 1294 bytes
Mar 31 11:49:02 host1 MailScanner[11863]: RBL Checks: returned 0
Mar 31 11:49:02 host1 MailScanner[11863]: Created attachment dirs for 1 messages
Mar 31 11:49:02 host1 MailScanner[11863]: Virus and Content Scanning: Starting
Mar 31 11:49:02 host1 MailScanner[11863]: Commencing scanning by drweb...
Mar 31 11:49:04 host1 MailScanner[11863]: Completed scanning by drweb
Mar 31 11:49:04 host1 MailScanner[11863]: Requeue: E80061000ABF to 06AA4B8
Mar 31 11:49:04 host1 MailScanner[11863]: About to deliver 1 messages
Mar 31 11:49:04 host1 MailScanner[11863]: Uninfected: Delivered 1 messages
Mar 31 11:49:04 host1 MailScanner[11863]: MailScanner child dying of old age

Virus NOT FOUND and mail delivered.

If I interrupt MailScanner, I see that it created this:
root at host1:/# ls /var/spool/MailScanner/incoming/11908
0969B1000ABF  0969B1000ABF.header
root at host1:/# ls /var/spool/MailScanner/incoming/11908/0969B1000ABF
EICAR.ARJ  msg-11908-1.txt

If I run drweb-wrapper manually I see this:
/usr/lib/MailScanner/drweb-wrapper /opt/drweb /var/spool/MailScanner/incoming/11908/0969B1000ABF
Dr.Web (R) for Linux, version 4.31.2 (March 5, 2004)
.
/var/spool/MailScanner/incoming/11908/0969B1000ABF/msg-11908-1.txt - Ok
/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ - archive ARJ
>/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ/EICAR.COM infected with EICAR Test File (NOT a Virus!)
Scan report for "/var/spool/MailScanner/incoming/11908/0969B1000ABF":
Scanned       : 2/1             Cured      : 0
Infected      : 1/1             Deleted    : 0
Modifications : 0/0             Renamed    : 0
Suspicious    : 0/0             Moved      : 0
Scan time     : 00:00:00        Scan speed : 1 Kb/s


But the e-mail with the virus is delivered. I do not understand why.


>At 17:13 30/03/2004, you wrote:
>>I installed MS (4.28.6) and DrWeb (4.31.2). MailScanner misses viruses in
>>arj and rar archives. In zip archives it finds viruses. I see that MS takes
>>the message apart and creates a directory containing the archive with a
>>virus and a file with the text of the message. On a manual start of
>>'drweb-wrapper /opt/drweb this-path' I see that there are viruses in the
>>archive. At the same time, ClamAV works perfectly with these archives.
>>What can the problem be?
>>


Voskresenskiy Evgeniy
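The manual run above shows the two forms in which Dr.Web 4.31 reports an infection: a plain file is named directly ("<dir>/eicar.com infected with ..."), while a member of an archive is reported on a line prefixed with ">" and named as "<archive>/<member>". The post does not establish why MailScanner delivers the ARJ case, but any wrapper that reads Dr.Web output must map both forms back to the attachment MailScanner wrote to disk, or the archive case is lost. The following Python parser is an added example, not code from the MailScanner project or from the original post; the sample report copies the output shown in the post with one constructed plain "infected with" line appended, and the function names and the scan-directory layout are assumptions of this example.

```python
"""Attribute Dr.Web for Linux scan output to the attachment on disk.

Added example; not MailScanner's drweb-wrapper and not code from the
original post. Function names, the extra plain infected line in the
sample and the scan-directory layout are assumptions of this example.
"""
import re

# Constructed sample. The report lines are copied from the manual
# drweb-wrapper run in the post; the plain 'eicar.com infected with' line
# is added here to show the non-archive form seen in the zip case.
SAMPLE_OUTPUT = """\
Dr.Web (R) for Linux, version 4.31.2 (March 5, 2004)
.
/var/spool/MailScanner/incoming/11908/0969B1000ABF/msg-11908-1.txt - Ok
/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ - archive ARJ
>/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ/EICAR.COM infected with EICAR Test File (NOT a Virus!)
/var/spool/MailScanner/incoming/11908/0969B1000ABF/eicar.com infected with EICAR Test File (NOT a Virus!)
Scan report for "/var/spool/MailScanner/incoming/11908/0969B1000ABF":
Scanned       : 2/1             Cured      : 0
Infected      : 1/1             Deleted    : 0
"""

SCAN_DIR = "/var/spool/MailScanner/incoming/11908/0969B1000ABF"

# Leading '>' characters mark an archive member (one per nesting level);
# the member is reported as <archive path>/<member name>.
INFECTED_RE = re.compile(
    r"^(?P<depth>>*)(?P<path>/\S.*?) infected with (?P<name>.+)$"
)


def parse_drweb_report(output, scan_dir):
    """Map each infected attachment (a top-level file under scan_dir) to a
    list of (virus name, nesting depth) tuples reported for it or for
    members inside it."""
    prefix = scan_dir.rstrip("/") + "/"
    found = {}
    for line in output.splitlines():
        m = INFECTED_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if not path.startswith(prefix):
            # A report for a file outside this message's directory is
            # skipped rather than mis-attributed to one of our attachments.
            continue
        # The first path component under scan_dir is the file MailScanner
        # wrote to disk; for an archive member that is the archive itself.
        attachment = path[len(prefix):].split("/", 1)[0]
        found.setdefault(attachment, []).append(
            (m.group("name").strip(), len(m.group("depth")))
        )
    return found


def infected_attachments(output, scan_dir):
    """Sorted names of the attachments that must be quarantined."""
    return sorted(parse_drweb_report(output, scan_dir))


def message_is_infected(output, scan_dir):
    """True if any infected line belongs to this message, whether it names
    the attachment directly or a member inside an archive."""
    return bool(parse_drweb_report(output, scan_dir))


if __name__ == "__main__":
    for name, hits in parse_drweb_report(SAMPLE_OUTPUT, SCAN_DIR).items():
        for virus, depth in hits:
            where = "inside archive" if depth else "plain file"
            print(f"{name}: {virus} ({where})")
```

The depth counter is what distinguishes the two report forms: a non-zero depth means the infected name is a member, so the quarantine target is the enclosing attachment rather than the member path, which does not exist on disk.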
