difficulty with MS and drweb

Julian Field mailscanner at ecs.soton.ac.uk
Wed Mar 31 09:31:46 IST 2004


I don't think I wrote the DrWeb output handler, so I'm not taking
responsibility for the bugs :-)

In SweepViruses.pm, you will find a line saying
sub ProcessDrwebOutput {

Below that, there is a line in that function that currently says
#MailScanner::Log::InfoLog("#### $BaseDir - $id - $part");

Change that to

MailScanner::Log::InfoLog("#### $BaseDir - $id - $part - " .
join(",", @rest) . ",end");

Please then run the tests you ran before, and mail me the output from the
maillog.

At 08:49 31/03/2004, you wrote:
> >Sounds like a DrWeb-specific problem. Can you put a copy of eicar.com (from
> >www.eicar.org) in a zip file, pass it through MailScanner and let me know
> >what it reports. Does it find it when it isn't in a zip file?
>
>I started MS in debug mode.
>I sent eacare.zip (eacare.com inside the archive).
>On the display I see:
>Starting Mailscanner :  /usr/sbin/check_mailscanner
>Starting MailScanner...
>In Debugging mode, not forking...
>Stopping now as you are debugging me.
>In /var/log/maillog:
>Mar 31 11:36:08 host1 MailScanner[11809]: MailScanner E-Mail Virus Scanner version 4.28.6 starting...
>Mar 31 11:36:08 host1 MailScanner[11809]: lock.pl sees Config  LockType = flock
>Mar 31 11:36:08 host1 MailScanner[11809]: lock.pl sees have_module =  0
>Mar 31 11:36:08 host1 MailScanner[11809]: Using locktype = flock
>Mar 31 11:36:58 host1 MailScanner[11809]: New Batch: Scanning 1 messages, 2718 bytes
>Mar 31 11:37:00 host1 MailScanner[11809]: RBL Checks: returned 0
>Mar 31 11:37:00 host1 MailScanner[11809]: Created attachment dirs for 1 messages
>Mar 31 11:37:00 host1 MailScanner[11809]: Virus and Content Scanning: Starting
>Mar 31 11:37:00 host1 MailScanner[11809]: Commencing scanning by drweb...
>Mar 31 11:37:02 host1 MailScanner[11809]: /var/spool/MailScanner/incoming/11809/E04C91000AC0/eicar.com infected with EICAR Test File (NOT a Virus!)
>Mar 31 11:37:02 host1 MailScanner[11809]: Completed scanning by drweb
>Mar 31 11:37:02 host1 MailScanner[11809]: Virus Scanning: DrWeb found 1 infections
>Mar 31 11:37:02 host1 MailScanner[11809]: Infected message E04C91000AC0 came from 127.0.0.1
>Mar 31 11:37:02 host1 MailScanner[11809]: Virus Scanning: Found 1 viruses
>Mar 31 11:37:02 host1 MailScanner[11809]: Filename Checks: Windows/DOS Executable (E04C91000AC0 eicar.com)
>Mar 31 11:37:02 host1 MailScanner[11809]: Other Checks: Found 1 problems
>Mar 31 11:37:02 host1 MailScanner[11809]: Saved infected "eicar.com" to /var/spool/MailScanner/quarantine/20040331/E04C91000AC0
>Mar 31 11:37:02 host1 MailScanner[11809]: Saved infected "eicar.zip" to /var/spool/MailScanner/quarantine/20040331/E04C91000AC0
>Mar 31 11:37:02 host1 MailScanner[11809]: Requeue: E04C91000AC0 to F104FB6
>
>Virus found and message not delivered. ALL OK
>
>If I send eacare.arj (eacare.com inside the archive),
>in /var/log/maillog:
>Mar 31 11:49:01 host1 MailScanner[11863]: New Batch: Scanning 1 messages, 1294 bytes
>Mar 31 11:49:02 host1 MailScanner[11863]: RBL Checks: returned 0
>Mar 31 11:49:02 host1 MailScanner[11863]: Created attachment dirs for 1 messages
>Mar 31 11:49:02 host1 MailScanner[11863]: Virus and Content Scanning: Starting
>Mar 31 11:49:02 host1 MailScanner[11863]: Commencing scanning by drweb...
>Mar 31 11:49:04 host1 MailScanner[11863]: Completed scanning by drweb
>Mar 31 11:49:04 host1 MailScanner[11863]: Requeue: E80061000ABF to 06AA4B8
>Mar 31 11:49:04 host1 MailScanner[11863]: About to deliver 1 messages
>Mar 31 11:49:04 host1 MailScanner[11863]: Uninfected: Delivered 1 messages
>Mar 31 11:49:04 host1 MailScanner[11863]: MailScanner child dying of old age
>
>Virus NOT FOUND and mail delivered.
>
>If I interrupt MailScanner, I see that it created this:
>root@host1:/# ls /var/spool/MailScanner/incoming/11908
>0969B1000ABF  0969B1000ABF.header
>root@host1:/# ls /var/spool/MailScanner/incoming/11908/0969B1000ABF
>EICAR.ARJ  msg-11908-1.txt
>
>If I run drweb-wrapper manually I see this:
>/usr/lib/MailScanner/drweb-wrapper  /opt/drweb /var/spool/MailScanner/incoming/11908/0969B1000ABF
>Dr.Web (R) for Linux, version 4.31.2 (March 5, 2004)
>.
>/var/spool/MailScanner/incoming/11908/0969B1000ABF/msg-11908-1.txt - Ok
>/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ - archive ARJ
> >/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ/EICAR.COM infected with EICAR Test File (NOT a Virus!)
>Scan report for "/var/spool/MailScanner/incoming/11908/0969B1000ABF":
>Scanned       : 2/1             Cured      : 0
>Infected      : 1/1             Deleted    : 0
>Modifications : 0/0             Renamed    : 0
>Suspicious    : 0/0             Moved      : 0
>Scan time     : 00:00:00        Scan speed : 1 Kb/s
>
>
>But the e-mail with the virus is delivered. I do not understand why.
>
>
> >At 17:13 30/03/2004, you wrote:
> >>I installed MS (4.28.6), DrWeb (4.31.2). MailScanner misses viruses in
> >>arj and rar archives. In zip archives it finds viruses. I see that MS
> >>takes the letter apart and creates a directory containing the archive
> >>with a virus and a file with the text of the letter. When I run
> >>'drweb-wrapper /opt/drweb this-path' manually I see that the viruses in
> >>the archive are found. Yet ClamAV works perfectly with these archives.
> >>What could the problem be?
> >>
>
>
>Voskresenskiy Evgeniy

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
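As an added illustration (not MailScanner's own code, and not the handler Julian refers to): the manual drweb-wrapper run above reports the ARJ member on a line prefixed with ">", while a top-level file is reported on a line that begins with its path. The Python below, using a constructed report built from those line shapes and an assumed BASE_DIR/<pid>/<id>/<part> layout, contrasts a parser that only accepts lines starting with a path with one that maps nested members back to the outer attachment.

```python
import re
from collections import defaultdict

# Constructed sample, assembled from the line shapes quoted in the thread:
# a clean file ends in " - Ok", an archive container in " - archive ARJ",
# and a member of an archive is reported on its own line prefixed with ">".
SAMPLE_REPORT = """\
Dr.Web (R) for Linux, version 4.31.2 (March 5, 2004)
/var/spool/MailScanner/incoming/11908/0969B1000ABF/msg-11908-1.txt - Ok
/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ - archive ARJ
>/var/spool/MailScanner/incoming/11908/0969B1000ABF/EICAR.ARJ/EICAR.COM infected with EICAR Test File (NOT a Virus!)
/var/spool/MailScanner/incoming/11809/E04C91000AC0/eicar.com infected with EICAR Test File (NOT a Virus!)
Scan report for "/var/spool/MailScanner/incoming/11908/0969B1000ABF":
Scanned       : 2/1             Cured      : 0
"""

BASE_DIR = "/var/spool/MailScanner/incoming"  # assumed: BASE_DIR/<pid>/<id>/<part>

# A pattern that expects every report line to start with the file path.
NAIVE_RE = re.compile(r"^(/\S+) infected with (.+)$")
# DrWeb marks archive members with leading ">" characters (one per nesting
# level); the path that follows continues past the attachment into the archive.
INFECTED_RE = re.compile(r"^(?P<depth>>*)(?P<path>\S+) infected with (?P<name>.+)$")

def naive_parse(report):
    """Path-anchored parse: an archive member's '>' line never matches."""
    hits = defaultdict(list)
    for line in report.splitlines():
        m = NAIVE_RE.match(line)
        if m and m.group(1).startswith(BASE_DIR + "/"):
            parts = m.group(1)[len(BASE_DIR) + 1:].split("/")
            hits[(parts[1], parts[2])].append(m.group(2))
    return dict(hits)

def parse_drweb_report(report):
    """Map every infection, nested or not, to (message id, attachment name)."""
    hits = defaultdict(list)
    for line in report.splitlines():
        m = INFECTED_RE.match(line)
        if not m or not m.group("path").startswith(BASE_DIR + "/"):
            continue
        parts = m.group("path")[len(BASE_DIR) + 1:].split("/")
        if len(parts) < 3:
            continue  # not a file inside an attachment directory
        msg_id, part = parts[1], parts[2]   # parts[3:] are archive members
        member = "/".join(parts[3:]) or None
        hits[(msg_id, part)].append((member, m.group("name")))
    return dict(hits)

if __name__ == "__main__":
    print("naive:", naive_parse(SAMPLE_REPORT))   # misses the ARJ member
    print("fixed:", parse_drweb_report(SAMPLE_REPORT))
```

The naive parser reports only the zip case's eicar.com, which mirrors the two maillog excerpts above; the second parser also attributes the EICAR.ARJ member to message 0969B1000ABF so the attachment can be quarantined.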
