MailScanner 4.33.3-1 & NOD32 2.04-1
Ignacio M. Sbampato
listas at VIRUSATTACK.COM.AR
Wed Sep 8 05:21:52 IST 2004
Guys,

I'm having some trouble with the latest version of NOD32 & MailScanner (fresh
install). MailScanner is running and processing emails (according to the logs
and email headers) and it's running NOD32 (according to nod32.log - I
modified nod32-wrapper to write to the log with the param --log), but the
viruses aren't detected (the subject isn't being modified with the {VIRUS?}
text) or deleted from messages.

I'm using NOD32 2.04-1 (latest), so I configured MailScanner.conf to use
nod32-1.99 as the Virus Scanner. Virus Scanning is turned on.

I noticed some differences between the current nod32.log and the one that was
generated by previous versions of NOD32 (like the first 1.99). Now, NOD32 is
generating the log file as follows:
--------> cut <---------
Signatures database module, version 1.864 (20040907).
Archives support module, version 1.019 (20040823).
Advanced heuristics module, version 1.010 (20040902).
Command line: --log --arch --all
Scanning started on 09-08-2004, 06:09:29
object="file",
name="/var/spool/MailScanner/incoming/2699/BB75C1B819A/your_letter.pif",
virus="Win32/Netsky.D worm", action="", info="", lines=0
Scanning finished at 06:09:29, total time: 0 sec (0:00:00)
Total files: 3
Infected files: 1
Cleaned files: 0
--------> cut <---------
Could this be the problem?

According to the 'man nod32' command, the return codes of the NOD32 on-demand
scanner (/usr/sbin/nod32) are the following:
--------> cut <---------
0 - Everything ok, no viruses found.
1 - All viruses were cleaned.
10 - At least one virus was found.
100 - Internal error occurred, no scanning performed.
101 - Error occurred during archives unpacking, no scanning performed.
--------> cut <---------
Are those the return codes expected by MailScanner?
The following is some information extracted from 'maillog' related to the
NOD32 scanning result for the previous message:
--------> cut <---------
Sep 8 06:09:28 melkart MailScanner[2699]: New Batch: Scanning 1 messages, 26347 bytes
Sep 8 06:09:29 melkart MailScanner[2699]: Virus and Content Scanning: Starting
Sep 8 06:09:29 melkart postfix/smtpd[4111]: connect from unknown[192.168.0.18]
Sep 8 06:09:29 melkart MailScanner[2699]: Requeue: BB75C1B819A to D5A311B819D
Sep 8 06:09:29 melkart postfix/qmgr[2648]: D5A311B819D: from=<email at domain.com>, size=25914, nrcpt=4 (queue active)
Sep 8 06:09:29 melkart MailScanner[2699]: Uninfected: Delivered 1 messages
Sep 8 06:09:29 melkart postfix/smtpd[4111]: 6C3411B819A: client=unknown[192.168.0.18]
Sep 8 06:09:29 melkart postfix/local[4123]: D5A311B819D: to=<email at domain.com>, relay=local, delay=1, status=sent (delivered to command: /usr/local/bin/maildrop)
--------> cut <---------
If anyone can help, it'll be great =)
Regards,
Ignacio
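
The following is an added example, not part of the original post and not MailScanner's or NOD32's own code: a small Python check that parses the key="value" log layout quoted in the post, maps the exit codes quoted from 'man nod32', and flags the case where the log reports an infection but the exit code says clean. The function and constant names are hypothetical; the sample log is the excerpt from the post.

```python
import re

# Exit codes as quoted from 'man nod32' in the post.
EXIT_CODES = {0: "clean", 1: "cleaned", 10: "infected", 100: "error", 101: "error"}

# One record in the key="value" layout shown in the post; \s* tolerates the
# line wrapping seen in the e-mail. All names here are hypothetical.
RECORD = re.compile(
    r'object="(?P<object>[^"]*)",\s*name="(?P<name>[^"]*)",\s*'
    r'virus="(?P<virus>[^"]*)",\s*action="(?P<action>[^"]*)",\s*'
    r'info="(?P<info>[^"]*)"'
)
SUMMARY = re.compile(r"^(Total|Infected|Cleaned) files:\s*(\d+)\s*$", re.M)

# Log excerpt copied from the post, wrapped as it appears there.
SAMPLE_LOG = '''Scanning started on 09-08-2004, 06:09:29
object="file",
name="/var/spool/MailScanner/incoming/2699/BB75C1B819A/your_letter.pif",
virus="Win32/Netsky.D worm", action="", info="", lines=0
Scanning finished at 06:09:29, total time: 0 sec (0:00:00)
Total files: 3
Infected files: 1
Cleaned files: 0
'''


def parse_nod32_log(text):
    """Return (detections, summary) for one scan's log text."""
    detections = [m.groupdict() for m in RECORD.finditer(text) if m.group("virus")]
    summary = {k.lower(): int(v) for k, v in SUMMARY.findall(text)}
    return detections, summary


def verdict(exit_code, text):
    """Combine exit code and log; a disagreement is reported, not hidden."""
    detections, summary = parse_nod32_log(text)
    by_code = EXIT_CODES.get(exit_code, "unknown")
    log_infected = bool(detections) or summary.get("infected", 0) > 0
    if by_code == "clean" and log_infected:
        return "mismatch"  # log names a virus, exit code claims nothing found
    return by_code


if __name__ == "__main__":
    for code in (0, 10):
        print(code, verdict(code, SAMPLE_LOG))
```

Running the scanner by hand on the quarantined file and feeding its exit status and log to `verdict` shows which of the two signals a wrapper would have to rely on.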