MailScanner 4.33.3-1 & NOD32 2.04-1

Julian Field mailscanner at ecs.soton.ac.uk
Tue Sep 14 15:11:29 IST 2004


The wonderful folks at NOD32 have gone and completely changed their output
format, yet again. They must have teams of people just dedicated to
changing stuff.

Please try the attached patch to SweepViruses.pm.

At 10:32 14/09/2004, you wrote:
>Any answer? :-\
>
>----- Original Message -----
>From: "Ignacio M. Sbampato" <listas at VIRUSATTACK.COM.AR>
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Sent: Wednesday, September 08, 2004 1:21 AM
>Subject: MailScanner 4.33.3-1 & NOD32 2.04-1
>
>
> > Guys,
> >
> > I'm having some troubles with latest version of NOD32 & MailScanner (fresh
> > install). MailScanner is running and processing emails (according to logs
> > and emails headers) and it's running NOD32 (according to nod32.log - I
> > modified nod32-wrapper to write in the log with param --log) but the viruses
> > aren't detected (subject isn't being modified with {VIRUS?}text) or deleted
> > from messages.
> >
> > I'm using NOD32 2.04-1 (latest), so I configured MailScanner.conf to use
> > nod32-1.99 as Virus Scanner. Virus Scanning is turned on.
> >
> > I noted some differences between current nod32.log and the one that was
> > generated by previous versions of NOD32 (like the first 1.99). Now, NOD32 is
> > generating log file as following:
> >
> > --------> cut <---------
> >
> > Signatures database module, version 1.864 (20040907).
> > Archives support module, version 1.019 (20040823).
> > Advanced heuristics module, version 1.010 (20040902).
> >
> > Command line: --log --arch --all
> >
> > Scanning started on 09-08-2004, 06:09:29
> > object="file",
> > name="/var/spool/MailScanner/incoming/2699/BB75C1B819A/your_letter.pif",
> > virus="Win32/Netsky.D worm", action="", info="", lines=0
> >
> > Scanning finished at 06:09:29, total time: 0 sec (0:00:00)
> > Total files:    3
> > Infected files: 1
> > Cleaned files:  0
> >
> > --------> cut <---------
> >
> > Could this be the problem?
> >
> > According to 'man nod32' command, the return codes of NOD32 on-demand
> > scanner (/usr/sbin/nod32) are the following:
> >
> > --------> cut <---------
> >
> >        0   - Everything ok, no viruses found.
> >        1   - All viruses were cleaned.
> >        10  - At least one virus was found.
> >        100 - Internal error occurred, no scanning performed.
> >        101 - Error occurred during archives unpacking, no scanning
> > performed.
> >
> > --------> cut <---------
> >
> > Are those the return codes expected by MailScanner?
> >
> > The following is some information extracted from 'maillog' related to
> > previous message NOD32 scanning result:
> >
> > --------> cut <---------
> >
> > Sep  8 06:09:28 melkart MailScanner[2699]: New Batch: Scanning 1 messages,
> > 26347 bytes
> > Sep  8 06:09:29 melkart MailScanner[2699]: Virus and Content Scanning:
> > Starting
> > Sep  8 06:09:29 melkart postfix/smtpd[4111]: connect from
> > unknown[192.168.0.18]
> > Sep  8 06:09:29 melkart MailScanner[2699]: Requeue: BB75C1B819A to
> > D5A311B819D
> > Sep  8 06:09:29 melkart postfix/qmgr[2648]: D5A311B819D:
> > from=<email at domain.com>, size=25914, nrcpt=4 (queue active)
> > Sep  8 06:09:29 melkart MailScanner[2699]: Uninfected: Delivered 1
> > messages
> > Sep  8 06:09:29 melkart postfix/smtpd[4111]: 6C3411B819A:
> > client=unknown[192.168.0.18]
> > Sep  8 06:09:29 melkart postfix/local[4123]: D5A311B819D:
> > to=<email at domain.com>, relay=local, delay=1, status=sent (delivered to
> > command: /usr/local/bin/maildrop)
> >
> > --------> cut <---------
> >
> > If anyone can help, it'll be great =)
> >
> > Regards,
> >
> > Ignacio
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > 'leave mailscanner' in the body of the email.
> > Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >

    [ Part 2, Application/OCTET-STREAM (Name: "SweepViruses.pm.patch")  ]
    [ 1.3KB. ]
    [ Unable to print this part. ]


    [ Part 3: "Attached Text" ]

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
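
The failure mode in this thread (scanner output changes, the wrapper's parser silently matches nothing, infected mail is delivered as "Uninfected") can be caught by cross-checking the parsed log against the scanner's exit code and summary line. The sketch below is an added example, not MailScanner's SweepViruses.pm and not the attached patch; the function names are hypothetical, and it assumes each `object=...` record sits on one physical line (the e-mail wrapped it across three).

```python
import re

# key="value" or key=123 pairs, as in the NOD32 2.04 log quoted in the thread.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\d+))')
SUMMARY = re.compile(r'Infected files:\s*(\d+)')

# Constructed sample: the quoted log, with the record joined onto one line.
SAMPLE_LOG = '''Command line: --log --arch --all

Scanning started on 09-08-2004, 06:09:29
object="file", name="/var/spool/MailScanner/incoming/2699/BB75C1B819A/your_letter.pif", virus="Win32/Netsky.D worm", action="", info="", lines=0

Scanning finished at 06:09:29, total time: 0 sec (0:00:00)
Total files:    3
Infected files: 1
Cleaned files:  0
'''

def parse_nod32_log(text):
    """Return ([(path, virus), ...], count from the 'Infected files' summary)."""
    infections, reported = [], None
    for line in text.splitlines():
        m = SUMMARY.match(line.strip())
        if m:
            reported = int(m.group(1))
            continue
        fields = {k: quoted or number for k, quoted, number in PAIR.findall(line)}
        if fields.get("object") == "file" and fields.get("virus"):
            infections.append((fields.get("name", ""), fields["virus"]))
    return infections, reported

def verdict(exit_code, log_text):
    """Combine the exit code (per 'man nod32' above) with the parsed log."""
    infections, reported = parse_nod32_log(log_text)
    if exit_code not in (0, 1, 10):
        return "scan-error"        # 100, 101, or anything unexpected: fail closed
    scanner_found = exit_code in (1, 10) or (reported or 0) > 0
    if scanner_found and not infections:
        return "parser-mismatch"   # scanner saw a virus, parser matched nothing
    return "infected" if infections else "clean"
```

A `parser-mismatch` result is the condition to alert on and quarantine for: it means the scanner reported a detection that the wrapper could not attribute to a file.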
