worm emails marked as possible spam

Ken Goods KGoods at AIAINSURANCE.COM
Fri Dec 2 16:13:13 GMT 2005



IT Dept wrote:
> Ken Goods wrote:
> 
>> In my case I had two versions of ClamAV running on my machine and
>> running scanscan from the command line would use the newer version
>> and catch the viruses but MailScanner using the wrapper was using
>> the older version and wouldn't. 
>> 
>> Thanks to the sharp eye (and much more experience) of Glenn Steen,
>> the light bulb finally went off. If you think there's any chance of
>> this being your problem take a look at the Antivirus woes... thread
>> from yesterday. 
>> 
>> 
> Ken,
> 
> You may be on to something here. If I do:
> 
> # rpm -qa | grep -i clam
> webppliance-clamav-frontend-3.7.1-10
> clamav-0.65-4
> webppliance-clamav-3.7.1-10
> 
> According to RPM, I have 0.65-4 of ClamAV installed, but from the
> shell, I get something different:
> 
> # clamscan --version
> ClamAV 0.87.1/1200/Thu Dec  1 09:26:35 2005
> 
> Unfortunately, I don't have yesterday's threads (this mailbox got a
> bit overstuffed), so I missed a bunch. Any hints on how to resolve?
> 
> Thanks,
> Chris

Good morning Chris,

I simply did an rpm -e to remove the old one (actually I did a rpm -evv -test
first just to see what was going to happen). Then I changed the
virus.scanner.conf to point to the correct path of Clam 87.1 and then for
good measure I ran Julian's install ClamAV-SA script again. All is well now.
I'll copy in the message from Glenn that did the trick for me.

Message from Glenn:

On 30/11/05, Ken Goods <KGoods at aiainsurance.com> wrote:
> Glenn Steen wrote:
> > On 29/11/05, Ken Goods <KGoods at aiainsurance.com> wrote:
> >> Greetings list...
(snip)
>
> First.. thanks to all who responded and for the excellent suggestions for
> debugging.
>
> Update.. bitdefender is working and caught its first virus through
> MailScanner at 10:18pm PST last night. I thought I had restarted MS after
> making a change to virus.scanners.conf but maybe not.
> I had mistakenly entered the path all the way to the bdc program instead of
> just the path.. i.e.
>
> bitdefender     /usr/lib/MailScanner/bitdefender-wrapper /opt/bdc/bdc <-
> *here*
>
> Must have got going after MailScanner's normal restart.

Ah, good.

>
> But for ClamAV still no joy.
>
> I'll answer everyone's questions here.
>
> Ugo,
> virus.scanners.conf looks good and ClamAV seems to be updating fine
> according to the output of update_virus_scanners in the log.
> Nov 30 08:09:06 gw-mail update.virus.scanners: Found bitdefender installed
> Nov 30 08:09:06 gw-mail update.virus.scanners: Running autoupdate for bitdefender
> Nov 30 08:09:33 gw-mail BitDefender-autoupdate[14702]: BitDefender starting update
> Nov 30 08:09:37 gw-mail BitDefender-autoupdate[14702]: BitDefender updated
> Nov 30 08:10:24 gw-mail update.virus.scanners: Found clamav installed
> Nov 30 08:10:24 gw-mail update.virus.scanners: Running autoupdate for clamav
> Nov 30 08:10:25 gw-mail ClamAV-autoupdate[14719]: ClamAV did not need updating
>

Yes, but which one is it updating?

> Glenn,
> [root at gw-mail root]# which clamscan
> /usr/local/bin/clamscan
> Could this be a problem? I installed ClamAV & SA using Julian's script
> thinking that this would take care of the path problems that I have run into
> before. I'm running RH9.0 if it matters...

Just to be "specific", this is what you've reported having in the
virus.scanners.conf:
clamav          /usr/lib/MailScanner/clamav-wrapper     /usr

And as you've shown above, the wrapper can use this to find a
(probably RPM-installed) clamav (actually clamscan) in /usr/bin ...
However, the above shows that /usr/local/bin comes before /usr/bin in
your PATH, and there you have another install of clamav... Which is
used when invoking clamscan from the command line.

If you are to use the same clamscan as from the command line, you need
to change that to
clamav          /usr/lib/MailScanner/clamav-wrapper     /usr/local

.... I would recommend that you also remove every last trace of any
clamav RPM install and, after doing that, reinstall Jules' package (in
case the rpm -e has ... made something crucial ... go away:).

Which signature files are used is the next thing to look at... I don't
remember if the RPM versions of clamav floating around are split into
one program package and one "database" package, or if it's a
monolithic thing (I've been building this from source a long time
now... Can't really wait for someone to package it for me... Well,
perhaps excepting Jules;). If it is a separate package, remove that
one too.... Probably should do that at the same time the program goes.

>
> [root at gw-mail root]# /opt/bdc/bdc --log=/tmp/testbdc --all
> /var/spool/MailScanner/quarantine/20051129/jATKRZ2n029044/File-packed_dataInfo.exe
> BDC/Linux-Console v7.1 (build 2559) (i386) (Jul  6 2005 16:28:53)
> Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.
> Warning: unknown parameter: --all
(snip)
> Works fine but seems like it doesn't like the --all parameter for some
> reason... I had tried that yesterday.

Quirky... Oh well, probably nothing to worry about (I've checked, and
mine accept both "--all" and "-all", without the citation marks (of
course)).

(snip)
> But like I said, bitdefender seems to be working through MailScanner this
> morning. So all is hopefully well with bdc...
>
> Kevin,
> [root at gw-mail root]# clamscan --debug 2>&1 | head -n 1
> LibClamAV debug: Loading databases from /var/clamav
>
> and an ls -l gives:
> [root at gw-mail log]# cd /var/clamav
> [root at gw-mail clamav]# ls -l
> total 8200
> -rw-r--r--    1 clamav   clamav     175561 Nov 29 02:15 daily.cvd
> -rw-r--r--    1 clamav   clamav     177776 Nov  9  2004 daily.cvd.old
> -rw-r--r--    1 clamav   clamav     154914 May 16  2005 daily.cvd.rpmnew
> -rw-r--r--    1 clamav   clamav     198913 Apr 10  2005 daily.cvd.rpmsave
> -rw-r--r--    1 clamav   clamav    2560365 Sep 10 07:08 main.cvd
> -rw-r--r--    1 clamav   clamav    1284637 Sep 16  2004 main.cvd.old
> -rw-r--r--    1 clamav   clamav    2014018 May 16  2005 main.cvd.rpmnew
> -rw-r--r--    1 clamav   clamav    1784802 Mar  7  2005 main.cvd.rpmsave
> [root at gw-mail clamav]#
>
> I assume this is ok. Where are the paths to the databases and clamscan
> configured for MailScanner? I should probably double check that they are
> correct.
>
> Thanks all,
> Ken
(snip)
I wouldn't be so sure that it's OK. What does
/usr/bin/clamscan --version
and
/usr/local/bin/clamscan --version
give? I'm pretty sure it'll show a less than optimal combination in
the first instance... Which is why you probably should take my advice
above and go for "only one clamav on this system";-).

Cheers
--
-- Glenn

Hope this gets you all fixed up!
Kind regards,
Ken



Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.
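The mismatch Glenn diagnoses above (MailScanner's wrapper running the clamscan under the prefix given in virus.scanners.conf, while the shell runs whichever clamscan is first on PATH) can be checked mechanically. The script below is an added example, not code from the thread or from the MailScanner project. It assumes the virus.scanners.conf line format shown above (`clamav  <wrapper>  <prefix>`) and that the wrapper runs `<prefix>/bin/clamscan`; the two fake clamscan binaries and the conf file it builds in a temporary directory are constructed to reproduce the 0.65 vs 0.87.1 situation in the thread, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the list post): detect a "two clamav installs" split
# between what MailScanner's clamav-wrapper runs and what an interactive
# shell runs. Assumption: the wrapper takes the install prefix from the third
# field of the clamav line in virus.scanners.conf and runs <prefix>/bin/clamscan.

# clamscan the wrapper would run for a given virus.scanners.conf (first clamav line).
wrapper_clamscan() {
    conf="$1"
    prefix=$(awk '$1 == "clamav" { print $3; exit }' "$conf")
    [ -n "$prefix" ] || return 1
    printf '%s/bin/clamscan\n' "$prefix"
}

# clamscan an interactive shell would run under a given PATH (subshell keeps PATH local).
path_clamscan() {
    (PATH="$1"; command -v clamscan)
}

# Version string of a binary, or a marker if it is not runnable.
version_of() {
    if [ -x "$1" ]; then "$1" --version 2>/dev/null; else echo "(not executable)"; fi
}

# Compare the two resolutions. Returns 0 on match, 1 on mismatch, 2 if either is missing.
check_clamscan_consistency() {
    conf="$1"; searchpath="$2"
    w=$(wrapper_clamscan "$conf") || { echo "no clamav line in $conf"; return 2; }
    p=$(path_clamscan "$searchpath") || { echo "no clamscan on PATH"; return 2; }
    if [ "$w" = "$p" ]; then
        echo "OK: MailScanner and shell both use $w ($(version_of "$w"))"
        return 0
    fi
    echo "MISMATCH: MailScanner wrapper uses $w ($(version_of "$w"))"
    echo "          shell PATH resolves to    $p ($(version_of "$p"))"
    return 1
}

# Constructed sandbox reproducing the thread: an RPM-style 0.65 under usr/bin,
# a source-built 0.87.1 under usr/local/bin, and a conf pointing at the usr prefix.
# Prints the sandbox root directory.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    printf '#!/bin/sh\necho "ClamAV 0.65"\n' > "$root/usr/bin/clamscan"
    printf '#!/bin/sh\necho "ClamAV 0.87.1"\n' > "$root/usr/local/bin/clamscan"
    chmod +x "$root/usr/bin/clamscan" "$root/usr/local/bin/clamscan"
    printf 'clamav\t/usr/lib/MailScanner/clamav-wrapper\t%s/usr\n' "$root" \
        > "$root/virus.scanners.conf"
    echo "$root"
}

# Demo: PATH has usr/local/bin first, as in Ken's "which clamscan" output.
sb=$(make_sandbox)
check_clamscan_consistency "$sb/virus.scanners.conf" "$sb/usr/local/bin:$sb/usr/bin" || true
```

On a real box you would call `check_clamscan_consistency /etc/MailScanner/virus.scanners.conf "$PATH"` instead of the sandbox; a MISMATCH verdict is exactly the state the thread describes, and pointing the conf prefix at the install you actually want (or removing the other install) turns it into OK.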

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
