Anti-virus woes...

Ken Goods KGoods at AIAINSURANCE.COM
Wed Nov 30 16:47:05 GMT 2005



Glenn Steen wrote:
> On 29/11/05, Ken Goods <KGoods at aiainsurance.com> wrote:
>> Greetings list...
>> 
snip....
> 
> Well, something is definitely up... The pertinent part of the script
> looks like: ----------
> umask 077
> ${PackageDir}/$prog --log=$LogFile "$@" >/dev/null 2>&1
> cat $LogFile
> rm  $LogFile
> exit 0
> ----------
> So if the bdc program ($prog) is unable to create the file $LogFile
> (/tmp/log.bdc.$$ more or less), you will not see why because of the
> ">/dev/null 2>&1" construct (which will print any direct output to
> STDOUT and STDERR to the bit-bucket). Try running
> /opt/bdc/bdc --log=/tmp/anyfilename --all /var/spool/MailScanner/quarantine/20051129/jATKRZ2n029044/File-packed_dataInfo.exe
> .... and see what it carps about.
> 
snip...
> You need specify a scan option ... "--all" isn't a bad choice:-)
> 
> Probably due to your initial troubles... Which we can hope are related
> to permissions on /tmp.
> 
> (snip)

First.. thanks to all who responded and for the excellent suggestions for
debugging.

Update.. bitdefender is working and caught its first virus through
MailScanner at 10:18pm PST last night. I thought I had restarted MS after
making a change to virus.scanners.conf but maybe not. 
I had mistakenly entered the path all the way to the bdc program instead of
just the path.. i.e.

bitdefender     /usr/lib/MailScanner/bitdefender-wrapper /opt/bdc/bdc <- *here*

Must have got going after MailScanner's normal restart. 

But for ClamAV still no joy.

I'll answer everyone's questions here.

Ugo, 
virus.scanners.conf looks good and ClamAV seems to be updating fine
according to the output of update_virus_scanners in the log. 
Nov 30 08:09:06 gw-mail update.virus.scanners: Found bitdefender installed
Nov 30 08:09:06 gw-mail update.virus.scanners: Running autoupdate for
bitdefender
Nov 30 08:09:33 gw-mail BitDefender-autoupdate[14702]: BitDefender starting
update
Nov 30 08:09:37 gw-mail BitDefender-autoupdate[14702]: BitDefender updated
Nov 30 08:10:24 gw-mail update.virus.scanners: Found clamav installed
Nov 30 08:10:24 gw-mail update.virus.scanners: Running autoupdate for clamav
Nov 30 08:10:25 gw-mail ClamAV-autoupdate[14719]: ClamAV did not need
updating


Glenn,
[root at gw-mail root]# which clamscan
/usr/local/bin/clamscan
Could this be a problem? I installed ClamAV & SA using Julian's script
thinking that this would take care of the path problems that I have run into
before. I'm running RH9.0 if it matters...

[root at gw-mail root]# /opt/bdc/bdc --log=/tmp/testbdc --all /var/spool/MailScanner/quarantine/20051129/jATKRZ2n029044/File-packed_dataInfo.exe
BDC/Linux-Console v7.1 (build 2559) (i386) (Jul  6 2005 16:28:53)
Copyright (C) 1996-2004 SOFTWIN SRL. All rights reserved.
Warning: unknown parameter: --all

/var/spool/MailScanner ... le-packed_dataInfo.exe  infected: Win32.Sober.AD@mm


Results:
Folders           :0
Files             :1
Packed            :0
Infected files    :1
Suspect files     :0
Warnings          :0
Identified viruses:1
I/O errors        :0

Works fine but seems like it doesn't like the --all parameter for some
reason... I had tried that yesterday.

And the testbdc file looks like this...

[root at gw-mail tmp]# cat testbdc
//
// BDC scan report
//
// Time: Wed Nov 30 07:49:14 2005
// Command line: --log=/tmp/testbdc --all /var/spool/MailScanner/quarantine/20051129/jATKRZ2n029044/File-packed_dataInfo.exe
// Core: AVCORE v1.0 (build 2266) (i386) (Mar  1 2005 19:34:16)
// Engines: scan: 13, unpack: 4, archive: 39, mail: 6
// Total signatures: 236610
//

/var/spool/MailScanner/quarantine/20051129/jATKRZ2n029044/File-packed_dataInfo.exe      infected: Win32.Sober.AD@mm


Results:
Folders           :0
Files             :1
Packed            :0
Infected files    :1
Suspect files     :0
Warnings          :0
Identified viruses:1
I/O errors        :0

But like I said, bitdefender seems to be working through MailScanner this
morning. So all is hopefully well with bdc...

Kevin,
[root at gw-mail root]# clamscan --debug 2>&1 | head -n 1
LibClamAV debug: Loading databases from /var/clamav

and an ls -l gives:
[root at gw-mail log]# cd /var/clamav
[root at gw-mail clamav]# ls -l
total 8200
-rw-r--r--    1 clamav   clamav     175561 Nov 29 02:15 daily.cvd
-rw-r--r--    1 clamav   clamav     177776 Nov  9  2004 daily.cvd.old
-rw-r--r--    1 clamav   clamav     154914 May 16  2005 daily.cvd.rpmnew
-rw-r--r--    1 clamav   clamav     198913 Apr 10  2005 daily.cvd.rpmsave
-rw-r--r--    1 clamav   clamav    2560365 Sep 10 07:08 main.cvd
-rw-r--r--    1 clamav   clamav    1284637 Sep 16  2004 main.cvd.old
-rw-r--r--    1 clamav   clamav    2014018 May 16  2005 main.cvd.rpmnew
-rw-r--r--    1 clamav   clamav    1784802 Mar  7  2005 main.cvd.rpmsave
[root at gw-mail clamav]#

I assume this is ok. Where are the paths to the databases and clamscan
configured for MailScanner? I should probably double check that they are
correct.

Thanks all,
Ken

Ken Goods
Network Administrator
AIA/CropUSA Insurance, Inc.
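One way to stop the wrapper quoted above from hiding why $LogFile was never created: keep the scanner's stderr and fail when the log is missing. This is an added example, not MailScanner's own bitdefender-wrapper; fake_bdc is a constructed stand-in for /opt/bdc/bdc used only to exercise the function.

```shell
#!/bin/sh
# Added example (not MailScanner's bitdefender-wrapper): the same umask /
# run / cat / rm sequence as the quoted script, but the scanner's stderr is
# kept instead of sent to /dev/null, so a failure to create $LogFile shows.

# run_scanner_logged SCANNER LOGFILE [SCAN-ARGS...]
# Prints the report and returns 0 if the scanner produced LOGFILE; otherwise
# reports the scanner's exit status plus its captured stderr and returns 1
# (the original wrapper ends with an unconditional "exit 0").
run_scanner_logged() {
    scanner=$1; logfile=$2; shift 2
    # stderr is captured in a temp file that does not depend on the
    # directory of LOGFILE being writable (the suspected /tmp problem)
    errfile=$(mktemp) || return 1
    rc=0
    ( umask 077; "$scanner" --log="$logfile" "$@" >/dev/null 2>"$errfile" ) || rc=$?
    if [ ! -s "$logfile" ]; then
        echo "scanner exited $rc and left no log at $logfile; stderr was:" >&2
        cat "$errfile" >&2
        rm -f "$errfile"
        return 1
    fi
    cat "$logfile"
    rm -f "$logfile" "$errfile"
    return 0
}

# Constructed stand-in for /opt/bdc/bdc (hypothetical): writes a short
# report to the --log= file, or complains on stderr and fails if it cannot.
fake_bdc() {
    log=
    for a in "$@"; do case $a in --log=*) log=${a#--log=} ;; esac; done
    if ! : >"$log" 2>/dev/null; then
        echo "bdc: cannot open log file '$log'" >&2
        return 2
    fi
    printf 'Infected files    :1\n' >"$log"
}
```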
