Problem with AVG scanner - MailScanner does not recognize virus

Vladimir M Costa vlad at univap.br
Mon Jan 30 18:41:42 GMT 2006 

Pavel,


	For AVG for linux versions 7.0.12 and higher, new instalation 
is into /opt/grisoft/avg7 subtree.

Change the installation directory in the configuration file 
/etc/Mailscanner/virus.scanners.conf to /opt/grisoft/avg7


regards,

Vladimir M Costa

> Hi there!
> 
> I am using Mailscanner (currently updated to beta 4.50.12) with two virus
> scanners - AVG and Bitdefender.
> It seems to me, that from certain update of AVG system MailScanner stoped
> recognizing viruses identified by AVG.
> 
> I tested it by sending eicar to me.
> 
> Message was processed by MS and in /tmp dir I have found log from AVG
> scanning:
> 
> avg log file (/tmp/log.avg.29936):
> ----------------------------------------------------------------------------
> -
> AVG  7.1 Anti-Virus
> Copyright (c) GRISOFT,s.r.o. 2005
> Program version 7.1.23  Engine: 718 database version 267.14.23/243
> Command line: [-report /tmp/log.avg.29936 -arc -ext=* .]
> "./k0UF45M29934/eicar.com"  Virus identified EICAR_Test
> 
> 
> ------------------------------------------------------------
> Test start Mon Jan 30 16:04:15 2006
> 
> Elapsed time 0 sec.
> ------------------------------------------------------------
> Scanned         files      :    3
> Scanned         sectors    :    0
> Infected        files      :    1
> Infected        sectors    :    0
> ------------------------------------------------------------
> 
> Acording to this log, AVG detected eicar, but MS did not recognize that AVG
> found virus.
> Here are maillog entries for that batch:
> -----------------------------------------------------------------------
> Jan 30 16:04:13 server MailScanner[29912]: New Batch: Scanning 1 messages,
> 3946 bytes
> Jan 30 16:04:13 server MailScanner[29912]: MCP Checks completed at 12453516
> bytes per second
> Jan 30 16:04:13 server MailScanner[29912]: Spam Checks: Starting
> Jan 30 16:04:13 server MailScanner[29912]: SpamAssassin cache hit for
> message k0UF45M29934
> Jan 30 16:04:14 server MailScanner[29912]: Spam Checks completed at 17675
> bytes per second
> Jan 30 16:04:14 server MailScanner[29912]: Virus and Content Scanning:
> Starting
> Jan 30 16:04:18 server MailScanner[29912]: k0UF45M29934/eicar.com:infected:
> EICAR-Test-File (not a virus)
> Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Bitdefender found
> 1 infections
> Jan 30 16:04:18 server MailScanner[29912]: Infected message k0UF45M29934
> came from 69.20.55.130
> Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Found 1 viruses
> Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning completed at 891
> bytes per second
> Jan 30 16:04:18 server MailScanner[29912]: Saved entire message to
> /home/data/mailscanner/quarantine/20060130/k0UF45M29934
> Jan 30 16:04:18 server MailScanner[29912]: Saved infected "eicar.com" to
> /home/data/mailscanner/quarantine/20060130/k0UF45M29934
> Jan 30 16:04:18 server MailScanner[29912]: Viruses marked as silent:
> Bitdefender: Found virus EICAR-Test-File (not a virus) in file eicar.com
> Jan 30 16:04:18 server sendmail[29943]: k0UF4Ie29943:
> from=postmaster at trul.cz, size=1447, class=0, nrcpts=1,
> msgid=<200601301504.k0UF4Ie29943 at server.trul>, relay=root at localhost
> Jan 30 16:04:18 server MailScanner[29912]: Notices: Warned about 1 messages
> Jan 30 16:04:18 server MailScanner[29912]: Virus Processing completed at
> 22175 bytes per second
> Jan 30 16:04:18 server MailScanner[29912]: Disinfection completed at
> 23212796 bytes per second
> Jan 30 16:04:18 server MailScanner[29912]: Batch completed at 794 bytes per
> second (3946 / 4)
> Jan 30 16:04:18 server MailScanner[29912]: Batch processed in 4.97 seconds
> Jan 30 16:04:18 server MailScanner[29912]: "Always Looked Up Last" took 0.00
> seconds
> ----------------------------------------------------------------------------
> ---------
> 
> So if I am right, then MS reconizes that only Bitdefender found virus,
> however AVG found that too (according to log).
> 
> I have run AVG via wrapper on whole quarantine dir and got this:
> ----------------------------------------------------------------------
> [root at server quarantine]# /usr/lib/MailScanner/avg-wrapper /usr/local .
> AVG7 Anti-Virus command line scanner
> Copyright (c) 2005 GRISOFT, s.r.o.
> Program version 7.1.23, engine 718
> Virus Database: Version 267.14.23/243  2006-01-27
> License type is FULL for SERVER.
> Expiration day: 25. 10. 2007
> ./20060124/spam/k0O2Fbq19306  Virus found Worm/Feebs
> ./20060124/spam/k0OD9Cq01779  Virus found Worm/Feebs
> ./20060124/spam/k0ODACq01874  Virus found Worm/Feebs
> ./20060125/k0PAM9829845/eicar.com  Virus identified EICAR_Test
> ./20060125/k0PAM9829845/message  Virus identified EICAR_Test (+1)
> ./20060125/k0PAeen30411/eicar.com  Virus identified EICAR_Test
> ./20060125/k0PAeen30411/message  Virus identified EICAR_Test (+1)
> ./20060125/nonspam/k0PAM9829845  Virus identified EICAR_Test (+1)
> ./20060125/nonspam/k0PAeen30411  Virus identified EICAR_Test (+1)
> ./20060125/nonspam/k0PIOtn08366  Virus found Worm/Feebs
> ./20060125/spam/k0PA5cq29321  Virus found Worm/Feebs
> ./20060130/k0UEuSM29727/eicar.com  Virus identified EICAR_Test
> ./20060130/k0UEuSM29727/message  Virus identified EICAR_Test (+1)
> ./20060130/k0UF45M29934/eicar.com  Virus identified EICAR_Test
> ./20060130/k0UF45M29934/message  Virus identified EICAR_Test (+1)
> ./20060130/nonspam/k0UEuSM29727  Virus identified EICAR_Test (+1)
> ./20060130/nonspam/k0UF45M29934  Virus identified EICAR_Test (+1)
> Tested: 2660 files, 0 sectors
> Infections: 17
> Errors: 0
> ------------------------------------------------------------------------
> 
> So I think that there is problem in parsing AVG output in MS.
> 
> And 1 more problem with avg-wrapper - it does not delete report files in
> /tmp dir. Files are staying there until manualy deleted.
> 
> With regards
> Pavel Zichovsky (zichovsky at trul)
>  
>

More information about the MailScanner mailing list