Problem with AVG scanner - MailScanner does not recognize virus

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jan 30 19:00:23 GMT 2006 

There is a slight adaptation that needs to be written for the output 
parser as well.
  return 0 unless $line =~ /Virus identified +(.+)$/;
instead of the line very like it at the top of ProcessAvgOutput in 
SweepViruses.pm.

This will be in the next release.

Vladimir M Costa wrote:
> Pavel,
>
>
> 	For AVG for linux versions 7.0.12 and higher, new instalation 
> is into /opt/grisoft/avg7 subtree.
>
> Change the installation directory in the configuration file 
> /etc/Mailscanner/virus.scanners.conf to /opt/grisoft/avg7
>
>
> regards,
>
> Vladimir M Costa
>
>   
>> Hi there!
>>
>> I am using Mailscanner (currently updated to beta 4.50.12) with two virus
>> scanners - AVG and Bitdefender.
>> It seems to me, that from certain update of AVG system MailScanner stoped
>> recognizing viruses identified by AVG.
>>
>> I tested it by sending eicar to me.
>>
>> Message was processed by MS and in /tmp dir I have found log from AVG
>> scanning:
>>
>> avg log file (/tmp/log.avg.29936):
>> ----------------------------------------------------------------------------
>> -
>> AVG  7.1 Anti-Virus
>> Copyright (c) GRISOFT,s.r.o. 2005
>> Program version 7.1.23  Engine: 718 database version 267.14.23/243
>> Command line: [-report /tmp/log.avg.29936 -arc -ext=* .]
>> "./k0UF45M29934/eicar.com"  Virus identified EICAR_Test
>>
>>
>> ------------------------------------------------------------
>> Test start Mon Jan 30 16:04:15 2006
>>
>> Elapsed time 0 sec.
>> ------------------------------------------------------------
>> Scanned         files      :    3
>> Scanned         sectors    :    0
>> Infected        files      :    1
>> Infected        sectors    :    0
>> ------------------------------------------------------------
>>
>> Acording to this log, AVG detected eicar, but MS did not recognize that AVG
>> found virus.
>> Here are maillog entries for that batch:
>> -----------------------------------------------------------------------
>> Jan 30 16:04:13 server MailScanner[29912]: New Batch: Scanning 1 messages,
>> 3946 bytes
>> Jan 30 16:04:13 server MailScanner[29912]: MCP Checks completed at 12453516
>> bytes per second
>> Jan 30 16:04:13 server MailScanner[29912]: Spam Checks: Starting
>> Jan 30 16:04:13 server MailScanner[29912]: SpamAssassin cache hit for
>> message k0UF45M29934
>> Jan 30 16:04:14 server MailScanner[29912]: Spam Checks completed at 17675
>> bytes per second
>> Jan 30 16:04:14 server MailScanner[29912]: Virus and Content Scanning:
>> Starting
>> Jan 30 16:04:18 server MailScanner[29912]: k0UF45M29934/eicar.com:infected:
>> EICAR-Test-File (not a virus)
>> Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Bitdefender found
>> 1 infections
>> Jan 30 16:04:18 server MailScanner[29912]: Infected message k0UF45M29934
>> came from 69.20.55.130
>> Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning: Found 1 viruses
>> Jan 30 16:04:18 server MailScanner[29912]: Virus Scanning completed at 891
>> bytes per second
>> Jan 30 16:04:18 server MailScanner[29912]: Saved entire message to
>> /home/data/mailscanner/quarantine/20060130/k0UF45M29934
>> Jan 30 16:04:18 server MailScanner[29912]: Saved infected "eicar.com" to
>> /home/data/mailscanner/quarantine/20060130/k0UF45M29934
>> Jan 30 16:04:18 server MailScanner[29912]: Viruses marked as silent:
>> Bitdefender: Found virus EICAR-Test-File (not a virus) in file eicar.com
>> Jan 30 16:04:18 server sendmail[29943]: k0UF4Ie29943:
>> from=postmaster at trul.cz, size=1447, class=0, nrcpts=1,
>> msgid=<200601301504.k0UF4Ie29943 at server.trul>, relay=root at localhost
>> Jan 30 16:04:18 server MailScanner[29912]: Notices: Warned about 1 messages
>> Jan 30 16:04:18 server MailScanner[29912]: Virus Processing completed at
>> 22175 bytes per second
>> Jan 30 16:04:18 server MailScanner[29912]: Disinfection completed at
>> 23212796 bytes per second
>> Jan 30 16:04:18 server MailScanner[29912]: Batch completed at 794 bytes per
>> second (3946 / 4)
>> Jan 30 16:04:18 server MailScanner[29912]: Batch processed in 4.97 seconds
>> Jan 30 16:04:18 server MailScanner[29912]: "Always Looked Up Last" took 0.00
>> seconds
>> ----------------------------------------------------------------------------
>> ---------
>>
>> So if I am right, then MS reconizes that only Bitdefender found virus,
>> however AVG found that too (according to log).
>>
>> I have run AVG via wrapper on whole quarantine dir and got this:
>> ----------------------------------------------------------------------
>> [root at server quarantine]# /usr/lib/MailScanner/avg-wrapper /usr/local .
>> AVG7 Anti-Virus command line scanner
>> Copyright (c) 2005 GRISOFT, s.r.o.
>> Program version 7.1.23, engine 718
>> Virus Database: Version 267.14.23/243  2006-01-27
>> License type is FULL for SERVER.
>> Expiration day: 25. 10. 2007
>> ./20060124/spam/k0O2Fbq19306  Virus found Worm/Feebs
>> ./20060124/spam/k0OD9Cq01779  Virus found Worm/Feebs
>> ./20060124/spam/k0ODACq01874  Virus found Worm/Feebs
>> ./20060125/k0PAM9829845/eicar.com  Virus identified EICAR_Test
>> ./20060125/k0PAM9829845/message  Virus identified EICAR_Test (+1)
>> ./20060125/k0PAeen30411/eicar.com  Virus identified EICAR_Test
>> ./20060125/k0PAeen30411/message  Virus identified EICAR_Test (+1)
>> ./20060125/nonspam/k0PAM9829845  Virus identified EICAR_Test (+1)
>> ./20060125/nonspam/k0PAeen30411  Virus identified EICAR_Test (+1)
>> ./20060125/nonspam/k0PIOtn08366  Virus found Worm/Feebs
>> ./20060125/spam/k0PA5cq29321  Virus found Worm/Feebs
>> ./20060130/k0UEuSM29727/eicar.com  Virus identified EICAR_Test
>> ./20060130/k0UEuSM29727/message  Virus identified EICAR_Test (+1)
>> ./20060130/k0UF45M29934/eicar.com  Virus identified EICAR_Test
>> ./20060130/k0UF45M29934/message  Virus identified EICAR_Test (+1)
>> ./20060130/nonspam/k0UEuSM29727  Virus identified EICAR_Test (+1)
>> ./20060130/nonspam/k0UF45M29934  Virus identified EICAR_Test (+1)
>> Tested: 2660 files, 0 sectors
>> Infections: 17
>> Errors: 0
>> ------------------------------------------------------------------------
>>
>> So I think that there is problem in parsing AVG output in MS.
>>
>> And 1 more problem with avg-wrapper - it does not delete report files in
>> /tmp dir. Files are staying there until manualy deleted.
>>
>> With regards
>> Pavel Zichovsky (zichovsky at trul)
>>  
>>
>>     
>
>   

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the MailScanner mailing list