MailScanner --lint doesn't check Eicar virus - OK here!
Michael Mansour
micoots at yahoo.com
Fri Dec 7 02:05:45 GMT 2007
Hi Phil,
--- "Randal, Phil" <prandal at herefordshire.gov.uk>
wrote:
> I've finally tracked this down:
>
> yumming from the rpmforge repo had updated
> perl-MIME-Tools to version
> 5.424.
>
> Downgrading to 5.420 made things work:
I'm so glad you worked this one out. I also did the
downgrade and discovered that the "block of wmv files"
subject I'd sent through the list also was resolved
ie. blocking attachments was now working again.
What you, and anyone else using the perl-MIME-tools
update would have found is, that you weren't actually
blocking any attachments anymore, as for me this is
what had happened.
You see, the reason the Eicar virus test was failing
was because the MIME checking was broken with the
perl-MIME-tools update.
I asked this question previously in the "block of wmv
files" subject in the mailing list, asking/commenting
that I couldn't be the only one experiencing this
problem but others either didn't test it or were
oblivious to the fact that attachment checking was no
longer working for them.
With this trouble-shooting and resolution (and letting
us know about it here), you've hit at least 2 birds
with the one stone.
Good work mate and thanks again.
Michael.
> # MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.2) is
> correct.
>
> Your envelope_sender_header in
> spam.assassin.prefs.conf is correct.
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners = clamavmodule
> mcafee"
> Found these virus scanners installed: clamavmodule,
> mcafee
>
========================================================================
> ===
>
========================================================================
> ===
>
> If any of your virus scanners (clamavmodule,mcafee)
> are not listed there, you should check that they are
> installed correctly
> and that MailScanner is finding them correctly via
> its
> virus.scanners.conf.
> [root at mx1 src]# rpm -Uvh
> perl-MIME-tools-5.420-2.el5.rf.noarch.rpm
> --force
> Preparing...
> ###########################################
> [100%]
> 1:perl-MIME-tools
> ###########################################
> [100%]
> [root at mx1 src]# MailScanner --lint
> Trying to setlogsock(unix)
> Checking version numbers...
> Version number in MailScanner.conf (4.66.2) is
> correct.
>
> Your envelope_sender_header in
> spam.assassin.prefs.conf is correct.
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners = clamavmodule
> mcafee"
> Found these virus scanners installed: clamavmodule,
> mcafee
>
========================================================================
> ===
>
========================================================================
> ===
> Virus Scanner test reports:
> ClamAVModule said "eicar.com was infected:
> Eicar-Test-Signature"
> McAfee said "/1/eicar.com Found: EICAR test
> file NOT a virus."
>
> If any of your virus scanners (clamavmodule,mcafee)
> are not listed there, you should check that they are
> installed correctly
> and that MailScanner is finding them correctly via
> its
> virus.scanners.conf.
>
> This might have had other side-effects other than
> the antivirus lint.
>
> Cheers,
>
> Phil
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>
>
> ________________________________
>
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]
> On Behalf Of Randal,
> Phil
> Sent: 29 November 2007 13:58
> To: MailScanner discussion
> Subject: RE: MailScanner --lint doesn't check Eicar
> virus - OK
> here!
>
>
> Michael,
>
> Which version of RedHat are you running?
>
> I see the problem on CentOS 5.0.
>
> It may a side effect of force-installing the perl
> update.
>
> It would be nice to know what's actually happening
> and what the
> fix is, though. I'm not a perl guru so it's beyond
> me.
>
> Cheers,
>
> Phil
> --
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
>
>
>
> ________________________________
>
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]
> On Behalf Of Michael
> Mansour
> Sent: 29 November 2007 06:13
> To: MailScanner discussion
> Subject: RE: MailScanner --lint doesn't check
> Eicar
> virus - OK here!
>
>
> Hi Quentin,
>
> Quentin Campbell <Q.G.Campbell at newcastle.ac.uk>
> wrote:
>
> Phil
>
> It appears to work here. I get a different
> result to you:
>
>
> This is very strange then.
>
> This begs the question, in what cases does this
> --lint
> fail with the Eicar virus check?
>
> I'm pretty sure I saw the test pass with Eicar in
> there
> when I upgraded to MailScanner 4.65.3 (not certain
> but pretty sure), but
> only recently noticed that Eicar was no longer
> there. This may have
> happened after some perl errata upgrades on Linux
> recently released by
> Red Hat.
>
> I'm just interested to know now that if this is
> the
> case, then was would cause that symptom and is it
> causing other problems
> I can't see?
>
> Michael.
>
>
> [root at cheviot4 MailScanner]# MailScanner --lint
> Checking version numbers...
> Version number in MailScanner.conf (4.65.3) is
> correct.
>
> Your envelope_sender_header in
> spam.assassin.prefs.conf is correct.
>
> Checking for SpamAssassin errors (if you use
> it)...
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin reported no errors.
> MailScanner.conf says "Virus Scanners =
> clamavmodule mcafee"
> Found these virus scanners installed:
> clamavmodule, mcafee
>
>
========================================================================
> ===
>
>
========================================================================
> ===
> Virus Scanner test reports:
> ClamAVModule said "eicar.com was infected:
> Eicar-Test-Signature"
> McAfee said "/1/eicar.com Found: EICAR test file
> NOT a virus."
>
> If any of your virus scanners
> (clamavmodule,mcafee)
> are not listed there, you should check that they
> are installed correctly
> and that MailScanner is finding them correctly
> via its virus.scanners.conf.
> [root at cheviot4 MailScanner]#
>
> Quentin
> ---
> PHONE: +44 191 222 8209 Information Systems
> and Services (ISS),
> Newcastle University,
> Newcastle upon Tyne,
> FAX: +44 191 222 8765 United Kingdom, NE1
> 7RU.
>
>
------------------------------------------------------------------------
>
>
>
>
>
> >-----Original Message-----
> >From:
> mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-
> >bounces at lists.mailscanner.info] On Behalf Of
> Randal, Phil
> >Sent: 28 November 2007 14:10
> >To: MailScanner discussion
> >Subject: RE: MailScanner --lint doesn't check
> Eicar virus
> >
> >Well spotted!
> >
> >Confirming that it is broken in 4.65.3
> >
> ># MailScanner --lint
> >Checking version numbers...
> >Version number in MailScanner.conf (4.65.3) is
> correct.
> >
> >Your envelope_sender_header in
> spam.assassin.prefs.conf is correct.
> >
> >Checking for SpamAssassin errors (if you use
> it)...
> >SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-
> >Temp
> >SpamAssassin reported no errors.
> >MailScanner.conf says "Virus Scanners =
> clamavmodule mcafee"
> >Found these virus scanners installed:
> clamavmodule, mcafee
>
>
>=======================================================================
> =
> >===
>
>
>=======================================================================
> =
> >===
> >
> >If any of your virus scanners
> (clamavmodule,mcafee)
> >are not listed there, you should check that
> they are installed correctly
> >and that MailScanner is finding them correctly
> via its
> >virus.scanners.conf.
> >
> >Cheers,
> >
> >Phil
> >
> >--
> >Phil Randal
> >Network Engineer
> >Herefordshire Council
> >Hereford, UK
> >
> >
> >
> >
> >
> >________________________________
> >
> > From:
> mailscanner-bounces at lists.mailscanner.info
>
> >[mailto:mailscanner-bounces at lists.mailscanner.info]
> On Behalf Of
> Michael
> >Mansour
> > Sent: 28 November 2007 14:03
> > To: MailScanner discussion
> > Subject: MailScanner --lint doesn't check
> Eicar virus
> >
> >
> > Hi,
> >
> > I used to be able to run:
> >
> > # MailScanner --lint
> > Checking version numbers...
> > Version number in MailScanner.conf (4.65.3) is
> correct.
> >
> > Your envelope_sender_header in
> spam.assassin.prefs.conf is
> >correct.
> >
> > Checking for SpamAssassin errors (if you use
> it)...
> > SpamAssassin temp dir = /tmp/SpamAssassin-Temp
> > SpamAssassin reported no errors.
> > MailScanner.conf says "Virus Scanners =
> clamavmodule"
> > Found these virus scanners installed:
> clamavmodule
> >
>
==================================================================
> >=========
> >
>
==================================================================
> >=========
> >
> > If any of your virus scanners (clamavmodule)
> > are not listed there, you should check that
> they are installed
> >correctly
> > and that MailScanner is finding them correctly
> via its
> >virus.scanners.conf.
> >
> > and see MailScanner test the Eicar virus
> between the "===" rows,
> >but most recently I see this doesn't work
> anymore.
> >
> > Is there something I can check to see why?
> >
> > When I run the wrapper:
> >
> > /usr/lib/MailScanner/clamav-wrapper /usr /tmp
> >
> > it finds clamav and works scans /tmp fine.
> >
> > Thanks.
> >
> > Michael.
> >
> >
> >
> >
> >________________________________
> >
> > Make the switch to the world's best email. Get
> the new Yahoo!7
> >Mail now
> >
> >u.yahoo.com/worldsbestmail/spankey/> .
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
>
>
http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read
> http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book
> off the website!
>
>
>
>
> ________________________________
>
> Make the switch to the world's best email. Get the
> new
> Yahoo!7 Mail now
>
<http://au.rd.yahoo.com/mail/taglines/default_all/mail/spankey/*http://a
> u.yahoo.com/worldsbestmail/spankey/> .
>
> > --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
>
http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read
> http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off
> the website!
>
Make the switch to the world's best email. Get the new Yahoo!7 Mail now. www.yahoo7.com.au/worldsbestemail
More information about the MailScanner
mailing list