MailScanner --lint doesn't check Eicar virus - OK here!
Julian Field
MailScanner at ecs.soton.ac.uk
Fri Dec 7 09:41:04 GMT 2007
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I don't really want to upgrade the copy of MIME-tools I use to the
latest, as it now requires Perl 5.8. This will royally screw many of the
Solaris users out there who only have Perl 5.6 available.
If anyone has any thoughts on this, I'm all ears...
Jules.
Michael Mansour wrote:
> Hi Phil,
>
> --- "Randal, Phil" <prandal at herefordshire.gov.uk>
> wrote:
>
>
>> I've finally tracked this down:
>>
>> yumming from the rpmforge repo had updated
>> perl-MIME-Tools to version
>> 5.424.
>>
>> Downgrading to 5.420 made things work:
>>
>
> I'm so glad you worked this one out. I also did the
> downgrade and discovered that the "block of wmv files"
> subject I'd sent through the list also was resolved
> ie. blocking attachments was now working again.
>
> What you, and anyone else using the perl-MIME-tools
> update would have found is, that you weren't actually
> blocking any attachments anymore, as for me this is
> what had happened.
>
> You see, the reason the Eicar virus test was failing
> was because the MIME checking was broken with the
> perl-MIME-tools update.
>
> I asked this question previously in the "block of wmv
> files" subject in the mailing list, asking/commenting
> that I couldn't be the only one experiencing this
> problem but others either didn't test it or were
> oblivious to the fact that attachment checking was no
> longer working for them.
>
> With this trouble-shooting and resolution (and letting
> us know about it here), you've hit at least 2 birds
> with the one stone.
>
> Good work mate and thanks again.
>
> Michael.
>
>
>> # MailScanner --lint
>> Trying to setlogsock(unix)
>> Checking version numbers...
>> Version number in MailScanner.conf (4.66.2) is
>> correct.
>>
>> Your envelope_sender_header in
>> spam.assassin.prefs.conf is correct.
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin reported no errors.
>> MailScanner.conf says "Virus Scanners = clamavmodule
>> mcafee"
>> Found these virus scanners installed: clamavmodule,
>> mcafee
>>
>>
> ========================================================================
>
>> ===
>>
>>
> ========================================================================
>
>> ===
>>
>> If any of your virus scanners (clamavmodule,mcafee)
>> are not listed there, you should check that they are
>> installed correctly
>> and that MailScanner is finding them correctly via
>> its
>> virus.scanners.conf.
>> [root at mx1 src]# rpm -Uvh
>> perl-MIME-tools-5.420-2.el5.rf.noarch.rpm
>> --force
>> Preparing...
>> ###########################################
>> [100%]
>> 1:perl-MIME-tools
>> ###########################################
>> [100%]
>> [root at mx1 src]# MailScanner --lint
>> Trying to setlogsock(unix)
>> Checking version numbers...
>> Version number in MailScanner.conf (4.66.2) is
>> correct.
>>
>> Your envelope_sender_header in
>> spam.assassin.prefs.conf is correct.
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin reported no errors.
>> MailScanner.conf says "Virus Scanners = clamavmodule
>> mcafee"
>> Found these virus scanners installed: clamavmodule,
>> mcafee
>>
>>
> ========================================================================
>
>> ===
>>
>>
> ========================================================================
>
>> ===
>> Virus Scanner test reports:
>> ClamAVModule said "eicar.com was infected:
>> Eicar-Test-Signature"
>> McAfee said "/1/eicar.com Found: EICAR test
>> file NOT a virus."
>>
>> If any of your virus scanners (clamavmodule,mcafee)
>> are not listed there, you should check that they are
>> installed correctly
>> and that MailScanner is finding them correctly via
>> its
>> virus.scanners.conf.
>>
>> This might have had other side-effects other than
>> the antivirus lint.
>>
>> Cheers,
>>
>> Phil
>> --
>> Phil Randal
>> Network Engineer
>> Herefordshire Council
>> Hereford, UK
>>
>>
>>
>> ________________________________
>>
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info]
>> On Behalf Of Randal,
>> Phil
>> Sent: 29 November 2007 13:58
>> To: MailScanner discussion
>> Subject: RE: MailScanner --lint doesn't check Eicar
>> virus - OK
>> here!
>>
>>
>> Michael,
>>
>> Which version of RedHat are you running?
>>
>> I see the problem on CentOS 5.0.
>>
>> It may a side effect of force-installing the perl
>> update.
>>
>> It would be nice to know what's actually happening
>> and what the
>> fix is, though. I'm not a perl guru so it's beyond
>> me.
>>
>> Cheers,
>>
>> Phil
>> --
>> Phil Randal
>> Network Engineer
>> Herefordshire Council
>> Hereford, UK
>>
>>
>>
>> ________________________________
>>
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info]
>> On Behalf Of Michael
>> Mansour
>> Sent: 29 November 2007 06:13
>> To: MailScanner discussion
>> Subject: RE: MailScanner --lint doesn't check
>> Eicar
>> virus - OK here!
>>
>>
>> Hi Quentin,
>>
>> Quentin Campbell <Q.G.Campbell at newcastle.ac.uk>
>> wrote:
>>
>> Phil
>>
>> It appears to work here. I get a different
>> result to you:
>>
>>
>> This is very strange then.
>>
>> This begs the question, in what cases does this
>> --lint
>> fail with the Eicar virus check?
>>
>> I'm pretty sure I saw the test pass with Eicar in
>> there
>> when I upgraded to MailScanner 4.65.3 (not certain
>> but pretty sure), but
>> only recently noticed that Eicar was no longer
>> there. This may have
>> happened after some perl errata upgrades on Linux
>> recently released by
>> Red Hat.
>>
>> I'm just interested to know now that if this is
>> the
>> case, then was would cause that symptom and is it
>> causing other problems
>> I can't see?
>>
>> Michael.
>>
>>
>> [root at cheviot4 MailScanner]# MailScanner --lint
>> Checking version numbers...
>> Version number in MailScanner.conf (4.65.3) is
>> correct.
>>
>> Your envelope_sender_header in
>> spam.assassin.prefs.conf is correct.
>>
>> Checking for SpamAssassin errors (if you use
>> it)...
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin reported no errors.
>> MailScanner.conf says "Virus Scanners =
>> clamavmodule mcafee"
>> Found these virus scanners installed:
>> clamavmodule, mcafee
>>
>>
>>
> ========================================================================
>
>> ===
>>
>>
>>
> ========================================================================
>
>> ===
>> Virus Scanner test reports:
>> ClamAVModule said "eicar.com was infected:
>> Eicar-Test-Signature"
>> McAfee said "/1/eicar.com Found: EICAR test file
>> NOT a virus."
>>
>> If any of your virus scanners
>> (clamavmodule,mcafee)
>> are not listed there, you should check that they
>> are installed correctly
>> and that MailScanner is finding them correctly
>> via its virus.scanners.conf.
>> [root at cheviot4 MailScanner]#
>>
>> Quentin
>> ---
>> PHONE: +44 191 222 8209 Information Systems
>> and Services (ISS),
>> Newcastle University,
>> Newcastle upon Tyne,
>> FAX: +44 191 222 8765 United Kingdom, NE1
>> 7RU.
>>
>>
>>
> ------------------------------------------------------------------------
>
>>
>>
>>
>>
>>
>> >-----Original Message-----
>> >From:
>> mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-
>> >bounces at lists.mailscanner.info] On Behalf Of
>> Randal, Phil
>> >Sent: 28 November 2007 14:10
>> >To: MailScanner discussion
>> >Subject: RE: MailScanner --lint doesn't check
>> Eicar virus
>> >
>> >Well spotted!
>> >
>> >Confirming that it is broken in 4.65.3
>> >
>> ># MailScanner --lint
>> >Checking version numbers...
>> >Version number in MailScanner.conf (4.65.3) is
>> correct.
>> >
>> >Your envelope_sender_header in
>> spam.assassin.prefs.conf is correct.
>> >
>> >Checking for SpamAssassin errors (if you use
>> it)...
>> >SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-
>> >Temp
>> >SpamAssassin reported no errors.
>> >MailScanner.conf says "Virus Scanners =
>> clamavmodule mcafee"
>> >Found these virus scanners installed:
>> clamavmodule, mcafee
>>
>>
>> =======================================================================
>> =
>> >===
>>
>>
>> =======================================================================
>> =
>> >===
>> >
>> >If any of your virus scanners
>> (clamavmodule,mcafee)
>> >are not listed there, you should check that
>> they are installed correctly
>> >and that MailScanner is finding them correctly
>> via its
>> >virus.scanners.conf.
>> >
>> >Cheers,
>> >
>> >Phil
>> >
>> >--
>> >Phil Randal
>> >Network Engineer
>> >Herefordshire Council
>> >Hereford, UK
>> >
>> >
>> >
>> >
>> >
>> >________________________________
>> >
>> > From:
>> mailscanner-bounces at lists.mailscanner.info
>>
>>
>>> [mailto:mailscanner-bounces at lists.mailscanner.info]
>>>
>> On Behalf Of
>> Michael
>> >Mansour
>> > Sent: 28 November 2007 14:03
>> > To: MailScanner discussion
>> > Subject: MailScanner --lint doesn't check
>> Eicar virus
>> >
>> >
>> > Hi,
>> >
>> > I used to be able to run:
>> >
>> > # MailScanner --lint
>> > Checking version numbers...
>> > Version number in MailScanner.conf (4.65.3) is
>> correct.
>> >
>> > Your envelope_sender_header in
>> spam.assassin.prefs.conf is
>> >correct.
>> >
>> > Checking for SpamAssassin errors (if you use
>> it)...
>> > SpamAssassin temp dir = /tmp/SpamAssassin-Temp
>> > SpamAssassin reported no errors.
>> > MailScanner.conf says "Virus Scanners =
>> clamavmodule"
>> > Found these virus scanners installed:
>> clamavmodule
>> >
>>
>>
> ==================================================================
>
>> >=========
>> >
>>
>>
> ==================================================================
>
>> >=========
>> >
>> > If any of your virus scanners (clamavmodule)
>> > are not listed there, you should check that
>> they are installed
>> >correctly
>> > and that MailScanner is finding them correctly
>> via its
>> >virus.scanners.conf.
>> >
>> > and see MailScanner test the Eicar virus
>> between the "===" rows,
>> >but most recently I see this doesn't work
>> anymore.
>> >
>> > Is there something I can check to see why?
>> >
>> > When I run the wrapper:
>> >
>> > /usr/lib/MailScanner/clamav-wrapper /usr /tmp
>> >
>> > it finds clamav and works scans /tmp fine.
>> >
>> > Thanks.
>> >
>> > Michael.
>> >
>> >
>> >
>> >
>> >________________________________
>> >
>> > Make the switch to the world's best email. Get
>> the new Yahoo!7
>> >Mail now
>> >
>> >u.yahoo.com/worldsbestmail/spankey/> .
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>>
>>
>>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>>
>> Before posting, read
>> http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book
>> off the website!
>>
>>
>>
>>
>> ________________________________
>>
>> Make the switch to the world's best email. Get the
>> new
>> Yahoo!7 Mail now
>>
>>
> <http://au.rd.yahoo.com/mail/taglines/default_all/mail/spankey/*http://a
>
>> u.yahoo.com/worldsbestmail/spankey/> .
>>
>>
>>> --
>>>
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>>
>>
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>> Before posting, read
>> http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off
>> the website!
>>
>>
>
>
>
> Make the switch to the world's best email. Get the new Yahoo!7 Mail now. www.yahoo7.com.au/worldsbestemail
>
>
>
Jules
- --
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.7.0 (Build 867)
Comment: (pgp-secured)
Charset: ISO-8859-1
wj8DBQFHWRUxEfZZRxQVtlQRAr5IAKC+PXYGRpL7RX8ZVAtx7L1IDhCeFQCfe75d
OOgyOEq4Ozjk+dW1aY5FQNY=
=ulw6
-----END PGP SIGNATURE-----
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner
mailing list