eTrust 8.1 and MailScanner
Glenn Steen
glenn.steen at gmail.com
Wed Dec 19 14:32:54 GMT 2007
On 19/12/2007, Jens Ahlin <mailing_lists+mailscanner at caleotech.com> wrote:
> Hi all,
>
> I have updated eTrust to version 8.1 (latest). Has anybody got this
> working with MailScanner?
>
> I have run with my setup for several years without problem, MailScanner,
> sendmail, eTrust, clamavmodule, spamassassin ...
>
> After the update of eTrust only clamav reports infections. I have tested
> with eicar test file on command line and then both clamscan and inocmd32
> report the file as infected. Looking in SweepViruses.pm I found that
> inocmd32 is called with the following parameters:
> -nex -arc -mod reviewer -spm h -act cure -sca mf
>
> And then searches for the string "is infected by virus:" in
> ProcessInoculateOutput.
>
> Running
> inocmd32 -nex -arc -mod reviewer -spm h -act cure -sca mf
> /tmp/eicar_test_file
>
Hm, normally you don't use the "disinfect" options unless explicitly
setting "Deliver Disinfected Files = yes"... Do you have that?
Unless you do, the relevant thing would be to test what output you get from
inocmd32 -nex -arc -mod reviewer -spm h /tmp/eicar_test_file
... might be that the defaults have changed?
> gives the following output:
> File /tmp/eicar_test_file cannot be cured of virus: the EICAR test string,
> and has been moved to
> /opt/etrust/ino/Move/b1a8c152-7b48-0001-cd13-6947522606ca.AVB
>
> Total Files Scanned: 1
> Total Viruses Found: 1
> Total Infected Files Found: 0
> Total Cured Files: 0
> Total Moved Files: 1
> Scan Mode: Reviewer
>
> *** End Of Summary ***
>
> If I change the -act parameter so that we don't try to cure the file but
> report I get the output:
> inocmd32 -nex -arc -mod reviewer -spm h -act report -sca mf
> /tmp/eicar_test_file
> File /tmp/eicar_test_file is infected by virus: the EICAR test string
>
> Total Files Scanned: 1
> Total Viruses Found: 1
> Total Infected Files Found: 1
> Scan Mode: Reviewer
>
> *** End Of Summary ***
>
> Now the output includes the magic string "is infected by virus:". I have
> tried to change the parameter in SweepViruses.pm to -act report instead of
> -act cure but MailScanner will not report that eTrust finds the virus in
> the file anyway. I can see that MailScanner calls inocmd32 (running top).
>
> Any idea of what I'm doing wrong?
>
> Also the etrust-autoupdate fails since InoDist isn't available in 8.1. I
> can live with that since I update against local update server anyways...
>
> Any possibility for eTrust 8.1 support in MailScanner out of the box,
> Jules? Can I help in any way?
>
> Sorry for the long post.
>
> Regards,
>
> Jens
>
Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
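
The two inocmd32 outputs quoted in this thread word the detection line differently, and only the `-act report` form contains the string "is infected by virus:". The following is an added example, not code from the posts or from MailScanner: a hypothetical `parse_inocmd32` that recognises both detection lines and counts viruses the summary reports but no detection line accounts for, so a changed output format is noticed instead of passing as clean. The sample outputs are taken from the thread, assuming the line breaks in the mail are wrapping.

```perl
use strict;
use warnings;

# Hypothetical helper (not MailScanner's ProcessInoculateOutput).
# Returns (\@hits, \%totals, $unattributed) for one inocmd32 run.
sub parse_inocmd32 {
    my ($output) = @_;
    my (@hits, %total);
    for my $line (split /\r?\n/, $output) {
        if ($line =~ /^File (.+?) is infected by virus: (.+?)\s*$/) {
            push @hits, { file => $1, virus => $2, action => 'report' };
        }
        elsif ($line =~ /^File (.+?) cannot be cured of virus: (.+?), and has been moved to (\S+)/) {
            push @hits, { file => $1, virus => $2, action => 'moved', moved_to => $3 };
        }
        elsif ($line =~ /^Total (.+?):\s*(\d+)\s*$/) {
            $total{$1} = $2;    # summary counters, e.g. "Viruses Found"
        }
    }
    # Fail closed: viruses counted in the summary that no detection line explained.
    my $claimed      = $total{'Viruses Found'} // 0;
    my $unattributed = $claimed > @hits ? $claimed - @hits : 0;
    return (\@hits, \%total, $unattributed);
}

# Sample outputs from the thread (wrapped lines rejoined, an assumption).
my $cure_output = <<'END';
File /tmp/eicar_test_file cannot be cured of virus: the EICAR test string, and has been moved to /opt/etrust/ino/Move/b1a8c152-7b48-0001-cd13-6947522606ca.AVB
Total Viruses Found: 1
Total Infected Files Found: 0
Total Moved Files: 1
END
my $report_output = <<'END';
File /tmp/eicar_test_file is infected by virus: the EICAR test string
Total Viruses Found: 1
Total Infected Files Found: 1
END

for my $case (['-act cure', $cure_output], ['-act report', $report_output]) {
    my ($label, $out) = @$case;
    my $legacy = () = $out =~ /is infected by virus:/g;   # the single string searched for
    my ($hits, $total, $unattributed) = parse_inocmd32($out);
    printf "%-12s legacy matches=%d parsed=%d unattributed=%d\n",
        $label, $legacy, scalar @$hits, $unattributed;
    printf "  %s: %s (%s)\n", @{$_}{qw(file virus action)} for @$hits;
}
```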