eTrust 8.1 and MailScanner

Jens Ahlin mailing_lists+mailscanner at caleotech.com
Thu Dec 20 08:20:57 GMT 2007


> On 19/12/2007, Jens Ahlin <mailing_lists+mailscanner at caleotech.com> wrote:
>> > On 19/12/2007, Jens Ahlin <mailing_lists+mailscanner at caleotech.com> wrote:
> (snip)
>> > Hm, normally you don't use the "disinfect" options unless explicitly
>> > setting "Deliver Disinfected Files = yes"... Do you have that?
>> > Unless you do, the relevant thing would be to test what output you get
>> > from
>> > inocmd32 -nex -arc -mod reviewer -spm h /tmp/eicar_test_file
>> > ... might be that the defaults have changed?
>> >
>>
>> Thanks for that pointer.
>> I noticed this myself just before your post. So I tried :
>> inocmd32 -nex -arc -mod reviewer -spm h /tmp/eicar_test_file
>> File /tmp/eicar_test_file is infected by virus: the EICAR test string
>>
>> Total Files Scanned:             1
>> Total Viruses Found:             1
>> Total Infected Files Found:      1
>> Scan Mode:                       Reviewer
>>
>> *** End Of Summary ***
>>
>> Still the same result :(
>>
> (snip)
> .... but .... isn't that the string we're after? If you run the
> wrapper on that file, what happens then? Try first something like
> /usr/lib/MailScanner/etrust-wrapper /opt/eTrustAntivirus -IsItInstalled
> ... if that fails, well, then something is up with the
> installation/the assumptions about the installation (in the wrapper).
> You should of course use the third column in virus.scanners.conf (for
> the etrust line) as the first parameter:-). Then perhaps try
> /usr/lib/MailScanner/etrust-wrapper /opt/eTrustAntivirus -nex -arc
> -mod reviewer -spm h /tmp/eicar_test_file
> ... and see what happens. If you had to amend virus.scanners.conf,
> check it with a fine-toothed comb for errors;-).
>

This gets even more fishy...
Running this works:
/usr/lib/MailScanner/etrust-wrapper /opt/etrust -nex -arc -mod reviewer
-spm h /tmp/eicar_test_file
File /tmp/eicar_test_file is infected by virus: the EICAR test string

Total Files Scanned:             1
Total Viruses Found:             1
Total Infected Files Found:      1
Scan Mode:                       Reviewer

*** End Of Summary ***

Yes, I have edited the virus.scanners.conf file since I don't have etrust
installed at the same location as default. The fine-toothed comb did not
get caught...

I also dug out the old bitdefender that I disabled (CPU hog) a while ago.
bitdefender finds the eicar on the command line but not when called from
MailScanner. I have changed MailScanner.conf to only run one scanner at a
time. For me only clamav works.
I have added debug printouts in SweepViruses.pm just before the scanner is
executed and when the result is processed. (exec "$sweepcommand $instdir
$voptions $subdir";) A programmer cannot get his finger out of the cookie
jar :) Sadly though, Perl isn't my strong language :(

The command that is executed is "/usr/lib/MailScanner/etrust-wrapper
/opt/etrust -nex -arc -mod reviewer -spm h ."

Running this command on the command line works of course. (Started in a
directory containing an eicar test file)

/usr/lib/MailScanner/etrust-wrapper /opt/etrust -nex -arc -mod reviewer
-spm h .
File /root/eicar/./eicar_test_file is infected by virus: the EICAR test
string

Total Files Scanned:             1
Total Viruses Found:             1
Total Infected Files Found:      1
Scan Mode:                       Reviewer

*** End Of Summary ***


For me it looks like any scanner treated as a commercial scanner fails
while clamavmodule works...

Maybe it's time to start over with a fresh install of MailScanner... The
config files have been upgraded for many years now... I am running
MailScanner 4.65.3 on a fully updated CentOS 3 system.


        Jens


