eTrust 8.1 and MailScanner

Glenn Steen glenn.steen at gmail.com
Thu Dec 20 12:07:22 GMT 2007


On 20/12/2007, Jens Ahlin <mailing_lists+mailscanner at caleotech.com> wrote:
> > On 19/12/2007, Jens Ahlin <mailing_lists+mailscanner at caleotech.com> wrote:
> >> > On 19/12/2007, Jens Ahlin <mailing_lists+mailscanner at caleotech.com>
> >> wrote:
> > (snip)
> >> > Hm, normally you don't use the "disinfect" options unless explicitly
> >> > setting "Deliver Disinfected Files = yes"... Do you have that?
> >> > Unless you do, the relevant thing would be to test what output you get
> >> > from
> >> > inocmd32 -nex -arc -mod reviewer -spm h /tmp/eicar_test_file
> >> > ... might be that the defaults have changed?
> >> >
> >>
> >> Thanks for that pointer.
> >> I noticed this myself just before your post. So I tried :
> >> inocmd32 -nex -arc -mod reviewer -spm h /tmp/eicar_test_file
> >> File /tmp/eicar_test_file is infected by virus: the EICAR test string
> >>
> >> Total Files Scanned:             1
> >> Total Viruses Found:             1
> >> Total Infected Files Found:      1
> >> Scan Mode:                       Reviewer
> >>
> >> *** End Of Summary ***
> >>
> >> Still the same result :(
> >>
> > (snip)
> > .... but .... isn't that the string we're after? If you run the
> > wrapper on that file, what happens then? Try first something like
> > /usr/lib/MailScanner/etrust-wrapper /opt/eTrustAntivirus -IsItInstalled
> > ... if that fails, well, then something is up with the
> > installation/the assumptions about the installation (in the wrapper).
> > You should of course use the third column in virus.scanners.conf (for
> > the etrust line) as the first parameter:-). Then perhaps try
> > /usr/lib/MailScanner/etrust-wrapper /opt/eTrustAntivirus -nex -arc
> > -mod reviewer -spm h /tmp/eicar_test_file
> > ... and see what happens. If you had to amend virus.scanners.conf,
> > check it with a finetoothed comb for errors;-).
> >
>
> This gets even more fishy...
> Running this works:
> /usr/lib/MailScanner/etrust-wrapper /opt/etrust -nex -arc -mod reviewer
> -spm h /tmp/eicar_test_file
> File /tmp/eicar_test_file is infected by virus: the EICAR test string
>
> Total Files Scanned:             1
> Total Viruses Found:             1
> Total Infected Files Found:      1
> Scan Mode:                       Reviewer
>
> *** End Of Summary ***
>
> Yes I have edited the virus.scanners.conf file since I don't have etrust
> installed at the same location as default. The fine-toothed comb did not
> get caught...
>
> I also dug out the old bitdefender that I disabled (CPU hog) a while ago.
> bitdefender finds the eicar on command line but not when called from
> mailscanner. I have changed MailScanner.conf to only run one scanner at a
> time. For me only clamav works.
> I have added debug printouts in SweepViruses.pm just before the scanner is
> executed and when the result is processed. (exec "$sweepcommand $instdir
> $voptions $subdir";) A programmer cannot get his finger out of the cookie
> jar :) Sadly though perl isn't my strong language :(
>
> The command that is executed is "/usr/lib/MailScanner/etrust-wrapper
> /opt/etrust -nex -arc -mod reviewer -spm h ."
>
> Running this command on the command line works of course. (Started in a
> directory containing an eicar test file)
>
> /usr/lib/MailScanner/etrust-wrapper /opt/etrust -nex -arc -mod reviewer
> -spm h .
> File /root/eicar/./eicar_test_file is infected by virus: the EICAR test
> string
>
> Total Files Scanned:             1
> Total Viruses Found:             1
> Total Infected Files Found:      1
> Scan Mode:                       Reviewer
>
> *** End Of Summary ***
>
>
> For me it looks like any scanner treated as a commercial scanner fails
> while clamavmodule works...
>
> Maybe it's time to start over with a fresh install of MailScanner... The
> config files have been upgraded for many years now... I am running
> MailScanner 4.65.3 on a fully updated CentOS 3 system.
>
>
>         Jens
>
Might be "the solution"...:-).
Before doing that though... What MTA do you use? If Postfix, then
check as the user you run it as... Might be something
environment-dependent...

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
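
Added example, not part of the original message and not MailScanner code: a shell sketch of the environment check suggested above. It runs the same scanner command once with the caller's environment and once with the environment stripped to a minimal PATH, then compares how many "is infected by virus:" lines each run reports. The function names and the minimal PATH value are assumptions made for this illustration.

```shell
#!/bin/sh
# Detection line as printed by the scanner in the output quoted in the thread.
INFECTED_PATTERN='is infected by virus:'

# Read scanner output on stdin and print how many lines report an infection.
# grep -c exits 1 when the count is 0, so the status is deliberately ignored.
count_infected_lines() {
    grep -c "$INFECTED_PATTERN" || true
}

# run_in_current_env DIR CMD...: run CMD from DIR with the caller's environment.
run_in_current_env() {
    dir=$1; shift
    ( cd "$dir" && "$@" 2>&1 )
}

# run_in_clean_env DIR CMD...: run CMD from DIR with every variable removed
# except a minimal PATH (assumed value), closer to what a daemon started at
# boot sees than an interactive root shell.
run_in_clean_env() {
    dir=$1; shift
    ( cd "$dir" && env -i PATH=/usr/bin:/bin "$@" 2>&1 )
}

# compare_envs DIR CMD...: print both detection counts; return 0 when they
# match and non-zero when the result depends on the environment.
compare_envs() {
    dir=$1; shift
    here=$(run_in_current_env "$dir" "$@" | count_infected_lines)
    clean=$(run_in_clean_env "$dir" "$@" | count_infected_lines)
    echo "current-env=$here clean-env=$clean"
    [ "$here" = "$clean" ]
}

# Usage with the command from the thread, from a directory holding the test file:
#   compare_envs /root/eicar /usr/lib/MailScanner/etrust-wrapper /opt/etrust \
#       -nex -arc -mod reviewer -spm h .
```

Running it from a shell of the account MailScanner runs as also covers the user-dependent part of the check.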

