vba32 problem with MailScanner --lint

Julian Field MailScanner at ecs.soton.ac.uk
Sun Aug 24 22:30:00 IST 2008


Aha, thanks for that, it will help me diagnose the problem.
It's really something I need to take a look at.

Could you put a copy of eicar.com in /tmp and run something like this:

    cd /tmp
    /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl .

And show me the output both before and after the "vbacl --update" has 
changed the version of vba32 you have installed. I need to handle both 
the old and the new outputs.

Thanks.

Paul Hutchings wrote:
> Hmm something I noticed:
>
> When I first install Vba32 and run "MailScanner --lint" it's happy -
> vba32 said "Found virus EICAR-Test-File in eicar.com", and that is with
> Vba32 Linux 3.12.6.1.
>
> After the first update via "vbacl --update" the issue starts with
> MailScanner not picking up the output from vba32.
>
> At this point though, Vba32 has updated itself to Vba32 Linux 3.12.8.4.
>
> I guess something has changed in the Vba32 output with the later version
> that MailScanner isn't aware of?
>
> Any ideas if this is something I can change or if it's something Julian
> needs to change in the mailscanner code?
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Paul
> Hutchings
> Sent: 24 August 2008 13:08
> To: MailScanner discussion
> Subject: vba32 problem with MailScanner --lint
>
> Just trialling a few virus scanners, bitdefender, clamd, avg and vba32
> are installed.
>
> Vba32 appears to be working if I test the wrapper:
>
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe
> +---------------------------------------------------+
> |          VirusBlokAda (Console scanner)           |
> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
> |        Copyright (c) 1993-2008 by VBA Ltd.        |
> +---------------------------------------------------+
> User: VBA32 Testlizenz
> License #000000324 Valid till 31.10.2008
> Command line options:
> -af+ -ha+ -rw+
> Ctrl-C will terminate program execution
>
> /tmp/malware/29.exe
> /tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie
>
> Directories       : 0       Files in archives:      Files on disks:
> Archives:                   -  total      : 0       - total       : 1
> - scanned         : 0       -  scanned    : 0       - scanned     : 1
> - contain viruses : 0       -  infected   : 0       - infected    : 1
> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>
> Startup    : 13:05:01 24-08-2008
> End        : 13:05:01 24-08-2008
> Total time : 00:00:00
>
> Yet when I run a lint with MailScanner it doesn't appear to output a
> string that MailScanner can take as meaning an infection has been found:
>
> MailScanner --lint
> Trying to setlogsock(unix)
> Read 850 hostnames from the phishing whitelist
> Read 5259 hostnames from the phishing blacklist
> Checking version numbers...
> Version installed (4.70.7) does not match version stated in
> MailScanner.conf file (4.70.6), you may want to run
> upgrade_MailScanner_conf
> to ensure your MailScanner.conf file contains all the latest settings.
>
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to  (89)
> MailScanner setting UID to  (89)
>
> Checking for SpamAssassin errors (if you use it)...
> SpamAssassin temporary working directory is
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> SpamAssassin temp dir =
> /var/spool/MailScanner/incoming/SpamAssassin-Temp
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> SpamAssassin reported no errors.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32"
> Found these virus scanners installed: bitdefender, clamd, vba32, avg
> ===========================================================================
> Virus and Content Scanning: Starting
> Avg: Virus identified EICAR_Test in eicar.com
> Virus Scanning: Avg found 1 infections
> 1/eicar.com:infected: EICAR-Test-File (not a virus)
> Virus Scanning: Bitdefender found 1 infections
> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 1 infections
> Virus Scanning: vba32 found 1 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 1 viruses
> ===========================================================================
> Virus Scanner test reports:
> Avg said "Found virus EICAR_Test in file eicar.com"
> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file
> eicar.com"
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>
> If any of your virus scanners (bitdefender,clamd,vba32,avg)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its
> virus.scanners.conf.
>
> Any suggestions please?
>
>   

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
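
The failure in this thread is a scanner whose summary counts an infection while no per-file report line is recognised. The following is an added example, not MailScanner's own parser and not part of the original messages: it parses the Vba32 3.12.8.4 output quoted above and flags that mismatch. The function name, the regexes and the "drifted" wording are assumptions made for illustration.

```python
import re

# Constructed sample: the Vba32 3.12.8.4 wrapper output quoted in this thread, trimmed.
SAMPLE = """\
| Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
/tmp/malware/29.exe
/tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie

- contain viruses : 0       -  infected   : 0       - infected    : 1
- deleted         : 0       -  suspicious : 0       - suspicious  : 0
"""
# Hypothetical drifted output: same scan, made-up report wording (not a real Vba32 format).
DRIFTED = SAMPLE.replace(" : infected ", " -> FOUND ")

VERSION = re.compile(r"Vba32 Linux (\d+(?:\.\d+)+)")
# Per-file report line as it appears in the quoted output: "<path> : infected <name>"
REPORT = re.compile(r"^(?P<path>\S.*?) : infected (?P<name>\S+)\s*$")
# Summary cells "- infected : N" (archive column and disk column)
SUMMARY = re.compile(r"-\s+infected\s*:\s*(\d+)")


def parse_vba32(output):
    """Return version, per-file findings, summary count and a format-drift flag."""
    version, findings, counted = None, [], 0
    for line in output.splitlines():
        m = VERSION.search(line)
        if m:
            version = m.group(1)
        m = REPORT.match(line)
        if m:
            findings.append((m.group("path"), m.group("name")))
            continue
        counted += sum(int(n) for n in SUMMARY.findall(line))
    # The summary reports infections but no report line was recognised:
    # treat this as a parser/format mismatch instead of a clean result.
    drift = counted > 0 and not findings
    return {"version": version, "findings": findings,
            "summary_infected": counted, "format_drift": drift}


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("drifted", DRIFTED)):
        print(label, parse_vba32(text))
```

Recording the parsed version next to the drift flag shows which scanner update changed the output.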

