vba32 problem with MailScanner --lint

Nick Phillips nwp at nz.lemon-computing.com
Sun Aug 24 23:09:28 IST 2008


Try piping the output through od. Might be different control  
characters in there.


Cheers,


Nick


On 25/08/2008, at 10:04 AM, Paul Hutchings wrote:

> Sure, the output *looks* the same though.  FWIW it can be downloaded and
> run without a trial license key from the vba32 forum.
>
> Before:
>
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/eicar.com
> +---------------------------------------------------+
> |          VirusBlokAda (Console scanner)           |
> | Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) |
> |        Copyright (c) 1993-2008 by VBA Ltd.        |
> +---------------------------------------------------+
> Key file not found
> Demo mode
> Command line options:
> -af+ -ha+ -rw+
> Ctrl-C will terminate program execution
>
> /tmp/eicar.com
> /tmp/eicar.com : infected EICAR-Test-File
>
> Directories       : 0       Files in archives:      Files on disks:
> Archives:                   -  total      : 0       - total       : 1
> - scanned         : 0       -  scanned    : 0       - scanned     : 1
> - contain viruses : 0       -  infected   : 0       - infected    : 1
> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>
> Startup    : 22:59:41 24-08-2008
> End        : 22:59:41 24-08-2008
> Total time : 00:00:00
>
> And after:
>
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/eicar.com
> +---------------------------------------------------+
> |          VirusBlokAda (Console scanner)           |
> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
> |        Copyright (c) 1993-2008 by VBA Ltd.        |
> +---------------------------------------------------+
> Key file not found
> Demo mode
> Command line options:
> -af+ -ha+ -rw+
> Ctrl-C will terminate program execution
>
> /tmp/eicar.com
> /tmp/eicar.com : infected EICAR-Test-File
>
> Directories       : 0       Files in archives:      Files on disks:
> Archives:                   -  total      : 0       - total       : 1
> - scanned         : 0       -  scanned    : 0       - scanned     : 1
> - contain viruses : 0       -  infected   : 0       - infected    : 1
> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>
> Startup    : 23:01:35 24-08-2008
> End        : 23:01:36 24-08-2008
> Total time : 00:00:01
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> Sent: 24 August 2008 22:30
> To: MailScanner discussion
> Subject: Re: vba32 problem with MailScanner --lint
>
> Aha, thanks for that, it will help me diagnose the problem.
> It's really something I need to take a look at.
>
> Could you put a copy of eicar.com in /tmp and run something like this
> cd /tmp
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl .
>
> And show me the output both before and after the "vbacl --update" has
> changed the version of vba32 you have installed. I need to handle both
> the old and the new outputs.
>
> Thanks.
>
> Paul Hutchings wrote:
>> Hmm something I noticed:
>>
>> When I first install Vba32 and run "MailScanner --lint" it's happy -
>> "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is with
>> Vba32 Linux 3.12.6.1.
>>
>> After the first update via "vbacl --update" the issue starts with
>> MailScanner not picking up the output from vba32.
>>
>> At this point though, Vba32 has updated itself to Vba32 Linux 3.12.8.4.
>>
>> I guess something has changed in the Vba32 output with the later version
>> that MailScanner isn't aware of?
>>
>> Any ideas if this is something I can change or if it's something Julian
>> needs to change in the mailscanner code?
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Paul
>> Hutchings
>> Sent: 24 August 2008 13:08
>> To: MailScanner discussion
>> Subject: vba32 problem with MailScanner --lint
>>
>> Just trialling a few virus scanners, bitdefender, clamd, avg and vba32
>> are installed.
>>
>> Vba32 appears to be working if I test the wrapper:
>>
>> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe
>> +---------------------------------------------------+
>> |          VirusBlokAda (Console scanner)           |
>> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
>> |        Copyright (c) 1993-2008 by VBA Ltd.        |
>> +---------------------------------------------------+
>> User: VBA32 Testlizenz
>> License #000000324 Valid till 31.10.2008
>> Command line options:
>> -af+ -ha+ -rw+
>> Ctrl-C will terminate program execution
>>
>> /tmp/malware/29.exe
>> /tmp/malware/29.exe : infected Trojan-GameThief.Win32.OnLineGames.shie
>>
>> Directories       : 0       Files in archives:      Files on disks:
>> Archives:                   -  total      : 0       - total       : 1
>> - scanned         : 0       -  scanned    : 0       - scanned     : 1
>> - contain viruses : 0       -  infected   : 0       - infected    : 1
>> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>>
>> Startup    : 13:05:01 24-08-2008
>> End        : 13:05:01 24-08-2008
>> Total time : 00:00:00
>>
>> Yes when I run a lint with MailScanner it doesn't appear to output a
>> string that MailScanner can take as meaning an infection has been found:
>>
>> MailScanner --lint
>> Trying to setlogsock(unix)
>> Read 850 hostnames from the phishing whitelist
>> Read 5259 hostnames from the phishing blacklist
>> Checking version numbers...
>> Version installed (4.70.7) does not match version stated in
>> MailScanner.conf file (4.70.6), you may want to run
>> upgrade_MailScanner_conf
>> to ensure your MailScanner.conf file contains all the latest settings.
>>
>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>> MailScanner setting GID to  (89)
>> MailScanner setting UID to  (89)
>>
>> Checking for SpamAssassin errors (if you use it)...
>> SpamAssassin temporary working directory is
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> SpamAssassin temp dir =
>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>> Using SpamAssassin results cache
>> Connected to SpamAssassin cache database
>> SpamAssassin reported no errors.
>> Using locktype = posix
>> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32"
>> Found these virus scanners installed: bitdefender, clamd, vba32, avg
>>
>> ===========================================================================
>> Virus and Content Scanning: Starting
>> Avg: Virus identified EICAR_Test in eicar.com
>> Virus Scanning: Avg found 1 infections
>> 1/eicar.com:infected: EICAR-Test-File (not a virus)
>> Virus Scanning: Bitdefender found 1 infections
>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>> Virus Scanning: Clamd found 1 infections
>> Virus Scanning: vba32 found 1 infections
>> Infected message 1 came from 10.1.1.1
>> Virus Scanning: Found 1 viruses
>>
>> ===========================================================================
>> Virus Scanner test reports:
>> Avg said "Found virus EICAR_Test in file eicar.com"
>> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file
>> eicar.com"
>> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>>
>> If any of your virus scanners (bitdefender,clamd,vba32,avg)
>> are not listed there, you should check that they are installed correctly
>> and that MailScanner is finding them correctly via its
>> virus.scanners.conf.
>>
>> Any suggestions please?
>>
>>
>
> Jules
>
> -- 
> Julian Field MEng CITP CEng
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
>
> MailScanner customisation, or any advanced system administration help?
> Contact me at Jules at Jules.FM
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> PGP public key: http://www.jules.fm/julesfm.asc
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
>
> -- 
> MIRA Ltd
>
> Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
>
> Registered in England and Wales No. 402570
> VAT Registration  GB 114 5409 96
>
> The contents of this e-mail are confidential and are solely for the use of
> the intended recipient.
> If you receive this e-mail in error, please delete it and notify us either
> by e-mail, telephone or fax.
> You should not copy, forward or otherwise disclose the content of the
> e-mail as this is prohibited.
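
The od check suggested at the top of this message, as an added example that is not part of the original thread or of MailScanner's code: it finds lines in two captures of scanner output that render the same but differ in invisible bytes, then dumps those lines with od -c. The helper names, file names and sample captures are constructed for illustration and are not real vba32 output.

```shell
#!/bin/sh
# Added example. The sample captures are constructed; they are not real
# vba32 output from either version.

# Keep only what a terminal visibly shows: drop C0 control bytes and DEL
# (except tab/newline), then flatten tabs and runs of spaces.
normalise() {
    tr -d '\000-\010\013-\037\177' | tr '\t' ' ' | tr -s ' '
}

# Print the numbers of lines that differ byte-for-byte between files $1 and
# $2 yet are equal once normalised, i.e. the difference is invisible.
hidden_diff_lines() {
    n=0
    while IFS= read -r a <&3 && IFS= read -r b <&4; do
        n=$((n + 1))
        [ "$a" = "$b" ] && continue
        na=$(printf '%s\n' "$a" | normalise)
        nb=$(printf '%s\n' "$b" | normalise)
        if [ "$na" = "$nb" ]; then echo "$n"; fi
    done 3<"$1" 4<"$2"
}

# Constructed input: in after.txt line 2 ends in CR and line 3 uses a tab
# where before.txt has spaces; line 4 differs visibly (elapsed time).
write_samples() {
    printf '/tmp/eicar.com\n/tmp/eicar.com : infected EICAR-Test-File\n- infected    : 1\nTotal time : 00:00:00\n' > "$1/before.txt"
    printf '/tmp/eicar.com\n/tmp/eicar.com : infected EICAR-Test-File\r\n- infected\t: 1\nTotal time : 00:00:01\n' > "$1/after.txt"
}

dir=$(mktemp -d)
write_samples "$dir"
for n in $(hidden_diff_lines "$dir/before.txt" "$dir/after.txt"); do
    echo "line $n looks the same but differs in bytes:"
    sed -n "${n}p" "$dir/before.txt" | od -c
    sed -n "${n}p" "$dir/after.txt" | od -c
done
rm -rf "$dir"
```

With real captures, redirect the wrapper's output from each scanner version to a file and pass the two files to hidden_diff_lines; lines that differ visibly, such as the version banner and timestamps, are not reported.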


