Symantec Scan Engine

Alexander Nance anance at SYSSRC.com
Wed Feb 27 18:27:48 GMT 2008


Doing a little more debugging, I added a couple of print-to-file
debugging lines to SweepViruses.pm and found that it never gets to the
sub ProcessSymScanEngineOutput.


Second item of note is that the chomp section is doing a split on '.'
instead of './'; this will throw off the variables going forward, since
anything with an attachment would also contain a '.'.



-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of
Alexander Nance
Sent: Tuesday, February 26, 2008 6:08 PM
To: MailScanner discussion
Subject: RE: Symantec Scan Engine

BTW, in an effort to debug a little more, I added a >>/tmp/log.txt to the
symscanengine-wrapper; below is a sample of the output:


./1JU8mP-0005Pi-B1/eicar.txt  1
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
        File Name:      eicar.txt
        Virus Name:     EICAR Test String
        Virus ID:       11101
        Disposition:    Infected
./1JU8mP-0005Pi-B1.header  1
./1JU8mP-0005Pi-B1.header had 1 infection(s):
        File Name:      1JU8mP-0005Pi-B1.header
        Virus Name:     Malformed container violation
        Virus ID:       -8
        Disposition:    Infected

    Virus scan process began : Tue Feb 26 18:00:12 2008
Virus scan process completed : Tue Feb 26 18:00:12 2008

        Defs Version = 20080226.002
 Commandline Scanner = 4.2.2.8

         Total Bytes = 577 (Bytes 577.0000)
             Elapsed = 0.0810
           Scan Rate =  6.96 (Kbytes/sec)

      Files Excluded = 0
       Files Scanned = 2
 Directories Scanned = 2
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 0
      Files Infected = 2

No error was found during the scan


Infected file(s) list:
./1JU8mP-0005Pi-B1/eicar.txt  infected
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
        File Name:      eicar.txt
        Virus Name:     EICAR Test String
        Virus ID:       11101
        Disposition:    Infected
./1JU8mP-0005Pi-B1.header  infected
./1JU8mP-0005Pi-B1.header had 1 infection(s):

        File Name:      1JU8mP-0005Pi-B1.header
        Virus Name:     Malformed container violation
        Virus ID:       -8
        Disposition:    Infected
./1JU8nT-0005Qx-Dm/log.txt  0
./1JU8nT-0005Qx-Dm.header  1
./1JU8nT-0005Qx-Dm.header had 1 infection(s):
        File Name:      1JU8nT-0005Qx-Dm.header
        Virus Name:     Malformed container violation
        Virus ID:       -8
        Disposition:    Infected

    Virus scan process began : Tue Feb 26 18:01:20 2008
Virus scan process completed : Tue Feb 26 18:01:20 2008

        Defs Version = 20080226.002
 Commandline Scanner = 4.2.2.8

         Total Bytes = 1802 (Kbytes 1.7598)
             Elapsed = 0.0810
           Scan Rate =  21.73 (Kbytes/sec)

      Files Excluded = 0
       Files Scanned = 2
 Directories Scanned = 2
Directories Excluded = 0
       Files Skipped = 0
    Files Scan Error = 0
      Files Infected = 1

No error was found during the scan


Infected file(s) list:
./1JU8nT-0005Qx-Dm.header  infected
./1JU8nT-0005Qx-Dm.header had 1 infection(s):
        File Name:      1JU8nT-0005Qx-Dm.header
        Virus Name:     Malformed container violation
        Virus ID:       -8
        Disposition:    Infected

Mail log shows the following:

Feb 26 18:00:12 scanner4 MailScanner[20815]: Virus and Content Scanning: Starting
Feb 26 18:00:12 scanner4 MailScanner[20815]: Uninfected: Delivered 1 messages
Feb 26 18:00:12 scanner4 MailScanner[20815]: Logging message 1JU8mP-0005Pi-B1 to SQL
Feb 26 18:00:15 scanner4 MailScanner[19515]: 1JU8mP-0005Pi-B1: Logged to MailWatch SQL
Feb 26 18:01:18 scanner4 MailScanner[19874]: New Batch: Scanning 1 messages, 2458 bytes
Feb 26 18:01:20 scanner4 MailScanner[19874]: Virus and Content Scanning: Starting
Feb 26 18:01:20 scanner4 MailScanner[19874]: Uninfected: Delivered 1 messages
Feb 26 18:01:20 scanner4 MailScanner[19874]: Logging message 1JU8nT-0005Qx-Dm to SQL
Feb 26 18:01:20 scanner4 MailScanner[19515]: 1JU8nT-0005Qx-Dm: Logged to MailWatch SQL





-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
Field
Sent: Tuesday, February 26, 2008 4:31 PM
To: MailScanner discussion
Subject: Re: Symantec Scan Engine

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To save me lots of time, can you give me the direct URL to it please (or
else the click route if there's no static URL).

Alexander Nance wrote:
> I was not the one that did the initial request, it is however available
> for a 30 day trial directly from Symantec.
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: Tuesday, February 26, 2008 1:39 PM
> To: MailScanner discussion
> Subject: Re: Symantec Scan Engine
>
>
> * PGP Bad Signature, Signed by an unverified key: 02/26/08 at 18:38:39
>
> Did you ever send me a copy of the software to develop from?
>
> Alexander Nance wrote:
>> It replies that the scanengine is discovered properly.  It is not having
>> a problem sending the file through to be processed, it is just ignoring
>> the result response.
>>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Ugo
>> Bellavance
>> Sent: Tuesday, February 26, 2008 11:46 AM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: Symantec Scan Engine
>>
>> Alexander Nance wrote:
>>> I found this post in the archives but never saw a resolution:
>>>
>>> Scan Engine reports that it sees the tests as viruses but MailScanner
>>> simply passes the message through.
>>>
>> What does MailScanner --lint say?
>>
>> Ugo
>
> Jules
>

Jules

- -- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.8.0 (Build 2158)
Comment: Use Thunderbird Enigmail to verify this message
Charset: ISO-8859-1

wj8DBQFHxIUvEfZZRxQVtlQRAs+KAKD8yOoRKiAOGXVhtwQ2r/dz8iue8ACgl11u
cZVd5wEmWbzAZQ7koRjMc0E=
=S5S7
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website! 
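
The delimiter concern raised in the first message of this thread, as an added example (not MailScanner's SweepViruses.pm code and not written by any poster): a report parser that strips only the leading "./" and treats every later dot as data, next to the two splits on one path. `parse_report` is a hypothetical helper; the sample lines are copied from the wrapper output quoted above, trimmed.

```perl
use strict;
use warnings;
# Sample lines copied (trimmed) from the wrapper output quoted in this thread.
my $report = <<'END';
./1JU8mP-0005Pi-B1/eicar.txt  1
./1JU8mP-0005Pi-B1/eicar.txt had 1 infection(s):
        File Name:      eicar.txt
        Virus Name:     EICAR Test String
        Virus ID:       11101
./1JU8nT-0005Qx-Dm/log.txt  0
./1JU8nT-0005Qx-Dm.header  1
./1JU8nT-0005Qx-Dm.header had 1 infection(s):
        File Name:      1JU8nT-0005Qx-Dm.header
        Virus Name:     Malformed container violation
        Virus ID:       -8
END

# Hypothetical parser: returns { message id => { part => virus name } }.
sub parse_report {
    my ($text) = @_;
    my (%infected, $id, $part);
    for my $line (split /\n/, $text) {
        if ($line =~ m{^\./(.+) had \d+ infection\(s\):\s*$}) {
            # Strip only the leading "./"; dots inside names are data.
            my $path = $1;
            if    ($path =~ m{^([^/]+)/(.+)$}) { ($id, $part) = ($1, $2) }
            elsif ($path =~ m{^(.+)\.header$}) { ($id, $part) = ($1, 'header') }
            else                               { ($id, $part) = ($path, '') }
        }
        elsif (defined $id && $line =~ /^\s+Virus Name:\s+(.+?)\s*$/) {
            $infected{$id}{$part} = $1;
            undef $id;    # one virus name per "had N infection(s)" block
        }
    }
    return \%infected;
}

# Contrast: the same path split on a literal "." and on the "./" prefix.
my $path      = './1JU8mP-0005Pi-B1/eicar.txt';
my @on_dot    = split /\./, $path;
my @on_prefix = split m{\./}, $path;
printf "split on '.' : %s\n", join ' | ', @on_dot;
printf "split on './': %s\n", join ' | ', @on_prefix;

my $result = parse_report($report);
for my $msg (sort keys %$result) {
    print "$msg $_ => $result->{$msg}{$_}\n" for sort keys %{ $result->{$msg} };
}
```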