MailScanner not detecting Trog/Agent-IBF - assistance needed.
Erik Bloodaxe
E.Bloodaxe at gold.ac.uk
Tue Oct 28 13:06:45 GMT 2008
Erik Bloodaxe wrote:
> Can anyone assist with a problem with my MailScanner/Sophos set up:
>
> E-mails with a zip file are getting through MailScanner with zip files
> containing Trog/Agent-IBF. The Sophos on the mail system will detect
> that a zip file is infected with Trog/Agent-IBF. Other viruses are being
> detected and removed by MailScanner and Sophos.
>
> Debugging only says that
>
> In Debugging mode, not forking...
> Queues are "/home/exim/spool/port.26/input"
> Ignore errors about failing to find EOCD signature
> format error: can't find EOCD signature
> at /opt/MailScanner/bin/MailScanner line 820
> format error: can't find EOCD signature
> at /opt/MailScanner/bin/MailScanner line 820
> Stopping now as you are debugging me.
>
> The messages are moved from the incoming queue to the outgoing one,
> but the virus-infected zip file is still there and there are no
> MailScanner headers added.
>
> Can anyone assist?
>
> Erik
>
>
To correct myself: MailScanner headers are being added, but these are
showing the infected message to be clean.
The syslog output is as follows:
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: MailScanner E-Mail Virus Scanner version 4.57.6 starting...
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Read 853 hostnames from the phishing whitelist
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: WARNING: You are trying to use the SpamAssassin cache but your DBI and/or DBD::SQLite Perl modules are not properly installed!
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: lock.pl sees Config LockType = posix
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: lock.pl sees have_module = 0
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Using locktype = posix
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Creating hardcoded struct_flock subroutine for linux (Linux-type)
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: New Batch: Scanning 1 messages, 93315 bytes
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: Created attachment dirs for 1 messages
Oct 28 12:58:02 Scanner-host1 MailScanner[18068]: RBL Checks: returned 256
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: SpamAssassin returned 0
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Spam Checks: Found 1 spam messages
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Spam Checks completed at 269166 bytes per second
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Virus and Content Scanning: Starting
Oct 28 12:58:03 Scanner-host1 MailScanner[18068]: Commencing scanning by sophos...
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Completed scanning by sophos
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Virus Scanning completed at 31236 bytes per second
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: About to deliver 1 messages
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Uninfected: Delivered 1 messages
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Batch completed at 27899 bytes per second (93315 / 3)
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: Batch (1 message) processed in 3.34 seconds
Oct 28 12:58:06 Scanner-host1 MailScanner[18068]: MailScanner child dying of old age
and the versions are:
Running on
Linux neptune.gold.ac.uk 2.6.18-8.1.10.el5 #1 SMP Thu Aug 30 20:43:28 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
This is Red Hat Enterprise Linux Server release 5 (Tikanga)
This is Perl version 5.008008 (5.8.8)
This is MailScanner version 4.57.6
Module versions are:
1.00 AnyDBM_File
1.23 Archive::Zip
1.04 Carp
1.119 Convert::BinHex
1.00 DirHandle
1.05 Fcntl
2.74 File::Basename
2.09 File::Copy
2.01 FileHandle
1.08 File::Path
0.19 File::Temp
0.92 Filesys::Df
1.35 HTML::Entities
3.55 HTML::Parser
2.37 HTML::TokeParser
1.22 IO
1.13 IO::File
1.13 IO::Pipe
1.77 Mail::Header
3.07 MIME::Base64
5.425 MIME::Decoder
5.425 MIME::Decoder::UU
5.425 MIME::Head
5.425 MIME::Parser
3.07 MIME::QuotedPrint
5.425 MIME::Tools
0.11 Net::CIDR
1.09 POSIX
1.78 Socket
1.4 Sys::Hostname::Long
0.13 Sys::Syslog
1.86 Time::HiRes
1.02 Time::localtime
Optional module versions are:
0.17 Convert::TNEF
1.814 DB_File
missing DBD::SQLite
1.52 DBI
1.14 Digest
1.01 Digest::HMAC
2.36 Digest::MD5
2.11 Digest::SHA1
missing Inline
missing Mail::ClamAV
3.001009 Mail::SpamAssassin
missing Mail::SPF::Query
missing Net::CIDR::Lite
1.25 Net::IP
0.59 Net::DNS
missing Net::LDAP
missing Parse::RecDescent
missing SAVI
2.56 Test::Harness
0.62 Test::Simple
1.95 Text::Balanced
1.35 URI
Any help appreciated.
Erik