f-secure-linux-security-7.03 doesn't work with MailScanner-4.77.10-1

Julian Field MailScanner at ecs.soton.ac.uk
Mon Jul 13 09:47:47 IST 2009


What does your /etc/MailScanner/virus.scanners.conf say for f-secure?
It should read like this if it's installed in the default location 
(/opt/f-secure):
f-secure  /usr/lib/MailScanner/f-secure-wrapper  /opt/f-secure/fssp

Then a 'MailScanner --lint' should show F-Secure detecting the EICAR 
test like this:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Virus Scanning: F-Secure found virus EICAR_Test_File
./1/eicar.com: Infected: EICAR_Test_File [FSE]
Virus Scanning: F-Secure found virus EICAR-Test-File
./1/eicar.com: Infected: EICAR-Test-File [AVP]
Virus Scanning: F-Secure found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

This is running with F-Secure 7.03, as you can see here:

[root@alegria MailScanner]# /opt/f-secure/fssp/bin/fsav --version
F-Secure Linux Security version 7.03 build 81803
Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.

Portions:
   Copyright (c) 1991-2006 Kaspersky Labs, Ltd.

F-Secure Security Platform Command line client version:
     F-Secure Security Platform version 2.10  build 8171

F-Secure Security Platform Daemon version:
     F-Secure Security Platform version 2.10  build 8171

Database version: 2009-07-13_02

Scanner Engine versions:
     F-Secure Corporation Hydra engine version 4.0 build 9222
     F-Secure Corporation Hydra database version 2009-07-13

     Kaspersky Labs. AVP FPI Engine engine version 4.0 build 166
     Kaspersky Labs. AVP FPI Engine database version 2009-07-12



On 13/07/2009 09:10, Felix Schäfer wrote:
> Hello,
>
> I have a problem with the most recent f-secure-linux-security-7.03 on my openSUSE 11.1 64-Bit Box with MailScanner-4.77.10-1.
>
> MailScanner doesn't recognise a virus (output from f-secure f-sav). Only my installed clam-av detects the eicar test virus.
> If necessary I can send a licensed copy of f-secure-linux-security-7.03 for debugging. Or you can download it for testing:
> http://download.f-secure.com/webclub/f-secure-linux-security-7.03.81803.tgz
>
> Since 2003 I have used MailScanner in my company and it is the best available Anti-Virus Scanner I have ever seen.
> Thank you for your hard work, Julian.
>
> Please help me. Thank you.
>
> Felix
>
> More information:
> gateway:/home/fs/install # whereis fsav
> fsav: /usr/bin/fsav /usr/share/man/man1/fsav.1 /usr/share/man/man1/fsav.1.gz
>
> f-secure-wrapper output
> gateway:/usr/lib/MailScanner # /usr/lib/MailScanner/f-secure-wrapper /usr /home/fs/install/virus/
> F-Secure Security Platform version 2.10  build 8171
> Copyright (c) 1999-2008 F-Secure Corporation. All Rights Reserved.
>
> Scan started at Mon Jul 13 09:21:01 2009
> Database version: 2009-07-13_02
>
> /home/fs/install/virus/eicar.com: Infected: EICAR_Test_File [FSE]
> /home/fs/install/virus/eicar.com: Infected: EICAR-Test-File [AVP]
> [/home/fs/install/virus/Worm.Sober.zip] Word-Text_packedList.exe: Infected: Email-Worm.Win32.Sober.u [AVP]
>
> Scan ended at Mon Jul 13 09:21:01 2009
> 2 files scanned
> 2 files infected
>
> /var/log/mail
> Jul 13 08:54:19 gateway update.virus.scanners: Found f-secure installed
> Jul 13 08:54:19 gateway update.virus.scanners: Running autoupdate for f-secure
> Jul 13 08:54:25 gateway update.virus.scanners: Found generic installed
> Jul 13 08:54:25 gateway update.virus.scanners: Running autoupdate for generic
> ...
> Jul 13 09:55:35 gateway postfix/smtpd[22156]: disconnect from web.heise.de[193.99.144.71]
> Jul 13 09:55:36 gateway MailScanner[21958]: New Batch: Found 2 messages waiting
> Jul 13 09:55:36 gateway MailScanner[21958]: New Batch: Scanning 1 messages, 2826 bytes
> Jul 13 09:55:38 gateway MailScanner[21983]: Filename Checks: Windows/DOS Executable (33E9D8A07D.AF1DF eicar.com)
> Jul 13 09:55:38 gateway MailScanner[21983]: Other Checks: Found 1 problems
> Jul 13 09:55:38 gateway MailScanner[21983]: Virus and Content Scanning: Starting
> Jul 13 09:55:38 gateway clamd[14414]: /var/spool/MailScanner/incoming/21983/33E9D8A07D.AF1DF.message: Eicar-Test-Signature FOUND
> Jul 13 09:55:38 gateway clamd[14414]: /var/spool/MailScanner/incoming/21983/33E9D8A07D.AF1DF/neicar.com: Eicar-Test-Signature FOUND
> Jul 13 09:55:38 gateway MailScanner[21983]: Clamd::INFECTED:: Eicar-Test-Signature :: ./33E9D8A07D.AF1DF/
> Jul 13 09:55:38 gateway MailScanner[21983]: Clamd::INFECTED:: Eicar-Test-Signature :: ./33E9D8A07D.AF1DF/eicar.com
> Jul 13 09:55:38 gateway MailScanner[21983]: Virus Scanning: Clamd found 2 infections
> Jul 13 09:55:38 gateway MailScanner[21983]: Infected message 33E9D8A07D.AF1DF came from 193.99.144.71
> Jul 13 09:55:38 gateway MailScanner[21983]: Virus Scanning: Found 2 viruses
> Jul 13 09:55:38 gateway MailScanner[21983]: Requeue: 33E9D8A07D.AF1DF to 861D68A0B7
> Jul 13 09:55:38 gateway postfix/qmgr[21937]: 861D68A0B7: from=<emailcheck-robot at ct.heise.de>, size=2152, nrcpt=1 (queue active)
> Jul 13 09:55:38 gateway MailScanner[21983]: Cleaned: Delivered 1 cleaned messages
> Jul 13 09:55:38 gateway postfix/smtp[22166]: certificate verification failed for exchangebs.firma.de[172.16.1.30]:25: untrusted issuer /DC=de/DC=firma/CN=firmaCA
> Jul 13 09:55:38 gateway MailScanner[21983]: Deleted 1 messages from processing-database
> Jul 13 09:55:38 gateway MailScanner[21983]: Logging message 33E9D8A07D.AF1DF to SQL
> Jul 13 09:55:38 gateway postfix/smtp[22166]: 861D68A0B7: to=<felix.schaefer at firma.biz>, relay=exchangebs.firma.de[172.16.1.30]:25, delay=5.6, delays=5.4/0/0.07/0.16, dsn=2.6.0, status=sent (250 2.6.0<E1MQGNo-0000Pb-Ub.octo11 at web.heise.de>  Queued mail for delivery)
>
> Report in Mailwatch Web Interface:
> Report: Clamd: message was infected: Eicar-Test-Signature
> Clamd: eicar.com was infected: Eicar-Test-Signature MailScanner: Executable DOS/Windows programs are dangerous in email (eicar.com)
>
> No F-Secure Output?
>
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
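
A way to script the configuration check asked for at the top of this reply, as an added example (not part of the original message and not MailScanner code): it reads the f-secure line from virus.scanners.conf and verifies that the wrapper is executable and that the configured install directory really contains the scanner binary. The three-field layout and the `bin/fsav` location are assumptions taken from the paths shown in this thread; the function name `check_scanner_entry` is hypothetical.

```shell
#!/bin/sh
# Added example (not MailScanner code). Assumptions: entries are
# "name  wrapper  install-dir" separated by whitespace, and the F-Secure
# binary sits at <install-dir>/bin/fsav, as in both paths shown in the thread.

# check_scanner_entry CONF NAME [BINARY]   (hypothetical helper)
# Returns 0 if consistent, 1 no entry, 2 malformed entry or bad wrapper,
# 3 install dir does not contain the scanner binary.
check_scanner_entry() {
    conf=$1
    name=$2
    binary=${3:-bin/fsav}

    # First line whose first field is exactly the scanner name; commented
    # lines never match because their first field starts with '#'.
    entry=$(awk -v n="$name" '$1 == n { print $2, $3; exit }' "$conf" 2>/dev/null)
    if [ -z "$entry" ]; then
        echo "FAIL: no '$name' entry in $conf"
        return 1
    fi
    wrapper=${entry%% *}
    dir=${entry#* }

    if [ -z "$dir" ] || [ ! -x "$wrapper" ]; then
        echo "FAIL: wrapper '$wrapper' not executable or install dir missing"
        return 2
    fi
    if [ ! -x "$dir/$binary" ]; then
        echo "FAIL: '$dir' is not the install root: no executable $binary there"
        return 3
    fi
    echo "OK: $name -> $wrapper $dir ($dir/$binary present)"
    return 0
}

# Stand-alone use: sh check.sh /etc/MailScanner/virus.scanners.conf f-secure
if [ "$#" -ge 2 ]; then
    check_scanner_entry "$@"
fi
```

A return code of 3 means the third field points somewhere other than the directory that holds `bin/fsav`; paths containing spaces are not handled.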

