virus scan not available -> no virus check!

Jules Field MailScanner at ecs.soton.ac.uk
Sat Nov 28 13:56:21 GMT 2009


Frank,

I quite understand your point, and will see what I can do to address it. 
It's only really a problem with clamd and the other "daemon-based" virus 
scanners. I can't promise anything, but I will take a look.

What exactly would you like MailScanner to do in such a situation?

And, believe it or not, I can't remember anyone ever bringing this up 
before as a major point. Basically you currently have to be sure your 
daemons are running properly for it to work correctly.

If the daemon cannot be contacted, what would you prefer?
a) mail stops flowing
b) mail is all quarantined
c) something else

(a) is possibly preferred, I don't think (b) is a good idea. It needs to 
be some fairly simple action, I don't want to have to write reams of 
code for this unlikely event.

Jules.

On 27/11/2009 17:44, Frank Cusack wrote:
> On November 23, 2009 10:23:41 PM -0500 Rick Cooper 
> <rcooper at dwford.com> wrote:
>> ----Original Message----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Frank Cusack
>> Sent: Monday, November 23, 2009 8:56 PM
>> To: mailscanner at lists.mailscanner.info
>> Subject: virus scan not available -> no virus check!
>>
>>> I can't believe this is the default behavior.  Also, I can't find a
>>> way to change it.
>>>
>>>> Nov 23 18:09:05 localhost MailScanner[26984]: Virus and Content Scanning: Starting
>>>> Nov 23 18:09:05 localhost MailScanner[26997]: Cannot find Socket (/tmp/clamd.socket) Exiting!
>>>
>>> and then mailscanner goes on to bless the email as "clean".  Note that
>>> I do not have virus scanning set to "auto", I have it explicitly set
>>> to "clamd".
>>>
>>> My preferred behavior would be to send an email to postmaster (or
>>> whoever) at some regular interval if the virus scanner is not available.
>>> Any way to get some semblance of that configured?
>>>
>>> -frank
>>
>> As with any daemon, including MailScanner itself, you should have some
>> kind of monitoring installed that restarts and notifies you; that is not
>> MailScanner's job.
>
> Of course.  I run Solaris 10 and using the built-in svcadm facility
> this all works automatically.
>
>> Should it send an email for each issue with all
>> externals and internals to the postmaster?
>
> No.  As I suggested, it "should" send an email to postmaster at some
> regular interval.  Like swatch but built-in.
>
>> It did the best thing I could
>> think of, it issues an error to the log and moves on.
>
> That is my point.  The best thing it could think of is not very good.
> It is simply not checking viruses when this happens.
>
>> I guess it could shut MailScanner down I suppose.
>
> I don't know about shut down -- but at least mails should not be
> marked clean.  At the *very least*, the signature it puts on the bottom
> should say "this message was not checked for viruses" rather than
> saying it is clean.  That doesn't help me since I do not put a signature
> on clean messages, so I'm just noting it for completeness.
>
>> It would appear to be a configuration
>> error since clam doesn't remove its socket if it crashes and MailScanner
>> --lint would have caught it. Monit, Webmin, PingClamd.pl in a cron job,
>> some kind of monitoring should be in place for both ClamD and MailScanner
>> itself, and whatever MTA you are using...
>
> Yup, as I said I do have the built-in OS facilities doing the monitoring.
> And through dependencies, it is capable of disabling MailScanner if clamd
> is not running.  But that doesn't put MailScanner in the clear.
>
> My point is that in a software of this type, i.e. security software, there
> can't be vague external requirements like "your monitoring system must
> stop the flow of mail".  MailScanner itself is in a position to know if
> the configured virus check actually occurred and should not be passing
> unchecked mail on, and at the very least should not be claiming that it
> was checked.
>
> Judging from the responses, it seems this is simply how MailScanner works
> today.  I am surprised that more folks here haven't jumped in to agree
> with me that this failure mode is not a good one.
>
> I strongly suggest that this be changed for future versions.
>
> -frank

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
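
The failure mode discussed in this thread, as an added example that is not part of the original messages and is not MailScanner's code: a liveness check that actually talks to clamd (so a stale socket file left by a crashed daemon does not count as "available") and a verdict that never reports "clean" unless a scan ran. It assumes clamd's PING/PONG command on a Unix socket; `clamd_ping`, `classify`, the `scan` callable and the verdict constants are hypothetical names.

```python
import socket

# Three outcomes, so "could not scan" is never folded into "clean".
CLEAN, INFECTED, NOT_SCANNED = "clean", "infected", "not-scanned"

def clamd_ping(socket_path, timeout=5.0):
    """True only if a live clamd answers PING with PONG on the Unix socket."""
    reply = b""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(socket_path)
            s.sendall(b"zPING\0")  # null-terminated form of clamd's PING
            while len(reply) < 64 and not reply.endswith((b"\0", b"\n")):
                chunk = s.recv(16)
                if not chunk:
                    break
                reply += chunk
    except OSError:
        # Missing socket, stale socket file left by a crashed daemon
        # (connection refused), or timeout: no scan can happen.
        return False
    return reply.rstrip(b"\0\n") == b"PONG"

def classify(message, socket_path, scan):
    """Fail closed: return CLEAN only when a scan actually ran.

    `scan` is a hypothetical callable returning True for infected content.
    """
    if not clamd_ping(socket_path):
        return NOT_SCANNED  # caller holds or defers the mail
    try:
        return INFECTED if scan(message) else CLEAN
    except OSError:
        return NOT_SCANNED  # daemon went away between ping and scan

if __name__ == "__main__":
    # Constructed message and stand-in scanner; socket path from the log above.
    print(classify(b"constructed sample", "/tmp/clamd.socket", lambda m: False))
```

A caller would map `NOT_SCANNED` to leaving the message in the queue (option a in the reply above) and to a rate-limited postmaster alert.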


