MailScanner 4.78.17 doesn't detect viruses, have checked tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)

Jules Field MailScanner at ecs.soton.ac.uk
Tue Jan 12 19:00:15 GMT 2010


Any chance you could give me remote ssh root access to your server so I 
can debug it for you and see what output you're getting from clamav and 
why it isn't parsing it properly?
I've got a reputation to protect, so I'm not going to do anything bad to 
you!

If it takes less than a couple of hours, I'll do it for free too. :)

Contact me by email if you're interested.

Jules.

On 12/01/2010 18:05, Sunny Forro wrote:
> I've rerun the ./install.sh script - again to no effect. However, I
> discovered that MailScanner is properly parsing mcafee's output but not
> clamav's. When I lint with my virus scanners set to "clamav mcafee" it
> picks up Eicar from mcafee, but nothing from clamav. If I set it to
> "clamav" it doesn't pick up Eicar at all.
>
> Side Note: I have a paid version of McAfee that I have used until
> recently, when I discovered that the latest release of mcafee for BSD
> still relies on an outdated compatibility library (compat3x) that
> doesn't properly install and isn't included in any release since
> FreeBSD5. It also spikes my CPU to 100% while scanning mail and slows
> the whole process to a crawl. Running clamav only with a previous
> release of MailScanner produces more reliable results because when my
> CPU hits 100% (using mcafee and clamav) mail begins to flow through
> completely untouched.
>
> Sunny
>
>
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
>> Sent: Tuesday, January 12, 2010 12:27 PM
>> To: MailScanner discussion
>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>
>> And if you re-run the ./install.sh from MailScanner, just to be doubly-sure?
>>
>> On 12/01/2010 16:49, Sunny Forro wrote:
>>
>>> Rich, thanks for the reply.
>>>
>>> I've gone through and checked the versions of all the perl-tars
>>> against what's installed (and reinstalled some of them to make sure
>>> the versions match). Everything that I've checked matches the expected
>>> versions for this release of MailScanner.
>>>
>>> Sunny
>>>
>>> *From:* mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of* Richard Lynch
>>> *Sent:* Tuesday, January 12, 2010 11:35 AM
>>> *To:* MailScanner discussion
>>> *Subject:* Re: MailScanner 4.78.17 doesn't detect viruses, have
>>> checked tmp permissions and no symlink, reinstalled clamav (worked in
>>> 4.77.10)
>>>
>>> Sunny Forro wrote:
>>>
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> <mailto:mailscanner-bounces at lists.mailscanner.info>
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>> Sent: Tuesday, January 12, 2010 11:02 AM
>>> To: MailScanner discussion
>>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>>
>>> Check your virus.scanners.conf file to ensure it is pointing at the
>>> correct place for clamav.
>>> If "which clamscan" reports /usr/local/bin/clamscan then the clamav line
>>> in virus.scanners.conf should end in "/usr/local" and if it reports
>>> /usr/bin/clamscan then the line should end in "/usr".
>>>
>>> That would be the first place to look. Then "MailScanner --lint" should
>>> detect the EICAR test pattern successfully. Once "MailScanner --lint"
>>> works, you're there.
>>>
>>> Jules.
>>>
>>>
>>> ------ Outlook sucks -----------
>>>
>>> Jules, thanks for the reply!
>>> I checked "which clamscan" and yes it does point to
>>> /usr/local/bin/clamscan. The clamav line in virus.scanners.conf does end
>>> in /usr/local. Still no lint under 4.78.17, but works fine under
>>> previous versions on the same box. Using clamav-wrapper to do a scan of
>>> /tmp gives me sensible output however.
>>>
>>> Sunny
>>>
>>>
>>>
>>> On 12/01/2010 15:45, Sunny Forro wrote:
>>>
>>>      Hello,
>>>
>>>      I've just upgraded to 4.78.17 and now mailscanner doesn't report
>>>      viruses detected by clamav in production or lint. I've scanned the
>>>      /tmp directory with clamav-wrapper and get sensible clam output. /tmp
>>>      is not symlinked. I've reinstalled clamav, and manually reinstalled
>>>      all the perl-tars from the install directory. I've even tried
>>>      downgrading MIME-tools to 5.420 (as found on another post), but to no
>>>      effect (and since reinstalled from perl-tar to 5.427). I've removed
>>>      and reinstalled Perl5.8.9, also to no effect. I'm running MS4.78.17,
>>>      SA3.2.5, Clam0.95.3, sendmail 8.14.3 on FreeBSD7.0p9, w/ mailwatch
>>>      1.0.4, apache13, mysql5077, php5, virtualized through VMWare VSphere
>>>      4.0. I've switched back to 4.77.10 as this properly identifies virii.
>>>      I'm out of ideas - Any suggestions? Is there something else I need to
>>>      check, or something else I missed?
>>>
>>>      Any help would be greatly appreciated.
>>>
>>>      Sunny Forro
>>>
>>>      P.S. Thanks a million to Julian Field for a fantastic solution to the
>>>      deluge of spam we had grown accustomed to.
>>>
>>> Jules
>>>
>>>
>>>
>>> This may be totally unrelated but I had a similar problem like this at
>>> one point. It turned out that the perl I was running had version 0.16
>>> of perl-File-Temp builtin and the version that came packaged with
>>> MailScanner was 0.19. When perl was updated v0.19 was removed. I ended
>>> up having to do a rpm --force on the version that came packaged with
>>> MailScanner.
>>>
>>> This is all from vague memories and I may not have the scenario
>>> exactly right. It took me a while to find it though. Check the version
>>> of File::Temp that you are using. I know that once I got the correct
>>> version installed MailScanner --lint started producing expected
>>> results with my virus scanners.
>>>
>>> Rich
>>>
>>>
>>> --
>>>
>>> "Of all tyrannies, a tyranny exercised for the good of its victims may
>>> be the most oppressive. It may be better to live under robber barons
>>> than omnipotent moral busybodies. The robber baron's cruelty may
>>> sometimes sleep, his cupidity may at some point be satiated; but those
>>> who torment us for our own good will torment us without end, for they do
>>> so with the approval of their own conscience."
>>>
>>>     -- C.S. Lewis
>>>
>>>        
>> Jules
>>
>> --
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> Need help customising MailScanner?
>> Contact me!
>> Need help fixing or optimising your systems?
>> Contact me!
>> Need help getting you started solving new requirements from your boss?
>> Contact me!
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>>
>>
>> --
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>>      
>
>    




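The check described in the quoted 11:02 message (the clamav line in virus.scanners.conf must end in the prefix that `which clamscan` implies), written out as an added shell example; it is not part of the thread or of MailScanner. The function names, the sample config contents and the wrapper paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from MailScanner): check that the
# clamav line in virus.scanners.conf ends in the prefix clamscan lives under.

# Print the last field of the first non-comment line whose name is "clamav".
conf_clamav_prefix() {
    awk '$1 == "clamav" { print $NF; exit }' "$1"
}

# /usr/local/bin/clamscan -> /usr/local ; fails for any other path shape.
prefix_of() {
    case "$1" in
        */bin/clamscan) printf '%s\n' "${1%/bin/clamscan}" ;;
        *) return 1 ;;
    esac
}

# Returns 0 on match, 1 on mismatch, 2 when there is nothing to compare.
check_clamav_prefix() {
    configured=$(conf_clamav_prefix "$1")
    expected=$(prefix_of "$2") || return 2
    [ -n "$configured" ] || return 2
    if [ "$configured" = "$expected" ]; then
        echo "OK: clamav line ends in $configured, matching $2"
        return 0
    fi
    echo "MISMATCH: conf ends in $configured, expected $expected for $2"
    return 1
}

# Constructed sample config; wrapper paths and the mcafee line are made up.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name   wrapper script            install prefix
mcafee   /opt/ms/mcafee-wrapper    /usr/local/uvscan
clamav   /opt/ms/clamav-wrapper    /usr
EOF

# Stale prefix (/usr) against a clamscan in /usr/local: reports MISMATCH.
check_clamav_prefix "$sample" /usr/local/bin/clamscan || true
# On a real host: check_clamav_prefix <path to virus.scanners.conf> "$(command -v clamscan)"
```

A match only confirms the path; "MailScanner --lint" detecting the EICAR test pattern remains the end-to-end check.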