MailScanner 4.78.17 doesn't detect viruses, have checked tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)

Sunny Forro sunny.forro at compcoind.com
Tue Jan 12 19:29:09 GMT 2010


Jules,
I would be happy to give you ssh to this box. Should I send details to
the mailscanner (at) ecs (dot) soton (dot) ac (dot) uk address?
Thanks,
Sunny Forro


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
> Sent: Tuesday, January 12, 2010 2:00 PM
> To: MailScanner discussion
> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> 
> Any chance you could give me remote ssh root access to your server so I
> can debug it for you and see what output you're getting from clamav and
> why it isn't parsing it properly?
> I've got a reputation to protect, so I'm not going to do anything bad to
> you!
> 
> If it takes less than a couple of hours, I'll do it for free too. :)
> 
> Contact me by email if you're interested.
> 
> Jules.
> 
> On 12/01/2010 18:05, Sunny Forro wrote:
> > I've rerun the ./install.sh script - again to no effect. However, I
> > discovered that MailScanner is properly parsing mcafee's output but not
> > clamav's. When I lint with my virus scanners set to "clamav mcafee" it
> > picks up Eicar from mcafee, but nothing from clamav. If I set it to
> > "clamav" it doesn't pick up Eicar at all.
> >
> > Side Note: I have a paid version of McAfee that I have used until
> > recently, when I discovered that the latest release of mcafee for BSD
> > still relies on an outdated compatibility library (compat3x) that
> > doesn't properly install and isn't included in any release since
> > FreeBSD5. It also spikes my CPU to 100% while scanning mail and slows
> > the whole process to a crawl. Running clamav only with a previous
> > release of MailScanner produces more reliable results because when my
> > CPU hits 100% (using mcafee and clamav) mail begins to flow through
> > completely untouched.
> >
> > Sunny
> >
> >
> >
> >> -----Original Message-----
> >> From: mailscanner-bounces at lists.mailscanner.info
> >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
> >> Sent: Tuesday, January 12, 2010 12:27 PM
> >> To: MailScanner discussion
> >> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
> >> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> >>
> >> And if you re-run the ./install.sh from MailScanner, just to be doubly-sure?
> >>
> >> On 12/01/2010 16:49, Sunny Forro wrote:
> >>
> >>> Rich, thanks for the reply.
> >>>
> >>> I've gone through and checked the versions of all the perl-tars
> >>> against what's installed (and reinstalled some of them to make sure
> >>> the versions match). Everything that I've checked matches the expected
> >>> versions for this release of MailScanner.
> >>>
> >>> Sunny
> >>>
> >>> *From:* mailscanner-bounces at lists.mailscanner.info
> >>> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of
> >>> *Richard Lynch
> >>> *Sent:* Tuesday, January 12, 2010 11:35 AM
> >>> *To:* MailScanner discussion
> >>> *Subject:* Re: MailScanner 4.78.17 doesn't detect viruses, have
> >>> checked tmp permissions and no symlink, reinstalled clamav (worked in
> >>> 4.77.10)
> >>>
> >>> Sunny Forro wrote:
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: mailscanner-bounces at lists.mailscanner.info
> >>> <mailto:mailscanner-bounces at lists.mailscanner.info>
> >>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> >>> Sent: Tuesday, January 12, 2010 11:02 AM
> >>> To: MailScanner discussion
> >>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
> >>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> >>>
> >>> Check your virus.scanners.conf file to ensure it is pointing at the
> >>> correct place for clamav.
> >>> If "which clamscan" reports /usr/local/bin/clamscan then the clamav line
> >>> in virus.scanners.conf should end in "/usr/local" and if it reports
> >>> /usr/bin/clamscan then the line should end in "/usr".
> >>>
> >>> That would be the first place to look. Then "MailScanner --lint" should
> >>> detect the EICAR test pattern successfully. Once "MailScanner --lint"
> >>> works, you're there.
> >>>
> >>> Jules.
> >>>
> >>>
> >>> ------ Outlook sucks -----------
> >>>
> >>> Jules, thanks for the reply!
> >>> I checked "which clamscan" and yes it does point to
> >>> /usr/local/bin/clamscan. The clamav line in virus.scanners.conf does end
> >>> in /usr/local. Still no lint under 4.78.17, but works fine under
> >>> previous versions on the same box. Using clamav-wrapper to do a scan of
> >>> /tmp gives me sensible output however.
> >>>
> >>> Sunny
> >>>
> >>>
> >>>
> >>> On 12/01/2010 15:45, Sunny Forro wrote:
> >>>
> >>>      Hello,
> >>>
> >>>      I've just upgraded to 4.78.17 and now mailscanner doesn't report
> >>>      viruses detected by clamav in production or lint. I've scanned the
> >>>      /tmp directory with clamav-wrapper and get sensible clam output. /tmp
> >>>      is not symlinked. I've reinstalled clamav, and manually reinstalled
> >>>      all the perl-tars from the install directory. I've even tried
> >>>      downgrading MIME-tools to 5.420 (as found on another post), but to no
> >>>      effect (and since reinstalled from perl-tar to 5.427). I've removed
> >>>      and reinstalled Perl5.8.9, also to no effect. I'm running MS4.78.17,
> >>>      SA3.2.5, Clam0.95.3, sendmail 8.14.3 on FreeBSD7.0p9, w/ mailwatch
> >>>      1.0.4, apache13, mysql5077, php5, virtualized through VMWare VSphere
> >>>      4.0. I've switched back to 4.77.10 as this properly identifies virii.
> >>>      I'm out of ideas - Any suggestions? Is there something else I need to
> >>>      check, or something else I missed?
> >>>
> >>>      Any help would be greatly appreciated.
> >>>
> >>>      Sunny Forro
> >>>
> >>>      P.S. Thanks a million to Julian Field for a fantastic solution to the
> >>>      deluge of spam we had grown accustomed to.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>>
> >>> Jules
> >>>
> >>>
> >>>
> >>> This may be totally unrelated but I had a similar problem like this at
> >>> one point. It turned out that the perl I was running had version 0.16
> >>> of perl-File-Temp builtin and the version that came packaged with
> >>> MailScanner was 0.19. When perl was updated v0.19 was removed. I ended
> >>> up having to do a rpm --force on the version that came packaged with
> >>> MailScanner.
> >>>
> >>> This is all from vague memories and I may not have the scenario
> >>> exactly right. It took me a while to find it though. Check the version
> >>> of File::Temp that you are using. I know that once I got the correct
> >>> version installed MailScanner --lint started producing expected
> >>> results with my virus scanners.
> >>>
> >>> Rich
> >>>
> >>>
> >>> --
> >>>
> >>> "Of all tyrannies, a tyranny exercised for the good of its victims may
> >>> be the most oppressive. It may be better to live under robber barons
> >>> than omnipotent moral busybodies. The robber baron's cruelty may
> >>> sometimes sleep, his cupidity may at some point be satiated; but those
> >>> who torment us for our own good will torment us without end, for they do
> >>> so with the approval of their own conscience."
> >>>
> >>>     -- C.S. Lewis
> >>>
> >>>
> >> Jules
> >>
> >> --
> >> Julian Field MEng CITP CEng
> >> www.MailScanner.info
> >> Buy the MailScanner book at www.MailScanner.info/store
> >>
> >> Need help customising MailScanner?
> >> Contact me!
> >> Need help fixing or optimising your systems?
> >> Contact me!
> >> Need help getting you started solving new requirements from your boss?
> >> Contact me!
> >>
> >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> >> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> >>
> >>
> >> --
> >> This message has been scanned for viruses and
> >> dangerous content by MailScanner, and is
> >> believed to be clean.
> >>
> >> --
> >> MailScanner mailing list
> >> mailscanner at lists.mailscanner.info
> >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> >>
> >> Before posting, read http://wiki.mailscanner.info/posting
> >>
> >> Support MailScanner development - buy the book off the website!
> >>
> >
> >
> 
> Jules
> 
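
Added example (not part of the thread, and not MailScanner's own code): a shell function that performs the check Jules describes above, comparing the last field of the clamav line in virus.scanners.conf with the prefix of the clamscan path. The whitespace-separated "scanner, wrapper, install prefix" line layout, the function name `check_clamav_prefix` and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# check_clamav_prefix CONF CLAMSCAN_PATH
# Returns 0 if the clamav line ends in the prefix clamscan lives under,
# 1 on a mismatch, 2 if no active clamav line exists in CONF.
check_clamav_prefix() {
    conf=$1
    clamscan=$2
    # /usr/local/bin/clamscan -> /usr/local ; /usr/bin/clamscan -> /usr
    expected=${clamscan%/bin/clamscan}
    # Last field of the first line whose first field is exactly "clamav".
    # Commented-out entries ("#clamav ...") do not match.
    configured=$(awk '$1 == "clamav" { print $NF; exit }' "$conf")
    if [ -z "$configured" ]; then
        echo "no clamav line in $conf"
        return 2
    fi
    if [ "$configured" = "$expected" ]; then
        echo "ok: clamav line ends in $configured"
        return 0
    fi
    echo "mismatch: conf says $configured, clamscan is under $expected"
    return 1
}

# Stand-alone run against a constructed sample file (paths are illustrative).
# On a real host:
#   check_clamav_prefix /path/to/virus.scanners.conf "$(command -v clamscan)"
sample=$(mktemp)
cat > "$sample" <<'EOF'
# scanner  wrapper                                         install-prefix
mcafee     /usr/local/libexec/MailScanner/mcafee-wrapper   /usr/local/uvscan
clamav     /usr/local/libexec/MailScanner/clamav-wrapper   /usr/local
EOF
check_clamav_prefix "$sample" /usr/local/bin/clamscan
rm -f "$sample"
```

A return of 0 only confirms the path setting; as the thread shows, "MailScanner --lint" can still miss EICAR for other reasons, so run it afterwards.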
