MailScanner 4.78.17 doesn't detect viruses,
have checked tmp permissions and no symlink,
reinstalled clamav (worked in 4.77.10)
Alex Neuman
alex at rtpty.com
Tue Jan 12 19:45:02 GMT 2010
It would be, in a way, an honor to welcome JKF into your box... :-D
It's like getting a visit from your own personal rock star! ;-)
On Jan 12, 2010, at 2:29 PM, Sunny Forro wrote:
> Jules,
> I would be happy to give you ssh to this box. Should I send details to
> the mailscanner (at) ecs (dot) soton (dot) ac (dot) uk address?
> Thanks,
> Sunny Forro
>
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
>> Sent: Tuesday, January 12, 2010 2:00 PM
>> To: MailScanner discussion
>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>
>> Any chance you could give me remote ssh root access to your server so I
>> can debug it for you and see what output you're getting from clamav and
>> why it isn't parsing it properly?
>> I've got a reputation to protect, so I'm not going to do anything bad to
>> you!
>>
>> If it takes less than a couple of hours, I'll do it for free too. :)
>>
>> Contact me by email if you're interested.
>>
>> Jules.
>>
>> On 12/01/2010 18:05, Sunny Forro wrote:
>>> I've rerun the ./install.sh script - again to no effect. However, I
>>> discovered that MailScanner is properly parsing mcafee's output but not
>>> clamav's. When I lint with my virus scanners set to "clamav mcafee" it
>>> picks up Eicar from mcafee, but nothing from clamav. If I set it to
>>> "clamav" it doesn't pick up Eicar at all.
>>>
>>> Side Note: I have a paid version of McAfee that I have used until
>>> recently, when I discovered that the latest release of mcafee for BSD
>>> still relies on an outdated compatibility library (compat3x) that
>>> doesn't properly install and isn't included in any release since
>>> FreeBSD5. It also spikes my CPU to 100% while scanning mail and slows
>>> the whole process to a crawl. Running clamav only with a previous
>>> release of MailScanner produces more reliable results because when my
>>> CPU hits 100% (using mcafee and clamav) mail begins to flow through
>>> completely untouched.
>>>
>>> Sunny
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
>>>> Sent: Tuesday, January 12, 2010 12:27 PM
>>>> To: MailScanner discussion
>>>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>>>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>>>
>>>> And if you re-run the ./install.sh from MailScanner, just to be
>>>> doubly-sure?
>>>>
>>>> On 12/01/2010 16:49, Sunny Forro wrote:
>>>>
>>>>> Rich, thanks for the reply.
>>>>>
>>>>> I've gone through and checked the versions of all the perl-tars
>>>>> against what's installed (and reinstalled some of them to make sure
>>>>> the versions match). Everything that I've checked matches the expected
>>>>> versions for this release of MailScanner.
>>>>>
>>>>> Sunny
>>>>>
>>>>> *From:* mailscanner-bounces at lists.mailscanner.info
>>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of
>>>>> *Richard Lynch
>>>>> *Sent:* Tuesday, January 12, 2010 11:35 AM
>>>>> *To:* MailScanner discussion
>>>>> *Subject:* Re: MailScanner 4.78.17 doesn't detect viruses, have
>>>>> checked tmp permissions and no symlink, reinstalled clamav (worked in
>>>>> 4.77.10)
>>>>>
>>>>> Sunny Forro wrote:
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>>>> Sent: Tuesday, January 12, 2010 11:02 AM
>>>>> To: MailScanner discussion
>>>>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>>>>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>>>>
>>>>
>>>>> Check your virus.scanners.conf file to ensure it is pointing at the
>>>>> correct place for clamav.
>>>>> If "which clamscan" reports /usr/local/bin/clamscan then the clamav line
>>>>> in virus.scanners.conf should end in "/usr/local" and if it reports
>>>>> /usr/bin/clamscan then the line should end in "/usr".
>>>>>
>>>>> That would be the first place to look. Then "MailScanner --lint" should
>>>>> detect the EICAR test pattern successfully. Once "MailScanner --lint"
>>>>> works, you're there.
>>>>>
>>>>> Jules.
>>>>>
>>>>>
>>>>> ------ Outlook sucks -----------
>>>>>
>>>>> Jules, thanks for the reply!
>>>>> I checked "which clamscan" and yes it does point to
>>>>> /usr/local/bin/clamscan. The clamav line in virus.scanners.conf does end
>>>>> in /usr/local. Still no lint under 4.78.17, but works fine under
>>>>> previous versions on the same box. Using clamav-wrapper to do a scan of
>>>>> /tmp gives me sensible output however.
>>>>>
>>>>> Sunny
>>>>>
>>>>>
>>>>>
>>>>> On 12/01/2010 15:45, Sunny Forro wrote:
>>>>>
>>>>>
>>>>> Hello,
>>>>>
>>>>>
>>>>>
>>>>> I've just upgraded to 4.78.17 and now mailscanner doesn't report
>>>>> viruses detected by clamav in production or lint. I've scanned the
>>>>> /tmp directory with clamav-wrapper and get sensible clam output. /tmp
>>>>> is not symlinked. I've reinstalled clamav, and manually reinstalled
>>>>> all the perl-tars from the install directory. I've even tried
>>>>> downgrading MIME-tools to 5.420 (as found on another post), but to no
>>>>> effect (and since reinstalled from perl-tar to 5.427). I've removed
>>>>> and reinstalled Perl5.8.9, also to no effect. I'm running MS4.78.17,
>>>>> SA3.2.5, Clam0.95.3, sendmail 8.14.3 on FreeBSD7.0p9, w/ mailwatch
>>>>> 1.0.4, apache13, mysql5077, php5, virtualized through VMWare VSphere
>>>>> 4.0. I've switched back to 4.77.10 as this properly identifies virii.
>>>>> I'm out of ideas - Any suggestions? Is there something else I need to
>>>>> check, or something else I missed?
>>>>>
>>>>>
>>>>>
>>>>> Any help would be greatly appreciated.
>>>>>
>>>>>
>>>>>
>>>>> Sunny Forro
>>>>>
>>>>>
>>>>>
>>>>> P.S. Thanks a million to Julian Field for a fantastic solution to the
>>>>> deluge of spam we had grown accustomed to.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Jules
>>>>>
>>>>>
>>>>>
>>>>> This may be totally unrelated but I had a similar problem like this at
>>>>> one point. It turned out that the perl I was running had version 0.16
>>>>> of perl-File-Temp builtin and the version that came packaged with
>>>>> MailScanner was 0.19. When perl was updated v0.19 was removed. I ended
>>>>> up having to do a rpm --force on the version that came packaged with
>>>>> MailScanner.
>>>>>
>>>>> This is all from vague memories and I may not have the scenario
>>>>> exactly right. It took me a while to find it though. Check the version
>>>>> of File::Temp that you are using. I know that once I got the correct
>>>>> version installed MailScanner --lint started producing expected
>>>>> results with my virus scanners.
>>>>>
>>>>> Rich
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> "Of all tyrannies, a tyranny exercised for the good of its victims may
>>>>> be the most oppressive. It may be better to live under robber barons
>>>>> than omnipotent moral busybodies. The robber baron's cruelty may
>>>>> sometimes sleep, his cupidity may at some point be satiated; but those
>>>>> who torment us for our own good will torment us without end, for they do
>>>>> so with the approval of their own conscience."
>>>>>
>>>>> -- C.S. Lewis
>>>>>
>>>>>
>>>> Jules
>>>>
>>>> --
>>>> Julian Field MEng CITP CEng
>>>> www.MailScanner.info
>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>>
>>>> Need help customising MailScanner?
>>>> Contact me!
>>>> Need help fixing or optimising your systems?
>>>> Contact me!
>>>> Need help getting you started solving new requirements from your
>> boss?
>>>> Contact me!
>>>>
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>>>>
>>>>
>>>> --
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>
>>>
>>
>> Jules
>>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
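
The path check described in the quoted advice above (the clamav line in virus.scanners.conf must end in the prefix of the clamscan that "which clamscan" reports), as an added example that is not part of the original thread or of MailScanner itself. It assumes the three-column line layout (scanner name, wrapper script, install directory); the function names, the wrapper path in the sample, and the conf path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: compare the install directory on the "clamav" line of
# virus.scanners.conf with the prefix of the clamscan binary in use.
# Assumed line layout: <scanner> <wrapper-script> <install-dir>

# Print the third column of the first non-comment line for a scanner.
conf_prefix() {  # $1 = conf file, $2 = scanner name
    awk -v s="$2" '
        $1 ~ /^#/ { next }                   # skip comment lines
        $1 == s && NF >= 3 { print $3; exit }
    ' "$1"
}

# Turn /usr/local/bin/clamscan into /usr/local.
binary_prefix() {  # $1 = full path to clamscan
    dirname "$(dirname "$1")"
}

# Return 0 on match, 1 on mismatch, 2 when the conf has no clamav line.
check_clamav_prefix() {  # $1 = conf file, $2 = full path to clamscan
    want=$(binary_prefix "$2")
    have=$(conf_prefix "$1" clamav)
    if [ -z "$have" ]; then
        echo "no clamav line in $1" >&2
        return 2
    fi
    have=${have%/}                           # tolerate a trailing slash
    if [ "$have" = "$want" ]; then
        echo "OK: clamav line ends in $have"
        return 0
    fi
    echo "MISMATCH: conf says $have, clamscan lives under $want" >&2
    return 1
}

# Constructed sample so the script runs stand-alone: the conf line points
# at /usr while the binary is under /usr/local, so a mismatch is reported.
demo=$(mktemp)
printf 'clamav /opt/MailScanner/lib/clamav-wrapper /usr\n' > "$demo"
check_clamav_prefix "$demo" /usr/local/bin/clamscan || true
rm -f "$demo"

# On a live system (conf path is an assumption; adjust to your install):
#   check_clamav_prefix /usr/local/etc/MailScanner/virus.scanners.conf \
#       "$(command -v clamscan)"
```

A match only rules out the path problem; as the thread shows, "MailScanner --lint" can still miss EICAR when the conf line is correct.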