MailScanner 4.78.17 doesn't detect viruses, have checked tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)

Sunny Forro sunny.forro at compcoind.com
Wed Jan 13 15:58:17 GMT 2010


I've done some more testing on this issue. I've installed 4.79.5 and
tested - same result (no clamav output detected while linting or
running). I then copied over the Message.pm and MessageBatch.pm scripts
from 4.77.10 to 4.79.5 - same result. (I know, no "new" info, but at
least that's eliminated). My curiosity was to see if the inverted
spam/virus virus/spam scanning order was possibly part of the issue, but
it appears not. This is very strange. Any ideas, anyone?
Sunny



> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Sunny Forro
> Sent: Tuesday, January 12, 2010 2:29 PM
> To: MailScanner discussion
> Subject: RE: MailScanner 4.78.17 doesn't detect viruses, have checked
> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> 
> Jules,
> I would be happy to give you ssh to this box. Should I send details to
> the mailscanner (at) ecs (dot) soton (dot) ac (dot) uk address?
> Thanks,
> Sunny Forro
> 
> 
> > -----Original Message-----
> > From: mailscanner-bounces at lists.mailscanner.info
> > [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
> > Sent: Tuesday, January 12, 2010 2:00 PM
> > To: MailScanner discussion
> > Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
> > tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> >
> > Any chance you could give me remote ssh root access to your server so I
> > can debug it for you and see what output you're getting from clamav and
> > why it isn't parsing it properly?
> > I've got a reputation to protect, so I'm not going to do anything bad to
> > you!
> >
> > If it takes less than a couple of hours, I'll do it for free too. :)
> >
> > Contact me by email if you're interested.
> >
> > Jules.
> >
> > On 12/01/2010 18:05, Sunny Forro wrote:
> > > I've rerun the ./install.sh script - again to no effect. However, I
> > > discovered that MailScanner is properly parsing mcafee's output but not
> > > clamav's. When I lint with my virus scanners set to "clamav mcafee" it
> > > picks up Eicar from mcafee, but nothing from clamav. If I set it to
> > > "clamav" it doesn't pick up Eicar at all.
> > >
> > > Side Note: I have a paid version of McAfee that I have used until
> > > recently, when I discovered that the latest release of mcafee for BSD
> > > still relies on an outdated compatibility library (compat3x) that
> > > doesn't properly install and isn't included in any release since
> > > FreeBSD5. It also spikes my CPU to 100% while scanning mail and slows
> > > the whole process to a crawl. Running clamav only with a previous
> > > release of MailScanner produces more reliable results because when my
> > > CPU hits 100% (using mcafee and clamav) mail begins to flow through
> > > completely untouched.
> > >
> > > Sunny
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: mailscanner-bounces at lists.mailscanner.info
> > >> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
> > >> Sent: Tuesday, January 12, 2010 12:27 PM
> > >> To: MailScanner discussion
> > >> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
> > >> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> > >>
> > >> And if you re-run the ./install.sh from MailScanner, just to be
> > >> doubly-sure?
> > >>
> > >> On 12/01/2010 16:49, Sunny Forro wrote:
> > >>
> > >>> Rich, thanks for the reply.
> > >>>
> > >>> I've gone through and checked the versions of all the perl-tars
> > >>> against what's installed (and reinstalled some of them to make sure
> > >>> the versions match). Everything that I've checked matches the expected
> > >>> versions for this release of MailScanner.
> > >>>
> > >>> Sunny
> > >>>
> > >>> *From:* mailscanner-bounces at lists.mailscanner.info
> > >>> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of* Richard Lynch
> > >>> *Sent:* Tuesday, January 12, 2010 11:35 AM
> > >>> *To:* MailScanner discussion
> > >>> *Subject:* Re: MailScanner 4.78.17 doesn't detect viruses, have
> > >>> checked tmp permissions and no symlink, reinstalled clamav (worked in
> > >>> 4.77.10)
> > >>>
> > >>> Sunny Forro wrote:
> > >>>
> > >>> -----Original Message-----
> > >>> From: mailscanner-bounces at lists.mailscanner.info <mailto:mailscanner-bounces at lists.mailscanner.info>
> > >>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
> > >>> Sent: Tuesday, January 12, 2010 11:02 AM
> > >>> To: MailScanner discussion
> > >>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
> > >>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
> > >>>
> > >>> Check your virus.scanners.conf file to ensure it is pointing at the
> > >>> correct place for clamav.
> > >>> If "which clamscan" reports /usr/local/bin/clamscan then the clamav line
> > >>> in virus.scanners.conf should end in "/usr/local" and if it reports
> > >>> /usr/bin/clamscan then the line should end in "/usr".
> > >>>
> > >>> That would be the first place to look. Then "MailScanner --lint" should
> > >>> detect the EICAR test pattern successfully. Once "MailScanner --lint"
> > >>> works, you're there.
> > >>>
> > >>> Jules.
> > >>>
> > >>> ------ Outlook sucks -----------
> > >>>
> > >>> Jules, thanks for the reply!
> > >>> I checked "which clamscan" and yes it does point to
> > >>> /usr/local/bin/clamscan. The clamav line in virus.scanners.conf does end
> > >>> in /usr/local. Still no lint under 4.78.17, but works fine under
> > >>> previous versions on the same box. Using clamav-wrapper to do a scan of
> > >>> /tmp gives me sensible output however.
> > >>>
> > >>> Sunny
> > >>>
> > >>>
> > >>>
> > >>> On 12/01/2010 15:45, Sunny Forro wrote:
> > >>>
> > >>>      Hello,
> > >>>
> > >>>      I've just upgraded to 4.78.17 and now mailscanner doesn't report
> > >>>      viruses detected by clamav in production or lint. I've scanned the
> > >>>      /tmp directory with clamav-wrapper and get sensible clam output. /tmp
> > >>>      is not symlinked. I've reinstalled clamav, and manually reinstalled
> > >>>      all the perl-tars from the install directory. I've even tried
> > >>>      downgrading MIME-tools to 5.420 (as found on another post), but to no
> > >>>      effect (and since reinstalled from perl-tar to 5.427). I've removed
> > >>>      and reinstalled Perl5.8.9, also to no effect. I'm running MS4.78.17,
> > >>>      SA3.2.5, Clam0.95.3, sendmail 8.14.3 on FreeBSD7.0p9, w/ mailwatch
> > >>>      1.0.4, apache13, mysql5077, php5, virtualized through VMWare VSphere
> > >>>      4.0. I've switched back to 4.77.10 as this properly identifies virii.
> > >>>      I'm out of ideas - Any suggestions? Is there something else I need to
> > >>>      check, or something else I missed?
> > >>>
> > >>>      Any help would be greatly appreciated.
> > >>>
> > >>>      Sunny Forro
> > >>>
> > >>>      P.S. Thanks a million to Julian Field for a fantastic solution to the
> > >>>      deluge of spam we had grown accustomed to.
> > >>>
> > >>> Jules
> > >>>
> > >>>
> > >>>
> > >>> This may be totally unrelated but I had a similar problem like this at
> > >>> one point. It turned out that the perl I was running had version 0.16
> > >>> of perl-File-Temp builtin and the version that came packaged with
> > >>> MailScanner was 0.19. When perl was updated v0.19 was removed. I ended
> > >>> up having to do a rpm --force on the version that came packaged with
> > >>> MailScanner.
> > >>>
> > >>> This is all from vague memories and I may not have the scenario
> > >>> exactly right. It took me a while to find it though. Check the version
> > >>> of File::Temp that you are using. I know that once I got the correct
> > >>> version installed MailScanner --lint started producing expected
> > >>> results with my virus scanners.
> > >>>
> > >>> Rich
> > >>>
> > >>>
> > >>> --
> > >>>
> > >>> "Of all tyrannies, a tyranny exercised for the good of its victims may
> > >>> be the most oppressive. It may be better to live under robber barons
> > >>> than omnipotent moral busybodies. The robber baron's cruelty may
> > >>> sometimes sleep, his cupidity may at some point be satiated; but those
> > >>> who torment us for our own good will torment us without end, for they do
> > >>> so with the approval of their own conscience."
> > >>>
> > >>>     -- C.S. Lewis
> > >>>
> > >>>
> > >> Jules
> > >>
> > >> --
> > >> Julian Field MEng CITP CEng
> > >> www.MailScanner.info
> > >> Buy the MailScanner book at www.MailScanner.info/store
> > >>
> > >> Need help customising MailScanner?
> > >> Contact me!
> > >> Need help fixing or optimising your systems?
> > >> Contact me!
> > >> Need help getting you started solving new requirements from your boss?
> > >> Contact me!
> > >>
> > >> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> > >> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
> > >>
> > >>
> > >> --
> > >> This message has been scanned for viruses and
> > >> dangerous content by MailScanner, and is
> > >> believed to be clean.
> > >>
> > >> --
> > >> MailScanner mailing list
> > >> mailscanner at lists.mailscanner.info
> > >> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> > >>
> > >> Before posting, read http://wiki.mailscanner.info/posting
> > >>
> > >> Support MailScanner development - buy the book off the website!
> > >>
> > >
> > >
> >
> > Jules
> >
> 
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
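
The first check suggested in the quoted thread (the clamav line in virus.scanners.conf must end in the prefix under which clamscan is installed), written out as an added example that is not part of the original thread or of MailScanner. The function names, the sample file and its wrapper paths are constructed for illustration, and the column layout (name, wrapper, prefix) is assumed from the thread's statement that the line ends in the install prefix.

```shell
#!/bin/sh
# Added example, not MailScanner code. Function names are hypothetical.

# Print the last field (install prefix) of the first non-comment line whose
# first field is the scanner name. $1 = conf file, $2 = scanner name.
scanner_prefix() {
    awk -v name="$2" '
        /^[ \t]*#/ { next }
        $1 == name { print $NF; exit }
    ' "$1"
}

# /usr/local/bin/clamscan -> /usr/local ; /usr/bin/clamscan -> /usr
expected_prefix() {
    dirname "$(dirname "$1")"
}

# $1 = conf file, $2 = path printed by "which clamscan".
# Returns 0 on match, 1 on mismatch, 2 when the file has no clamav line.
check_clamav_prefix() {
    conf_prefix=$(scanner_prefix "$1" clamav)
    if [ -z "$conf_prefix" ]; then
        echo "no clamav line in $1"
        return 2
    fi
    want=$(expected_prefix "$2")
    if [ "$conf_prefix" = "$want" ]; then
        echo "OK: prefix $conf_prefix matches $2"
        return 0
    fi
    echo "MISMATCH: conf has $conf_prefix, clamscan is under $want"
    return 1
}

# Constructed sample file; the wrapper paths are assumptions.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# name   wrapper                                         prefix
mcafee   /usr/local/libexec/MailScanner/mcafee-wrapper   /usr/local/uvscan
clamav   /usr/local/libexec/MailScanner/clamav-wrapper   /usr/local
EOF
check_clamav_prefix "$sample" /usr/local/bin/clamscan
check_clamav_prefix "$sample" /usr/bin/clamscan || true
rm -f "$sample"
```

On a live system, pass the installed virus.scanners.conf and the output of `which clamscan` instead of the sample values. A match here only rules out the path problem; as the thread shows, lint can still fail for other reasons.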


