MailScanner 4.78.17 doesn't detect viruses, have checked tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)

Julian Field MailScanner at ecs.soton.ac.uk
Thu Jan 14 14:32:18 GMT 2010


I've got a whole rack full of virtualisation hardware available here, 
thanks anyway.

If you want to make a small donation, there are quite a few things on my 
amazon.co.uk wishlist, any of which would be very much appreciated! The 
side-cutters would be most appreciated at the moment, but anything you 
like the price/look of would go down well :-)

Thanks,
Jules.

On 14/01/2010 14:07, Sunny Forro wrote:
> Jules,
> Thanks a million for your help. I'd like to contribute to the
> development of MailScanner but am far from well-versed in perl. I'm
> fairly well versed in FreeBSD (that's my preferred install). Would a
> virtual machine with ssh help you out any?
> Thanks,
> Sunny Forro
>
>> -----Original Message-----
>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
>> Sent: Tuesday, January 12, 2010 2:00 PM
>> To: MailScanner discussion
>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>
>> Any chance you could give me remote ssh root access to your server so I
>> can debug it for you and see what output you're getting from clamav and
>> why it isn't parsing it properly?
>> I've got a reputation to protect, so I'm not going to do anything bad to
>> you!
>>
>> If it takes less than a couple of hours, I'll do it for free too. :)
>>
>> Contact me by email if you're interested.
>>
>> Jules.
>>
>> On 12/01/2010 18:05, Sunny Forro wrote:
>>
>>> I've rerun the ./install.sh script - again to no effect. However, I
>>> discovered that MailScanner is properly parsing mcafee's output but not
>>> clamav's. When I lint with my virus scanners set to "clamav mcafee" it
>>> picks up Eicar from mcafee, but nothing from clamav. If I set it to
>>> "clamav" it doesn't pick up Eicar at all.
>>>
>>> Side Note: I have a paid version of McAfee that I have used until
>>> recently, when I discovered that the latest release of mcafee for BSD
>>> still relies on an outdated compatibility library (compat3x) that
>>> doesn't properly install and isn't included in any release since
>>> FreeBSD5. It also spikes my CPU to 100% while scanning mail and slows
>>> the whole process to a crawl. Running clamav only with a previous
>>> release of MailScanner produces more reliable results because when my
>>> CPU hits 100% (using mcafee and clamav) mail begins to flow through
>>> completely untouched.
>>>
>>> Sunny
>>>
>>>> -----Original Message-----
>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jules Field
>>>> Sent: Tuesday, January 12, 2010 12:27 PM
>>>> To: MailScanner discussion
>>>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>>>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>>>
>>>> And if you re-run the ./install.sh from MailScanner, just to be doubly-sure?
>>>>
>>>> On 12/01/2010 16:49, Sunny Forro wrote:
>>>>
>>>>> Rich, thanks for the reply.
>>>>>
>>>>> I've gone through and checked the versions of all the perl-tars
>>>>> against what's installed (and reinstalled some of them to make sure
>>>>> the versions match). Everything that I've checked matches the expected
>>>>> versions for this release of MailScanner.
>>>>>
>>>>> Sunny
>>>>>
>>>>> *From:* mailscanner-bounces at lists.mailscanner.info
>>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] *On Behalf Of* Richard Lynch
>>>>> *Sent:* Tuesday, January 12, 2010 11:35 AM
>>>>> *To:* MailScanner discussion
>>>>> *Subject:* Re: MailScanner 4.78.17 doesn't detect viruses, have
>>>>> checked tmp permissions and no symlink, reinstalled clamav (worked in
>>>>> 4.77.10)
>>>>>
>>>>> Sunny Forro wrote:
>>>>>
>>>>> -----Original Message-----
>>>>> From: mailscanner-bounces at lists.mailscanner.info
>>>>> <mailto:mailscanner-bounces at lists.mailscanner.info>
>>>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian Field
>>>>> Sent: Tuesday, January 12, 2010 11:02 AM
>>>>> To: MailScanner discussion
>>>>> Subject: Re: MailScanner 4.78.17 doesn't detect viruses, have checked
>>>>> tmp permissions and no symlink, reinstalled clamav (worked in 4.77.10)
>>>>>
>>>>> Check your virus.scanners.conf file to ensure it is pointing at the
>>>>> correct place for clamav.
>>>>> If "which clamscan" reports /usr/local/bin/clamscan then the clamav line
>>>>> in virus.scanners.conf should end in "/usr/local" and if it reports
>>>>> /usr/bin/clamscan then the line should end in "/usr".
>>>>>
>>>>> That would be the first place to look. Then "MailScanner --lint" should
>>>>> detect the EICAR test pattern successfully. Once "MailScanner --lint"
>>>>> works, you're there.
>>>>>
>>>>> Jules.
>>>>>
>>>>>
>>>>> ------ Outlook sucks -----------
>>>>>
>>>>> Jules, thanks for the reply!
>>>>> I checked "which clamscan" and yes it does point to
>>>>> /usr/local/bin/clamscan. The clamav line in virus.scanners.conf does end
>>>>> in /usr/local. Still no lint under 4.78.17, but works fine under
>>>>> previous versions on the same box. Using clamav-wrapper to do a scan of
>>>>> /tmp gives me sensible output however.
>>>>>
>>>>> Sunny
>>>>>
>>>>> On 12/01/2010 15:45, Sunny Forro wrote:
>>>>>
>>>>>       Hello,
>>>>>
>>>>>       I've just upgraded to 4.78.17 and now mailscanner doesn't report
>>>>>       viruses detected by clamav in production or lint. I've scanned the
>>>>>       /tmp directory with clamav-wrapper and get sensible clam output. /tmp
>>>>>       is not symlinked. I've reinstalled clamav, and manually reinstalled
>>>>>       all the perl-tars from the install directory. I've even tried
>>>>>       downgrading MIME-tools to 5.420 (as found on another post), but to no
>>>>>       effect (and since reinstalled from perl-tar to 5.427). I've removed
>>>>>       and reinstalled Perl5.8.9, also to no effect. I'm running MS4.78.17,
>>>>>       SA3.2.5, Clam0.95.3, sendmail 8.14.3 on FreeBSD7.0p9, w/ mailwatch
>>>>>       1.0.4, apache13, mysql5077, php5, virtualized through VMWare VSphere
>>>>>       4.0. I've switched back to 4.77.10 as this properly identifies virii.
>>>>>       I'm out of ideas - Any suggestions? Is there something else I need to
>>>>>       check, or something else I missed?
>>>>>
>>>>>       Any help would be greatly appreciated.
>>>>>
>>>>>       Sunny Forro
>>>>>
>>>>>       P.S. Thanks a million to Julian Field for a fantastic solution to the
>>>>>       deluge of spam we had grown accustomed to.
>>>>>
>>>>> Jules
>>>>>
>>>>> This may be totally unrelated but I had a similar problem like this at
>>>>> one point. It turned out that the perl I was running had version 0.16
>>>>> of perl-File-Temp builtin and the version that came packaged with
>>>>> MailScanner was 0.19. When perl was updated v0.19 was removed. I ended
>>>>> up having to do a rpm --force on the version that came packaged with
>>>>> MailScanner.
>>>>>
>>>>> This is all from vague memories and I may not have the scenario
>>>>> exactly right. It took me a while to find it though. Check the version
>>>>> of File::Temp that you are using. I know that once I got the correct
>>>>> version installed MailScanner --lint started producing expected
>>>>> results with my virus scanners.
>>>>>
>>>>> Rich
>>>>>
>>>>> --
>>>>>
>>>>> "Of all tyrannies, a tyranny exercised for the good of its victims may
>>>>> be the most oppressive. It may be better to live under robber barons
>>>>> than omnipotent moral busybodies. The robber baron's cruelty may
>>>>> sometimes sleep, his cupidity may at some point be satiated; but those
>>>>> who torment us for our own good will torment us without end, for they do
>>>>> so with the approval of their own conscience."
>>>>>
>>>>>      -- C.S. Lewis
>>>>>
>>>> Jules
>>>>
>>>> --
>>>> Julian Field MEng CITP CEng
>>>> www.MailScanner.info
>>>> Buy the MailScanner book at www.MailScanner.info/store
>>>>
>>>> Need help customising MailScanner?
>>>> Contact me!
>>>> Need help fixing or optimising your systems?
>>>> Contact me!
>>>> Need help getting you started solving new requirements from your boss?
>>>> Contact me!
>>>>
>>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>> Follow me at twitter.com/JulesFM and twitter.com/MailScanner
>>>>
>>>>
>>>> --
>>>> This message has been scanned for viruses and
>>>> dangerous content by MailScanner, and is
>>>> believed to be clean.
>>>>
>>>> --
>>>> MailScanner mailing list
>>>> mailscanner at lists.mailscanner.info
>>>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>>>
>>>> Before posting, read http://wiki.mailscanner.info/posting
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>

Jules
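
The virus.scanners.conf check described in the quoted 11:02 message, as an added shell example that is not part of the original thread: it compares the last field of the clamav line with the prefix implied by the clamscan path. The three-column line layout, the function names and the wrapper paths in the sample are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout of each
# virus.scanners.conf line: <scanner> <wrapper script> <install prefix>.

# Print the last field of the first uncommented line for the clamav scanner.
clamav_prefix_from_conf() {
    awk '$1 == "clamav" { print $NF; exit }' "$1"
}

# /usr/local/bin/clamscan -> /usr/local
prefix_from_binary() {
    dirname "$(dirname "$1")"
}

# Usage: check_clamav_prefix <virus.scanners.conf> [path to clamscan]
# Returns 0 on match, 1 on mismatch, 2 if a value cannot be determined.
check_clamav_prefix() {
    conf=$1
    bin=${2:-$(command -v clamscan 2>/dev/null || true)}
    if [ ! -r "$conf" ] || [ -z "$bin" ]; then
        echo "cannot read '$conf' or locate clamscan" >&2
        return 2
    fi
    configured=$(clamav_prefix_from_conf "$conf")
    if [ -z "$configured" ]; then
        echo "no clamav line in $conf" >&2
        return 2
    fi
    configured=${configured%/}          # tolerate a trailing slash
    expected=$(prefix_from_binary "$bin")
    if [ "$configured" = "$expected" ]; then
        echo "OK: clamav prefix $configured matches $bin"
        return 0
    fi
    echo "MISMATCH: conf says $configured, $bin implies $expected" >&2
    return 1
}

# Constructed sample input; the wrapper paths are placeholders.
sample=$(mktemp)
printf '%s\n' '#clamav /path/to/old-wrapper /opt' \
    'mcafee /path/to/mcafee-wrapper /usr/local/uvscan' \
    'clamav /path/to/clamav-wrapper /usr/local/' > "$sample"
check_clamav_prefix "$sample" /usr/local/bin/clamscan
check_clamav_prefix "$sample" /usr/bin/clamscan || true
rm -f "$sample"
```

A match here only rules out the path mismatch; as the thread shows, "MailScanner --lint" can still fail to report EICAR with the prefix set correctly.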
