weird mailscanner clamd error

Rick Cooper rcooper at dwford.com
Thu Jan 6 16:41:56 GMT 2011


Julian would know more as to why this is set this way but in the latest
(don't know how far back this goes)  4.81.4 version of Message.pm line 3349
is
    $member->unixFileAttributes(0600);
What happens when you set this to $member->unixFileAttributes(0640); ?
 
That is the only place I noticed where, during the unzip process, the file
permissions appear to be set to 0600. clamav should work as it would be
executed under the mailscanner user and there should not be an issue with
the 0600 permissions.
 
Rick
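
A one-shot check for the symptom discussed in this thread: files in the incoming work directory whose mode differs from the configured Incoming Work Permissions. This is an added example, not part of the original post and not MailScanner code; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MailScanner code): list files in the incoming work
# directory whose mode differs from "Incoming Work Permissions".
# Function names and the sample tree below are constructed for illustration.

# conf_mode FILE: print the octal value of "Incoming Work Permissions".
conf_mode() {
    sed -n 's/^[[:space:]]*Incoming Work Permissions[[:space:]]*=[[:space:]]*\([0-7][0-7]*\).*/\1/p' "$1" | tail -n 1
}

# mismatched DIR MODE: print regular files under DIR whose permission bits
# are not exactly MODE, sorted, one per line.
mismatched() {
    find "$1" -type f ! -perm "$2" -print | sort
}

# build_sample DIR: constructed queue mirroring the listing in the thread:
# message parts at 0640, members unpacked from the zip at 0600.
build_sample() {
    msgdir="$1/BAD697FE65.AD0DB"
    mkdir -p "$msgdir" || return 1
    for f in nmsg-24198-1.txt ntest.zip; do
        : > "$msgdir/$f" && chmod 0640 "$msgdir/$f"
    done
    for f in zbeyond3g.jpg zchi_button-02.jpg; do
        : > "$msgdir/$f" && chmod 0600 "$msgdir/$f"
    done
}

# demo: run the check against the constructed tree and clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample "$tmp/incoming"
    printf 'Incoming Work Permissions = 0640\n' > "$tmp/MailScanner.conf"
    mismatched "$tmp/incoming" "$(conf_mode "$tmp/MailScanner.conf")"
    rm -rf "$tmp"
}

demo
```

On a live system, point `mismatched` at /var/spool/MailScanner/incoming while a message is in flight, since the files are removed once processing finishes.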

  _____  

From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Curu Wong
Sent: Thursday, January 06, 2011 3:40 AM
To: MailScanner discussion
Subject: Re: weird mailscanner clamd error


My system also has this problem. When a zip archive is scanned, I will
always get clamd error like:
----------------------------------------------------------------------------
Jan  5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zbeyond3g.jpg
Jan  5 16:47:34 spamsnake MailScanner[3887]: Clamd::ERROR:: Access denied. ERROR :: ./BAD697FE65.AD0DB/zchi_button-02.jpg
----------------------------------------------------------------------------

All other attachment types, like rar, work fine.

The files in the MS incoming queue get removed after it has finished processing,
and I use this command to monitor file permissions under the incoming queue:

while true; do ls -lR /var/spool/MailScanner/incoming/ >> file_list.txt; sleep 1; done

Send an email with rar attachment:
=======================================================
-rw-r----- 1 postfix www-data       4 2011-01-06 16:13 nmsg-24184-11.txt
-rw-r----- 1 postfix www-data 1536750 2011-01-06 16:13 nPI2.3.2.rar
-rw-r----- 1 postfix www-data  150576 2011-01-06 16:13 rPI2.3.2.pdf
-rw-r----- 1 postfix www-data 2141878 2011-01-06 16:13 rPoisonIvy2.3.2.exe
=======================================================

Send an email with zip attachment
=================================================
-rw-r----- 1 postfix www-data       4 2011-01-06 15:57 nmsg-24198-1.txt
-rw-r----- 1 postfix www-data 1665916 2011-01-06 15:57 ntest.zip
-rw------- 1 postfix www-data     238 2010-10-15 18:58 zall-wcprops
-rw------- 1 postfix www-data   23100 2010-10-15 18:58 zbeyond3g.jpg
-rw------- 1 postfix www-data   26180 2010-10-15 18:58 zchi_button-02.jpg
-rw------- 1 postfix www-data    2472 2010-10-15 23:33 zchi_button-reset.jpg
-rw------- 1 postfix www-data    2478 2010-10-15 23:33 zchi_button-submit.jpg
-rw------- 1 postfix www-data    6042 2010-10-18 15:34 zchi_edm.html
-rw------- 1 postfix www-data    4345 2010-10-18 15:35 zchi_web.html
========================================================

And I have this setting in MailScanner.conf:

Incoming Work Permissions = 0640

We can see that the test.zip file has the correct permissions, but its
extracted files have the wrong permissions.
In fact, even if I change Incoming Work Permissions to 0777, the file
permissions are still rw------, so weird.

Can anyone point out the problem?

I think there may be something wrong with the Perl Archive::Zip module or MS
itself.


2011/1/5 Naz Snidanko <nsnidanko at harperpowerproducts.com>


MailScanner --lint was generating "found 2 viruses" instead of a proper
"found 1 virus". So I got fed up, scrapped clamd and went with clamav.
Clamav works as it should: --lint generates "found 1 virus" and no more
errors with .ZIP archives. This is a small site and speed should not be
a factor.

Tons of thanks,


Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
 nsnidanko at harperpowerproducts.com


-----Original Message-----
Date: Tue, 4 Jan 2011 14:45:51 -0500
From: "Rick Cooper" <rcooper at dwford.com>
Subject: RE: weird mailscanner clamd error
To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>

Message-ID: <3AD1272E15D14A43BD27F7E3F3C17BD1 at SAHOMELT>
Content-Type: text/plain; charset="us-ascii"

Have you attempted to manually scan an example file with clamscan or
clamdscan? (preferably as the same user as would mailscanner).  Have you
tried sending with MailScanner running in debug mode? The error you are
seeing is coming from clamd,

 _____

From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Naz
Snidanko
Sent: Tuesday, January 04, 2011 10:07 AM
To: mailscanner at lists.mailscanner.info
Subject: Re: weird mailscanner clamd error



Glenn,



/tmp and incoming directories both have chmod 777. Also from my guess if it
had something to do with permissions it would generate this error for all
files, not just ZIP archives created by Winrar and Winzip programs. I also
completely removed apparmor (even though it originally had rw permissions
for clamd on incoming directory).



Is there a module within MailScanner that does .zip file extracting before
it goes for a clamd scan?

Any help is much appreciated.

Thank you,

Naz Snidanko
Desktop & Network Support
Harper Power Products Inc.
(p) 416 201- 7506
nsnidanko at harperpowerproducts.com

------------------------------

Message: 4
Date: Tue, 4 Jan 2011 11:40:03 +0100
From: Glenn Steen <glenn.steen at gmail.com>
Subject: Re: weird mailscanner clamd error
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Message-ID: <AANLkTikQ0EraC0imktQRZ-L-q2sqwqOE+503D-uSTMug at mail.gmail.com>
Content-Type: text/plain; charset=windows-1252



On 3 January 2011 21:34, Naz Snidanko <nsnidanko at harperpowerproducts.com> wrote:

> I have weird stuff happening. When we put any file into ZIP archive created
> from Winzip or Winrar I get the following log in mail.log:
>
> Jan  3 15:14:43 ares MailScanner[5103]: Virus and Content Scanning: Starting
> Jan  3 15:14:43 ares MailScanner[5103]: Clamd::ERROR:: Access denied. ERROR :: ./66522203B7.AD6EB/zRicohdeviceUsersetup.doc
> Jan  3 15:14:43 ares MailScanner[5103]: Virus Scanning: Clamd found 1 infections
> Jan  3 15:14:43 ares MailScanner[5103]: Virus Scanning: Found 1 viruses
> Jan  3 15:14:43 ares MailScanner[5103]: Spam Checks: Starting
>
> File delivered after passing mailscanner to final destination.
>
> When I put the same file into ZIP archive using built-in Windows XP engine
> it works flawlessly and no error log is generated. No error is generated
> when same file is put within .rar archive either.
>
> I've tried different files anything from jpeg to pdf and end up with error
> described above.
>
> Can someone point me in the right direction how to troubleshoot this within
> mailscanner.
>
> System:
>
> Clamd 0.96.5
> Ubuntu Server 10.04
> MailScanner 4.82.3
> Perl 5.10.1

Check that both postfix and clamav (or whatever the users/groups are
called) have relevant perms... Run As User/Group and 0660 perms in
MailScanner.conf, correct perms on your incoming directory (perhaps
/var/spool/MailScanner/incoming), Also check your clamd settings, of
course.
Perhaps the most crucial bit though... is to make sure that you have
sane permissions on /tmp, and that they can create files/directories
there as needed.

Cheers
--
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se




--
This message has been scanned for viruses and
dangerous content by MailScanner <http://www.mailscanner.info/>, and is
believed to be clean.

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!



