More antivirus fun...

Kevin Miller kevin.miller at juneau.org
Fri Feb 22 01:02:53 UTC 2019


Re: my previous message, I changed the owner/group of /var/spool/MailScanner/incoming/clamav-tmp to postfix:mtagroup and it cleaned up the permissions error I had noted.

In my further testing, I configured MailScanner to only use Sophos rather than it and clamav. It detects messages as viral, but it doesn't quarantine them (using clamd does).

From my mail.log:
Feb 21 15:50:07 mxt MailScanner[3122]: Virus and Content Scanning: Starting
Feb 21 15:50:15 mxt MailScanner[3122]: >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Sophos found 1 infections
Feb 21 15:50:15 mxt MailScanner[3122]: Infected message var came from
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Found 1 viruses
Feb 21 15:50:36 mxt MailScanner[3122]: Requeue: 836C01002EF.AD186 to E6FF31005DD
Feb 21 15:50:36 mxt MailScanner[3122]: Uninfected: Delivered 1 messages

There are several oddities such as "var/pool" rather than "/var/spool".
Lines 3-5 clearly note the infection, but the message is requeued and sent through as if it was clean. Really odd.

Testing the wrapper from the CLI I got the following output which seems pretty much what one would expect:
===================================
root at mxt:/opt/sophos-av/bin# /usr/lib/MailScanner/wrapper/sophos-wrapper  /opt/sophos-av/ /tmp
SAVScan virus detection utility
Version 5.53.0 [Linux/AMD64]
Virus data version 5.60, February 2019
Includes detection for 30926993 viruses, Trojans and worms
Copyright (c) 1989-2019 Sophos Limited. All rights reserved.

System time 15:46:59, System date 21 February 2019

IDE directory is: /opt/sophos-av/lib/sav

Using IDE file tofse-cl.ide
...dozens of similar lines snipped...
Using IDE file docd-rwe.ide

Quick Scanning

0 files scanned in 8 seconds.
No viruses were discovered.
End of Scan.
===================================

MailScanner --lint gave the following:

MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/5033/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message var came from 
Virus Scanning: Found 1 viruses

There seems to be some piece of the puzzle that apparently has a typo in it, leading to the "var/pool" error, and that is probably the reason the message is delivered even though it is noted as a virus.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357
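An added example, not part of the post or of MailScanner itself: a small log audit that walks mail.log lines and flags the two symptoms quoted above, a detection path outside /var/spool/MailScanner/incoming and a scan batch that reports a virus and then delivers every message it requeued. The sample lines are constructed after the excerpt in the post, and the "delivered as many as it requeued" heuristic is my assumption about what a missed quarantine looks like in the log.

```python
import re

# Constructed sample modelled on the mail.log excerpt in the post (not a real capture);
# the second batch is a clean message for contrast.
SAMPLE_LOG = """\
Feb 21 15:50:07 mxt MailScanner[3122]: Virus and Content Scanning: Starting
Feb 21 15:50:15 mxt MailScanner[3122]: >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Sophos found 1 infections
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Found 1 viruses
Feb 21 15:50:36 mxt MailScanner[3122]: Requeue: 836C01002EF.AD186 to E6FF31005DD
Feb 21 15:50:36 mxt MailScanner[3122]: Uninfected: Delivered 1 messages
Feb 21 15:52:07 mxt MailScanner[3122]: Virus and Content Scanning: Starting
Feb 21 15:52:10 mxt MailScanner[3122]: Requeue: 9A1B2C3D4E5.F0123 to 5566778899A
Feb 21 15:52:10 mxt MailScanner[3122]: Uninfected: Delivered 1 messages
"""

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ MailScanner\[(\d+)\]: (.*)$")
VIRUS_RE = re.compile(r">>> Virus '([^']+)' found in file (\S+)")
DELIVERED_RE = re.compile(r"Uninfected: Delivered (\d+) messages")
INCOMING = "/var/spool/MailScanner/incoming/"  # where detection paths should live

def audit_mailscanner_log(text):
    """Return findings as (kind, pid, detail) tuples.
    'bad_path': a detection path outside INCOMING (the "var/pool" oddity).
    'delivered_despite_virus': a batch that logged a virus hit and then
    delivered at least as many messages as it requeued (assumed heuristic)."""
    findings = []
    batch = {}  # child pid -> state of the batch that child is currently scanning
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a MailScanner child line
        pid, msg = m.groups()
        b = batch.setdefault(pid, {"viruses": [], "queue_ids": []})
        if msg == "Virus and Content Scanning: Starting":
            batch[pid] = {"viruses": [], "queue_ids": []}  # new batch, drop old state
        elif (v := VIRUS_RE.search(msg)):
            b["viruses"].append(v.group(1))
            if not v.group(2).startswith(INCOMING):
                findings.append(("bad_path", pid, v.group(2)))
        elif msg.startswith("Requeue: "):
            b["queue_ids"].append(msg.split()[1])  # original queue id
        elif (d := DELIVERED_RE.search(msg)):
            if b["viruses"] and int(d.group(1)) >= len(b["queue_ids"]):
                findings.append(("delivered_despite_virus", pid, (b["viruses"], b["queue_ids"])))
            batch.pop(pid)  # batch finished
    return findings

if __name__ == "__main__":
    for finding in audit_mailscanner_log(SAMPLE_LOG):
        print(finding)
```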