More antivirus fun...
kevin.miller at juneau.org
Fri Feb 22 01:02:53 UTC 2019
Re: my previous message, I changed the owner/group of /var/spool/MailScanner/incoming/clamav-tmp to postfix:mtagroup and it cleaned up the permissions error I had noted.
In my further testing, I configured MailScanner to only use Sophos rather than it and clamav. It detects messages as viral, but doesn't quarantine them (using clamd does).
From my mail.log:
Feb 21 15:50:07 mxt MailScanner: Virus and Content Scanning: Starting
Feb 21 15:50:15 mxt MailScanner: >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
Feb 21 15:50:15 mxt MailScanner: Virus Scanning: Sophos found 1 infections
Feb 21 15:50:15 mxt MailScanner: Infected message var came from
Feb 21 15:50:15 mxt MailScanner: Virus Scanning: Found 1 viruses
Feb 21 15:50:36 mxt MailScanner: Requeue: 836C01002EF.AD186 to E6FF31005DD
Feb 21 15:50:36 mxt MailScanner: Uninfected: Delivered 1 messages
There are several oddities, such as "var/pool" rather than "/var/spool".
Lines 3 - 5 clearly note the infection, but the message is requeued and sent through as if it were clean. Really odd.
Testing the wrapper from the CLI, I got the following output, which seems pretty much what one would expect:
root@mxt:/opt/sophos-av/bin# /usr/lib/MailScanner/wrapper/sophos-wrapper /opt/sophos-av/ /tmp
SAVScan virus detection utility
Version 5.53.0 [Linux/AMD64]
Virus data version 5.60, February 2019
Includes detection for 30926993 viruses, Trojans and worms
Copyright (c) 1989-2019 Sophos Limited. All rights reserved.
System time 15:46:59, System date 21 February 2019
IDE directory is: /opt/sophos-av/lib/sav
Using IDE file tofse-cl.ide
...dozens of similar lines snipped...
Using IDE file docd-rwe.ide
0 files scanned in 8 seconds.
No viruses were discovered.
End of Scan.
MailScanner --lint gave the following:
MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: sophos, clamd
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/5033/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message var came from
Virus Scanning: Found 1 viruses
There seems to be some piece of the puzzle that apparently has a typo in it, leading to the "var/pool" error, and that is probably the reason the message is delivered even though it is noted as a virus.
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588
Registered Linux User No: 307357
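As an added example (not from the post above and not MailScanner's own code), here is a small Python checker that reads mail.log lines of the shape quoted in the message and flags the three anomalies described there: an infected-file path that does not sit under the configured incoming directory, an "Infected message ... came from" line with a malformed id or an empty sender, and a message that was reported infected yet requeued and then counted under "Uninfected: Delivered". The incoming directory, the queue-id format and the sample log lines are assumptions modelled on the excerpt, not real traffic.

```python
"""Scan MailScanner mail.log lines for "virus found but delivered anyway".

Added example; not MailScanner code. Heuristics below are modelled on the
log excerpt in the post and on a default /var/spool layout (assumptions).
"""
import re

# Syslog-style prefix: "<Mon> <day> <hh:mm:ss> <host> MailScanner: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+'
    r'MailScanner:\s+(?P<msg>.*)$')
VIRUS_RE = re.compile(r"^>>> Virus '(?P<name>[^']+)' found in file (?P<path>\S+)$")
# Work dir layout assumed: <incoming>/<pid>/<queue id>/<file>
PATH_ID_RE = re.compile(r'/incoming/\d+/(?P<qid>[^/]+)/')
REQUEUE_RE = re.compile(r'^Requeue: (?P<old>\S+) to (?P<new>\S+)$')
DELIVERED_RE = re.compile(r'^Uninfected: Delivered (?P<n>\d+) messages?$')
INFECTED_FROM_RE = re.compile(r'^Infected message (?P<qid>\S*) came from ?(?P<sender>.*)$')
# Queue id as it appears in the excerpt, e.g. 836C01002EF.AD186 (assumed format)
QID_RE = re.compile(r'^[0-9A-F]+(\.[0-9A-F]+)?$')

INCOMING_DIR = '/var/spool/MailScanner/incoming'   # assumption: default location

# Constructed sample, copied in shape from the post's mail.log excerpt.
BAD_LOG = """\
Feb 21 15:50:07 mxt MailScanner: Virus and Content Scanning: Starting
Feb 21 15:50:15 mxt MailScanner: >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
Feb 21 15:50:15 mxt MailScanner: Virus Scanning: Sophos found 1 infections
Feb 21 15:50:15 mxt MailScanner: Infected message var came from
Feb 21 15:50:15 mxt MailScanner: Virus Scanning: Found 1 viruses
Feb 21 15:50:36 mxt MailScanner: Requeue: 836C01002EF.AD186 to E6FF31005DD
Feb 21 15:50:36 mxt MailScanner: Uninfected: Delivered 1 messages
"""

# Constructed "healthy" batch for contrast: the infected message is never
# requeued, only a different (clean) message is delivered. Ids/IP are made up.
GOOD_LOG = """\
Feb 21 16:00:00 mxt MailScanner: Virus and Content Scanning: Starting
Feb 21 16:00:05 mxt MailScanner: >>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/3122/A1B2C3D4E5F.6789A/neicar.com
Feb 21 16:00:05 mxt MailScanner: Virus Scanning: Sophos found 1 infections
Feb 21 16:00:05 mxt MailScanner: Infected message A1B2C3D4E5F.6789A came from 192.0.2.10
Feb 21 16:00:05 mxt MailScanner: Virus Scanning: Found 1 viruses
Feb 21 16:00:06 mxt MailScanner: Requeue: B0B0B0B0B0B.11111 to C1C1C1C1C1C
Feb 21 16:00:06 mxt MailScanner: Uninfected: Delivered 1 messages
"""


def analyse(log_text, incoming_dir=INCOMING_DIR):
    """Return a list of finding tuples; an empty list means nothing odd."""
    findings = []
    infected = {}   # queue id -> virus name, within the current scan batch
    requeued = {}   # old queue id -> new queue id, within the current batch
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group('msg')
        if msg.startswith('Virus and Content Scanning: Starting'):
            infected, requeued = {}, {}          # a new batch begins
            continue
        v = VIRUS_RE.match(msg)
        if v:
            path = v.group('path')
            # The post's log shows "/var/pool/..." instead of the real work dir.
            if not path.startswith(incoming_dir + '/'):
                findings.append(('bad_incoming_path', path))
            p = PATH_ID_RE.search(path)
            if p:
                infected[p.group('qid')] = v.group('name')
            continue
        i = INFECTED_FROM_RE.match(msg)
        if i:
            # "Infected message var came from" has a bogus id and no sender.
            if not QID_RE.match(i.group('qid')) or not i.group('sender').strip():
                findings.append(('malformed_infected_line', msg))
            continue
        r = REQUEUE_RE.match(msg)
        if r:
            requeued[r.group('old')] = r.group('new')
            continue
        if DELIVERED_RE.match(msg):
            # A message flagged infected should be quarantined, never requeued
            # and then counted as an uninfected delivery.
            for old, name in infected.items():
                if old in requeued:
                    findings.append(('infected_delivered', old, requeued[old], name))
    return findings


if __name__ == '__main__':
    for label, text in (('bad', BAD_LOG), ('good', GOOD_LOG)):
        print(label, analyse(text))
```

Run it against a real mail.log with `analyse(open('/var/log/mail.log').read())`; the `infected_delivered` finding is the one worth alerting on, since it means the scanner's verdict was lost somewhere between detection and delivery, which is exactly the symptom the post describes.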