More antivirus fun...

Shawn Iverson iversons at rushville.k12.in.us
Fri Feb 22 05:18:23 UTC 2019


Kevin,

https://github.com/MailScanner/v5/pull/353

On Thu, Feb 21, 2019 at 8:03 PM Kevin Miller <kevin.miller at juneau.org>
wrote:

> Re: my previous message, I changed the owner/group of
> /var/spool/MailScanner/incoming/clamav-tmp to postfix:mtagroup and it
> cleaned up the permissions error I had noted.
>
> In my further testing, I configured MailScanner to only use Sophos rather
> than it and clamav.  It detects messages as viral, but doesn't
> quarantine them (using clamd does).
>
> From my mail.log:
> Feb 21 15:50:07 mxt MailScanner[3122]: Virus and Content Scanning: Starting
> Feb 21 15:50:15 mxt MailScanner[3122]: >>> Virus 'EICAR-AV-Test' found in
> file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
> Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Sophos found 1
> infections
> Feb 21 15:50:15 mxt MailScanner[3122]: Infected message var came from
> Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Found 1 viruses
> Feb 21 15:50:36 mxt MailScanner[3122]: Requeue: 836C01002EF.AD186 to
> E6FF31005DD
> Feb 21 15:50:36 mxt MailScanner[3122]: Uninfected: Delivered 1 messages
>
> There are several oddities such as "var/pool" rather than "/var/spool".
> Lines 3 - 5 clearly note the infection but the message is requeued and
> sent through as if it was clean.  Really odd.
>
> Testing the wrapper from the CLI I got the following output which seems
> pretty much what one would expect:
> ===================================
> root at mxt:/opt/sophos-av/bin# /usr/lib/MailScanner/wrapper/sophos-wrapper
> /opt/sophos-av/ /tmp
> SAVScan virus detection utility
> Version 5.53.0 [Linux/AMD64]
> Virus data version 5.60, February 2019
> Includes detection for 30926993 viruses, Trojans and worms
> Copyright (c) 1989-2019 Sophos Limited. All rights reserved.
>
> System time 15:46:59, System date 21 February 2019
>
> IDE directory is: /opt/sophos-av/lib/sav
>
> Using IDE file tofse-cl.ide
> ...dozens of similar lines snipped...
> Using IDE file docd-rwe.ide
>
> Quick Scanning
>
> 0 files scanned in 8 seconds.
> No viruses were discovered.
> End of Scan.
> ===================================
>
> MailScanner --lint gave the following:
>
> MailScanner.conf says "Virus Scanners = sophos"
> Found these virus scanners installed: sophos, clamd
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> >>> Virus 'EICAR-AV-Test' found in file
> /var/pool/MailScanner/incoming/5033/1/neicar.com
> Virus Scanning: Sophos found 1 infections
> Infected message var came from
> Virus Scanning: Found 1 viruses
>
> There seems to be some piece of the puzzle that apparently has a typo in
> it, leading to the "var/pool" error and probably the reason the message is
> delivered even though noted as a virus.
>
> ...Kevin
> --
> Kevin Miller
> Network/email Administrator, CBJ MIS Dept.
> 155 South Seward Street
> Juneau, Alaska 99801
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
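
The symptom reported in the quoted message (a scanner hit on a message, then that same message requeued and logged as "Uninfected: Delivered" by the same MailScanner child) can be searched for in mail.log. The following is an added example, not part of either message and not MailScanner code; the function name is hypothetical, the sample lines are constructed from the quoted excerpt with the e-mail line wrapping undone, and the incoming directory is assumed to be the /var/spool/MailScanner/incoming path mentioned in the thread.

```python
import re
from collections import defaultdict

INCOMING_DIR = "/var/spool/MailScanner/incoming"  # assumed work dir, as named in the thread
# Constructed sample, modelled on the mail.log excerpt quoted above (lines unwrapped).
SAMPLE_LOG = """\
Feb 21 15:50:07 mxt MailScanner[3122]: Virus and Content Scanning: Starting
Feb 21 15:50:15 mxt MailScanner[3122]: >>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/3122/836C01002EF.AD186/nmsg-3122-1.txt
Feb 21 15:50:15 mxt MailScanner[3122]: Virus Scanning: Sophos found 1 infections
Feb 21 15:50:36 mxt MailScanner[3122]: Requeue: 836C01002EF.AD186 to E6FF31005DD
Feb 21 15:50:36 mxt MailScanner[3122]: Uninfected: Delivered 1 messages
Feb 21 15:51:02 mxt MailScanner[3140]: Virus and Content Scanning: Starting
Feb 21 15:51:20 mxt MailScanner[3140]: Requeue: 1A2B3C4D5E6.A0001 to 9F8E7D6C5B4
Feb 21 15:51:20 mxt MailScanner[3140]: Uninfected: Delivered 1 messages
"""

LINE = re.compile(r"MailScanner\[(\d+)\]: (.*)$")
HIT = re.compile(r">>> Virus '([^']+)' found in file (\S+)")
MSGID = re.compile(r"incoming/\d+/([^/]+)/")   # queue id is the directory below the child's pid
REQUEUE = re.compile(r"Requeue: (\S+) to (\S+)")

def find_delivered_infections(log_text, incoming_dir=INCOMING_DIR):
    """Return one finding per flagged message that the same child requeued as uninfected."""
    hits = defaultdict(dict)      # pid -> {msgid: (virus, path)}
    requeued = defaultdict(dict)  # pid -> {msgid: new queue id}
    findings = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("Virus and Content Scanning: Starting"):
            hits.pop(pid, None)        # a new batch starts for this child
            requeued.pop(pid, None)
        elif (h := HIT.search(msg)) and (i := MSGID.search(h.group(2))):
            hits[pid][i.group(1)] = (h.group(1), h.group(2))
        elif (r := REQUEUE.search(msg)) and r.group(1) in hits[pid]:
            requeued[pid][r.group(1)] = r.group(2)
        elif msg.startswith("Uninfected: Delivered"):
            for msgid, new_id in requeued.pop(pid, {}).items():
                virus, path = hits[pid].pop(msgid)
                findings.append({"pid": pid, "msgid": msgid, "virus": virus,
                                 "delivered_as": new_id,
                                 "path_mangled": not path.startswith(incoming_dir + "/")})
    return findings

if __name__ == "__main__":
    for finding in find_delivered_infections(SAMPLE_LOG):
        print(finding)
```

The `path_mangled` field marks hits whose reported file path does not sit under the incoming directory, which is the "var/pool" oddity noted in the quoted message.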