More antivirus fun...

Kevin Miller kevin.miller at juneau.org
Mon Feb 25 20:30:11 UTC 2019


Following up on last week's upgrades.

To wit, on a couple of my hosts clamd is working as advertised.  On a couple others, it's only partially working.  I ran MailScanner --lint on a fully working box, mxt, and a partially working box, mx1, and compared the /var/log/clamav/clamav.log files.

mxt:
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

mx1:
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR

So it appears that for whatever reason "neicar.com" isn't found on mx1, the partially working box.  The directory is available, as evidenced by the first log entry.

I did a "locate neicar.com" on both hosts and neither returned a location for that filename, but perhaps it's created on the fly by the lint process?

Permissions match on both hosts.

It's a puzzler...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
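
Added example, not part of the original post or of MailScanner/ClamAV: one way to automate the log comparison described above, by parsing each host's clamd log and reporting files whose scan result differs between hosts. The function names and the assumed line shape are hypothetical, inferred only from the log lines quoted in the message.

```python
import re

# Log lines as quoted in the post above, one string per host.
MXT_LOG = """\
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
"""
MX1_LOG = """\
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR
"""

# Assumed line shape, inferred from the lines above:
#   <timestamp> -> <path>: <detail> FOUND|ERROR
LINE_RE = re.compile(
    r"^(?P<ts>.+?) -> (?P<path>/.+?): (?P<detail>.+) (?P<status>FOUND|ERROR)$"
)
# The numeric work directory under incoming/ differs on every run, so strip
# it to get a key that can be compared across hosts.
WORKDIR_RE = re.compile(r"^.*/incoming/\d+/")


def parse_clamd_log(text):
    """Return {relative_path: (status, detail)} for FOUND/ERROR lines."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a scan-result line
        results[WORKDIR_RE.sub("", m["path"])] = (m["status"], m["detail"])
    return results


def diff_hosts(logs):
    """Return {path: {host: (status, detail)}} where hosts disagree."""
    parsed = {host: parse_clamd_log(text) for host, text in logs.items()}
    mismatches = {}
    for path in sorted(set().union(*parsed.values())):
        per_host = {h: parsed[h].get(path, ("MISSING", "")) for h in parsed}
        if len({status for status, _ in per_host.values()}) > 1:
            mismatches[path] = per_host
    return mismatches


if __name__ == "__main__":
    for path, per_host in diff_hosts({"mxt": MXT_LOG, "mx1": MX1_LOG}).items():
        print(path, per_host)
```

On real hosts, pass the lines each `MailScanner --lint` run wrote to /var/log/clamav/clamav.log in place of the embedded strings.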


-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Friday, February 22, 2019 4:36 PM
To: 'MailScanner Discussion'
Subject: RE: More antivirus fun...

Thanks – it’s much appreciated!

I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is working just jiffy on them.
On two (of five) however, clamd is now acting sort of goofy.  MailScanner --lint reports this:

	Virus and Content Scanning: Starting
	Clamd::INFECTED::Eicar-Test-Signature :: ./1/
	Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com
	Virus Scanning: Clamd found 2 infections
	>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com
	Virus Scanning: Sophos found 1 infections
	Infected message 1 came from 10.1.1.1
	Virus Scanning: Found 3 viruses

It's catching viruses, but note line three - for some reason it "Can't open file or directory ERROR :: ./1/neicar.com"

The config is (or should be) the same on all the boxes.  I'm stumped.  Not going to worry about it until Monday (it's quitting time) and clamd seems to be catching the viruses so I guess it's safe to ignore for a couple days.

Have a great weekend all...


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner
Sent: Friday, February 22, 2019 2:45 PM
To: MailScanner Discussion
Cc: Shawn Iverson
Subject: Re: More antivirus fun...

Kevin,

You are in good hands :)

My MailScanner test environment has grown to four physical hosts in a cluster running various distributions of MailScanner and upgrade paths :D  I have (not kidding) about a dozen virtual machines with snapshots and now some LXC containers.  The goal: blow it up here first before releasing it.

On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller <kevin.miller at juneau.org> wrote:
I should have said ramifications.  But you're quite right.  Good to know all the pieces are in place.

I keep a test virtual MailScanner/MailWatch/Postbox on hand for such purposes.  Since I can create snapshots, it's easy to start over if I totally bollix it up.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Friday, February 22, 2019 12:23 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: More antivirus fun...

On 2/22/19 11:31 AM, Kevin Miller wrote:
> 
> One quick question.  The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]"  I said yes as that was the default, but wasn't really sure what the implications of that are.


The implication is should you now choose to configure the Postfix milter
option in MailScanner, you have the necessary pieces.

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


-- 
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner





-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us




