More antivirus fun...

Shawn Iverson iversons at rushville.k12.in.us
Mon Feb 25 23:00:38 UTC 2019


The error message is pretty generic....could be it is not parsing properly,
or can't write the file after parsing, or can't open the directory, or
can't access the file...also add in the fact that MailScanner keeps the
files very briefly and dumps them after scanning...

The neicar.com is created as an attachment to the test message during
MailScanner lint testing and subsequently parsed as a regular message.  The
n is just a prefix added as part of the disarming process.

Are the versions of MIME::Parser the same on all the hosts?

On Mon, Feb 25, 2019 at 3:33 PM Shawn Iverson <iversons at rushville.k12.in.us>
wrote:

> Is the clam user in the mtagroup on all hosts?
>
> On Mon, Feb 25, 2019 at 3:30 PM Kevin Miller <kevin.miller at juneau.org>
> wrote:
>
>> Following up on last week's upgrades.
>>
>> To wit, on a couple of my hosts clamd is working as advertised.  On a
>> couple others, it's only partially working.  I ran MailScanner --lint on a
>> fully working box, mxt, and a partially working box, mx1 and compared the
>> /var/log/clamav/clamav.log files.
>>
>> mxt:
>> Mon Feb 25 10:47:48 2019 ->
>> /var/spool/MailScanner/incoming/65439/1.message:
>> Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>> Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/
>> neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68)
>> FOUND
>>
>> mx1:
>> Mon Feb 25 10:31:20 2019 ->
>> /var/spool/MailScanner/incoming/13106/1.message:
>> Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>> Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/
>> neicar.com: Can't open file or directory ERROR
>>
>> So it appears that for whatever reason "neicar.com" isn't found on mx1,
>> the partially working box.  The directory is available, as evidenced by the
>> first log entry.
>>
>> I did a "locate neicar.com" on both hosts and neither returned a
>> location for that filename, but perhaps it's created on the fly by the lint
>> process?
>>
>> Permissions match on both hosts.
>>
>> It's a puzzler...
>>
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
>> 307357
>>
>>
>> -----Original Message-----
>> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=
>> juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller
>> Sent: Friday, February 22, 2019 4:36 PM
>> To: 'MailScanner Discussion'
>> Subject: RE: More antivirus fun...
>>
>> Thanks – it’s much appreciated!
>>
>> I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is
>> working just jiffy on them.
>> On two (of five) however, clamd is now acting sort of goofy.  MailScanner
>> --lint reports this:
>>
>>         Virus and Content Scanning: Starting
>>         Clamd::INFECTED::Eicar-Test-Signature :: ./1/
>>         Clamd::ERROR:: Can't open file or directory ERROR :: ./1/
>> neicar.com
>>         Virus Scanning: Clamd found 2 infections
>>         >>> Virus 'EICAR-AV-Test' found in file
>> /var/spool/MailScanner/incoming/2642/1/eicar.com
>>         Virus Scanning: Sophos found 1 infections
>>         Infected message 1 came from 10.1.1.1
>>         Virus Scanning: Found 3 viruses
>>
>> It's catching viruses, but note line three - for some reason it "Can't
>> open file or directory ERROR :: ./1/neicar.com"
>>
>> The config is (or should be) the same on all the boxes.  I'm stumped.
>> Not going to worry about it until Monday (it's quitting time) and clamd
>> seems to be catching the viruses so I guess it's safe to ignore for a
>> couple days.
>>
>> Have a great weekend all...
>>
>>
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
>> 307357
>>
>> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=
>> juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via
>> MailScanner
>> Sent: Friday, February 22, 2019 2:45 PM
>> To: MailScanner Discussion
>> Cc: Shawn Iverson
>> Subject: Re: More antivirus fun...
>>
>> Kevin,
>>
>> You are in good hands :)
>>
>> My MailScanner test environment has grown to four physical hosts in a
>> cluster running various distributions of MailScanner and upgrade paths :D
>> I have (not kidding) about a dozen virtual machines with snapshots and now
>> some LXC containers.  The goal: blow it up here first before releasing it.
>>
>> On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller <kevin.miller at juneau.org>
>> wrote:
>> I should have said ramifications.  But you're quite right.  Good to know
>> all the pieces are in place.
>>
>> I keep a test virtual Mailscanner/MailWatch/Postbox on hand for such
>> purposes.  Since I can create snapshots, it's easy to start over if I
>> totally bollix it up.
>>
>> ...Kevin
>> --
>> Kevin Miller
>> Network/email Administrator, CBJ MIS Dept.
>> 155 South Seward Street
>> Juneau, Alaska 99801
>> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No:
>> 307357
>>
>>
>> -----Original Message-----
>> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=
>> juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
>> Sent: Friday, February 22, 2019 12:23 PM
>> To: mailscanner at lists.mailscanner.info
>> Subject: Re: More antivirus fun...
>>
>> On 2/22/19 11:31 AM, Kevin Miller wrote:
>> >
>> > One quick question.  The upgrade process asked "Do you wish to install
>> the Sendmail::Milter interface? [yes]"  I said yes as that was the default,
>> but wasn't really sure what the implications of that are.
>>
>>
>> The implication is should you now choose to configure the Postfix milter
>> option in MailScanner, you have the necessary pieces.
>>
>> --
>> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
>> San Francisco Bay Area, California    better use your sense - B. Dylan
>>
>>
>> --
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>>
>>
>> --
>> Shawn Iverson, CETL
>> Director of Technology
>> Rush County Schools
>> 765-932-3901 option 7
>> iversons at rushville.k12.in.us
>>
>>
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>
>
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
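
Added example, not part of the original thread: the by-hand comparison of /var/log/clamav/clamav.log between mxt and mx1 described above, done as a script that strips the per-batch directory number and reports only the files whose clamd result differs between hosts. The function names are made up for this example, and the sample input is the log lines quoted in the thread, re-joined where the mail client wrapped them.

```python
import re
from collections import defaultdict

# clamd log line: "<timestamp> -> <path>: <detail> FOUND|ERROR|OK"
LINE_RE = re.compile(
    r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} -> "
    r"(?P<path>.+?): (?P<detail>.*?) ?(?P<status>FOUND|ERROR|OK)$"
)
# The batch number under incoming/ differs per run and host, so strip it
# to make paths from different hosts comparable.
BATCH_RE = re.compile(r"^.*/incoming/\d+/")

# Log lines quoted in the thread, re-joined where the mail client wrapped them.
SAMPLE = {
    "mxt": """\
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
""",
    "mx1": """\
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR
""",
}

def parse(log_text):
    """Return {normalised path: (status, detail)} for one host's log excerpt."""
    results = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banners, reload notices and other non-scan lines
        results[BATCH_RE.sub("", m["path"])] = (m["status"], m["detail"])
    return results

def diff_hosts(logs):
    """logs is {host: log text}; return {path: {host: outcome}} where hosts disagree."""
    per_path = defaultdict(dict)
    for host, text in logs.items():
        for path, outcome in parse(text).items():
            per_path[path][host] = outcome
    # A path missing from one host's log counts as a disagreement too.
    return {p: o for p, o in per_path.items()
            if len(set(o.values())) > 1 or len(o) < len(logs)}

if __name__ == "__main__":
    for path, outcomes in diff_hosts(SAMPLE).items():
        for host, (status, detail) in sorted(outcomes.items()):
            print(f"{path}\t{host}\t{status}\t{detail}")
```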