More antivirus fun...

Kevin Miller kevin.miller at juneau.org
Mon Feb 25 23:49:56 UTC 2019


They are the same:  5.509   MIME::Parser


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner
Sent: Monday, February 25, 2019 2:01 PM
To: MailScanner Discussion
Cc: Shawn Iverson
Subject: Re: More antivirus fun...

The error message is pretty generic....could be it is not parsing properly, or can't write the file after parsing, or can't open the directory, or can't access the file...also add in the fact that MailScanner keeps the files very briefly and dumps them after scanning...

The neicar.com is created as an attachment to the test message during MailScanner lint testing and subsequently parsed as a regular message.  The n is just a prefix added as part of the disarming process.

Are the versions of MIME::Parser the same on all the hosts?

On Mon, Feb 25, 2019 at 3:33 PM Shawn Iverson <iversons at rushville.k12.in.us> wrote:
Is the clam user in the mtagroup on all hosts?

On Mon, Feb 25, 2019 at 3:30 PM Kevin Miller <kevin.miller at juneau.org> wrote:
Following up on last week's upgrades.

To wit, on a couple of my hosts clamd is working as advertised.  On a couple others, it's only partially working.  I ran MailScanner --lint on a fully working box, mxt, and a partially working box, mx1 and compared the /var/log/clamav/clamav.log files.

mxt:
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND

mx1:
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR

So it appears that for whatever reason "neicar.com" isn't found on mx1, the partially working box.  The directory is available, as evidenced by the first log entry.

I did a "locate neicar.com" on both hosts and neither returned a location for that filename, but perhaps it's created on the fly by the lint process?

Permissions match on both hosts.

It's a puzzler...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller
Sent: Friday, February 22, 2019 4:36 PM
To: 'MailScanner Discussion'
Subject: RE: More antivirus fun...

Thanks – it’s much appreciated!

I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is working just jiffy on them.
On two (of five) however, clamd is now acting sort of goofy.  MailScanner --lint reports this:

        Virus and Content Scanning: Starting
        Clamd::INFECTED::Eicar-Test-Signature :: ./1/
        Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com
        Virus Scanning: Clamd found 2 infections
        >>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com
        Virus Scanning: Sophos found 1 infections
        Infected message 1 came from 10.1.1.1
        Virus Scanning: Found 3 viruses

It's catching viruses, but note line three - for some reason it "Can't open file or directory ERROR :: ./1/neicar.com"

The config is (or should be) the same on all the boxes.  I'm stumped.  Not going to worry about it until Monday (it's quitting time) and clamd seems to be catching the viruses so I guess it's safe to ignore for a couple days.

Have a great weekend all...


...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via MailScanner
Sent: Friday, February 22, 2019 2:45 PM
To: MailScanner Discussion
Cc: Shawn Iverson
Subject: Re: More antivirus fun...

Kevin,

You are in good hands :)

My MailScanner test environment has grown to four physical hosts in a cluster running various distributions of MailScanner and upgrade paths :D  I have (not kidding) about a dozen virtual machines with snapshots and now some LXC containers.  The goal: blow it up here first before releasing it.

On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller <kevin.miller at juneau.org> wrote:
I should have said ramifications.  But you're quite right.  Good to know all the pieces are in place.

I keep a test virtual MailScanner/MailWatch/Postbox on hand for such purposes.  Since I can create snapshots, it's easy to start over if I totally bollix it up.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357


-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces+kevin.miller=juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
Sent: Friday, February 22, 2019 12:23 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: More antivirus fun...

On 2/22/19 11:31 AM, Kevin Miller wrote:
>
> One quick question.  The upgrade process asked "Do you wish to install the Sendmail::Milter interface? [yes]"  I said yes as that was the default, but wasn't really sure what the implications of that are.


The implication is should you now choose to configure the Postfix milter
option in MailScanner, you have the necessary pieces.

--
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner



--
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us





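An added example, not part of the original thread or of MailScanner: the clamav.log comparison described above, done mechanically. It parses the log lines quoted in the thread (archive link residue removed), masks the per-run batch directory so hosts can be compared, and reports paths whose clamd result differs between hosts; the function names and the host-keyed layout are assumptions.

```python
import re
from collections import defaultdict

# Log lines quoted in the thread (archive link residue removed), keyed by host.
LOGS = {
    "mxt": """\
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
""",
    "mx1": """\
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR
""",
}

# "<timestamp> -> <path>: <detail> <FOUND|ERROR|OK>" (detail is absent on plain "OK" lines)
LINE = re.compile(r"^(?P<ts>.+?) -> (?P<path>/.+?): (?:(?P<detail>.*) )?(?P<status>FOUND|ERROR|OK)$")
# The batch directory under incoming/ differs on every run and host, so mask it.
BATCH = re.compile(r"(/incoming/)\d+(/|$)")

def parse(text):
    """Yield (normalised_path, status, detail) for each scan-result line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield BATCH.sub(r"\1<batch>\2", m["path"]), m["status"], m["detail"] or ""

def compare(logs):
    """Return {path: {host: (status, detail)}} for paths whose status differs between hosts."""
    seen = defaultdict(dict)
    for host, text in logs.items():
        for path, status, detail in parse(text):
            seen[path][host] = (status, detail)
    return {p: h for p, h in seen.items() if len({s for s, _ in h.values()}) > 1}

def unscanned(logs):
    """List (host, path, reason) where clamd logged ERROR, i.e. clamd did not scan that file."""
    return [(host, path, detail) for host, text in logs.items()
            for path, status, detail in parse(text) if status == "ERROR"]

if __name__ == "__main__":
    for path, hosts in compare(LOGS).items():
        print(path, hosts)
    for row in unscanned(LOGS):
        print("NOT SCANNED BY CLAMD:", *row)
```
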