More antivirus fun...

Shawn Iverson iversons at rushville.k12.in.us
Mon Feb 25 23:53:19 UTC 2019


Are the permissions the same along the entire directory tree, from /var all
the way down?

On Mon, Feb 25, 2019 at 6:50 PM Kevin Miller <kevin.miller at juneau.org>
wrote:

> They are the same:  5.509   MIME::Parser
>
>
>
>
>
> ...Kevin
>
> --
>
> Kevin Miller
>
> Network/email Administrator, CBJ MIS Dept.
>
> 155 South Seward Street
>
> Juneau, Alaska 99801
>
> Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357
>
>
>
> *From:* MailScanner [mailto:mailscanner-bounces+kevin.miller=
> juneau.org at lists.mailscanner.info] *On Behalf Of *Shawn Iverson via
> MailScanner
> *Sent:* Monday, February 25, 2019 2:01 PM
> *To:* MailScanner Discussion
> *Cc:* Shawn Iverson
> *Subject:* Re: More antivirus fun...
>
>
>
> The error message is pretty generic....could be it is not parsing
> properly, or can't write the file after parsing, or can't open the
> directory, or can't access the file...also add in the fact that MailScanner
> keeps the files very briefly and dumps them after scanning...
>
>
>
> The neicar.com is created as an attachment to the test message during
> MailScanner lint testing and subsequently parsed as a regular message.  The
> n is just a prefix added as part of the disarming process.
>
>
>
> Are the versions of MIME::Parser the same on all the hosts?
>
>
>
> On Mon, Feb 25, 2019 at 3:33 PM Shawn Iverson <
> iversons at rushville.k12.in.us> wrote:
>
> Is the clam user in the mtagroup on all hosts?
>
>
>
> On Mon, Feb 25, 2019 at 3:30 PM Kevin Miller <kevin.miller at juneau.org>
> wrote:
>
> Following up on last week's upgrades.
>
> To wit, on a couple of my hosts clamd is working as advertised.  On a
> couple others, it's only partially working.  I ran MailScanner --lint on a
> fully working box, mxt, and a partially working box, mx1 and compared the
> /var/log/clamav/clamav.log files.
>
> mxt:
> Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
> Mon Feb 25 10:47:48 2019 -> /var/spool/MailScanner/incoming/65439/1/neicar.com: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
>
> mx1:
> Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1.message: Eicar-Test-Signature(44d88612fea8a8f36de82e1278abb02f:68) FOUND
> Mon Feb 25 10:31:20 2019 -> /var/spool/MailScanner/incoming/13106/1/neicar.com: Can't open file or directory ERROR
>
> So it appears that for whatever reason "neicar.com" isn't found on mx1,
> the partially working box.  The directory is available, as evidenced by the
> first log entry.
>
> I did a "locate neicar.com" on both hosts and neither returned a location
> for that filename, but perhaps it's created on the fly by the lint process?
>
> Permissions match on both hosts.
>
> It's a puzzler...
>
> ...Kevin
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=
> juneau.org at lists.mailscanner.info] On Behalf Of Kevin Miller
> Sent: Friday, February 22, 2019 4:36 PM
> To: 'MailScanner Discussion'
> Subject: RE: More antivirus fun...
>
> Thanks – it’s much appreciated!
>
> I have my boxes upgraded to MailScanner version: 5.1.3, and Sophos is
> working just jiffy on them.
> On two (of five) however, clamd is now acting sort of goofy.  MailScanner
> --lint reports this:
>
>         Virus and Content Scanning: Starting
>         Clamd::INFECTED::Eicar-Test-Signature :: ./1/
>         Clamd::ERROR:: Can't open file or directory ERROR :: ./1/neicar.com
>         Virus Scanning: Clamd found 2 infections
>         >>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2642/1/eicar.com
>         Virus Scanning: Sophos found 1 infections
>         Infected message 1 came from 10.1.1.1
>         Virus Scanning: Found 3 viruses
>
> It's catching viruses, but note line three - for some reason it "Can't
> open file or directory ERROR :: ./1/neicar.com"
>
> The config is (or should be) the same on all the boxes.  I'm stumped.  Not
> going to worry about it until Monday (it's quitting time) and clamd seems
> to be catching the viruses so I guess it's safe to ignore for a couple days.
>
> Have a great weekend all...
>
>
> ...Kevin
>
> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=
> juneau.org at lists.mailscanner.info] On Behalf Of Shawn Iverson via
> MailScanner
> Sent: Friday, February 22, 2019 2:45 PM
> To: MailScanner Discussion
> Cc: Shawn Iverson
> Subject: Re: More antivirus fun...
>
> Kevin,
>
> You are in good hands :)
>
> My MailScanner test environment has grown to four physical hosts in a
> cluster running various distributions of MailScanner and upgrade paths :D
> I have (not kidding) about a dozen virtual machines with snapshots and now
> some LXC containers.  The goal: blow it up here first before releasing it.
>
> On Fri, Feb 22, 2019 at 6:15 PM Kevin Miller <kevin.miller at juneau.org>
> wrote:
> I should have said ramifications.  But you're quite right.  Good to know
> all the pieces are in place.
>
> I keep a test virtual Mailscanner/MailWatch/Postbox on hand for such
> purposes.  Since I can create snapshots, it's easy to start over if I
> totally bollix it up.
>
> ...Kevin
>
>
> -----Original Message-----
> From: MailScanner [mailto:mailscanner-bounces+kevin.miller=
> juneau.org at lists.mailscanner.info] On Behalf Of Mark Sapiro
> Sent: Friday, February 22, 2019 12:23 PM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: More antivirus fun...
>
> On 2/22/19 11:31 AM, Kevin Miller wrote:
> >
> > One quick question.  The upgrade process asked "Do you wish to install
> > the Sendmail::Milter interface? [yes]"  I said yes as that was the default,
> > but wasn't really sure what the implications of that are.
>
>
> The implication is should you now choose to configure the Postfix milter
> option in MailScanner, you have the necessary pieces.
>
> --
> Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
> San Francisco Bay Area, California    better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> --
> Shawn Iverson, CETL
> Director of Technology
> Rush County Schools
> 765-932-3901 option 7
> iversons at rushville.k12.in.us
>

-- 
Shawn Iverson, CETL
Director of Technology
Rush County Schools
765-932-3901 option 7
iversons at rushville.k12.in.us
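
The two checks asked about in this thread (is the scanner account in the right group, and are the permissions the same on every directory from / down) can be evaluated in one pass. The following Python helper is an added example, not code from any poster or from MailScanner; the account name and path are supplied by the operator, and it evaluates plain mode bits only.

```python
import os
import stat


def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) POSIX applies to this uid/gid set."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7


def audit_path(path, uid, gids):
    """Check every component from / down to `path`.

    Returns a list of (component, mode_string, ok). Directories need the
    search (x) bit; a final non-directory needs the read (r) bit.
    ACLs, SELinux and AppArmor are not evaluated here.
    """
    parts = [os.sep]
    for name in filter(None, os.path.abspath(path).split(os.sep)):
        parts.append(os.path.join(parts[-1], name))
    report = []
    for comp in parts:
        st = os.stat(comp)
        need = 1 if stat.S_ISDIR(st.st_mode) else 4
        ok = uid == 0 or bool(class_bits(st, uid, gids) & need)
        report.append((comp, stat.filemode(st.st_mode), ok))
    return report


def first_blocked(path, uid, gids):
    """Return the first component the account cannot pass, or None."""
    for comp, _mode, ok in audit_path(path, uid, gids):
        if not ok:
            return comp
    return None


if __name__ == "__main__":
    # Usage: script.py <account> <path>; the account name is site-specific.
    import pwd
    import sys
    pw = pwd.getpwnam(sys.argv[1])
    gids = set(os.getgrouplist(pw.pw_name, pw.pw_gid))
    for comp, mode, ok in audit_path(sys.argv[2], pw.pw_uid, gids):
        print(f"{mode} {'ok  ' if ok else 'DENY'} {comp}")
```

Because MailScanner removes the per-message files right after scanning, point it at a directory that persists, such as /var/spool/MailScanner/incoming, and compare the output between a working and a failing host.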