<div dir="ltr">Added patch for next release.</div><br><div class="gmail_quote"><div dir="ltr">On Tue, Dec 4, 2018 at 8:08 AM Nerijus Baliunas <<a href="mailto:nerijus@users.sourceforge.net">nerijus@users.sourceforge.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hello,<br>
<br>
I've got another similar problem. When scanning manually:<br>
<br>
name="message", threat="", action="", info="error reading archive"<br>
name="message » MIME » noname", threat="", action="", info="error reading archive"<br>
name="message » MIME » noname » TNEF » attachment.bin", threat="", action="", info="error reading archive"<br>
<br>
Could you please apply the following patch:<br>
<br>
--- SweepViruses.pm.orig 2018-10-26 13:46:13.000000000 +0300<br>
+++ SweepViruses.pm 2018-12-04 14:56:24.659909451 +0200<br>
@@ -1915,6 +1915,9 @@<br>
# archive damaged<br>
return 0 if $line =~ m/archive damaged/i;<br>
<br>
+ # error reading archive<br>
+ return 0 if $line =~ m/error reading archive/i;<br>
+<br>
my ($a, $b, $c, $d) = split(/,/, $line);<br>
my ($filename) = $a =~ m/\"(.*)\"/;<br>
my ($threat) = $b =~ m/\"(.*)\"/;<br>
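</blockquote><div dir="ltr">Review bot: the added return 0 if $line =~ m/error reading archive/i; tests the whole $line before the fields are split, so it also returns 0 when the phrase occurs inside name="..." (a filename taken from the message) on a line whose threat="..." is not empty. Move the check below the split and return 0 only when $threat is empty and the info field matches; the existing archive damaged check just above has the same shape and could be tightened the same way.</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">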
<br>
?<br>
<br>
Thanks,<br>
Nerijus<br>
<br>
On Fri, 12 Oct 2018 15:31:43 +0300 Nerijus Baliunas <<a href="mailto:nerijus@users.sourceforge.net" target="_blank">nerijus@users.sourceforge.net</a>> wrote:<br>
<br>
> I got the file. Here is the output of a virus:<br>
> <br>
> # /opt/eset/esets/sbin/esets_scan .<br>
> ...<br>
> name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""<br>
> ...<br>
> # echo $?<br>
> 1<br>
> <br>
> Output of false positive:<br>
> <br>
> # /opt/eset/esets/sbin/esets_scan .<br>
> ...<br>
> name="./test.zip", threat="", action="", info="archive damaged"<br>
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip", threat="", action="", info="archive damaged"<br>
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._DIN-Black.zip » ZIP » ", threat="", action="", info="archive damaged"<br>
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip", threat="", action="", info="archive damaged"<br>
> name="./test.zip » ZIP » __MACOSX/R/Typefaces/._Sanchez Light .zip » ZIP » ", threat="", action="", info="archive damaged"<br>
> ...<br>
> # echo $?<br>
> 10<br>
> <br>
> Archives are OK, I can view/extract them, so it is most probably a bug in the esets scanner itself.<br>
> Empty threat (threat="") with info="archive damaged" should probably be allowed.<br>
> <br>
> On Thu, 11 Oct 2018 08:50:31 -0400 Shawn Iverson via MailScanner <<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a>> wrote:<br>
> <br>
> > That is most likely the esets wrapper and SweepViruses.pm function failing<br>
> > to parse the output of the virus scanner properly.<br>
> > <br>
> > I would start there and run a manual scan based on the parameters in the<br>
> > wrapper against a file that triggers the problem. I would then take a look<br>
> > at the ProcessEsetsOutput function and see if the regex in there makes sense<br>
> > for the output.<br>
> > <br>
> > On Thu, Oct 11, 2018 at 5:34 AM Nerijus Baliunas <<br>
> > <a href="mailto:nerijus@users.sourceforge.net" target="_blank">nerijus@users.sourceforge.net</a>> wrote:<br>
> > <br>
> > > Hello,<br>
> > ><br>
> > > I use the latest mailscanner 5.1.1-1 with esets. It works OK, but occasionally<br>
> > > it "detects" viruses in harmless files. For example:<br>
> > ><br>
> > > Oct 11 11:55:18 mail MailScanner[3063]: New Batch: Scanning 1 messages,<br>
> > > 4623339 bytes<br>
> > > Oct 11 11:55:19 mail MailScanner[3063]: Virus and Content Scanning:<br>
> > > Starting<br>
> > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:24 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Esets::INFECTED::<br>
> > > Oct 11 11:55:25 mail MailScanner[3063]: Virus Scanning: esets found 17<br>
> > > infections<br>
> > > Oct 11 11:55:26 mail MailScanner[3063]: Infected message<br>
> > > 9231B2A14054.A15A2 came from 192.168.x.x<br>
> > > Oct 11 11:55:26 mail MailScanner[3063]: Virus Scanning: Found 17 viruses<br>
> > ><br>
> > > While a real virus output looks like this:<br>
> > > Oct 11 01:39:44 mail MailScanner[4184]: New Batch: Scanning 1 messages,<br>
> > > 2104 bytes<br>
> > > Oct 11 01:39:44 mail MailScanner[4184]: Virus and Content Scanning:<br>
> > > Starting<br>
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file<br>
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file<br>
> > > Oct 11 01:39:49 mail MailScanner[4184]: Esets::INFECTED::Eicar test file<br>
> > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: esets found 3<br>
> > > infections<br>
> > > Oct 11 01:39:49 mail MailScanner[4184]: Infected message<br>
> > > EF7F72A14053.A770C came from 5.2.x.x<br>
> > > Oct 11 01:39:49 mail MailScanner[4184]: Virus Scanning: Found 3 viruses<br>
> > ><br>
> > > How do I debug this?<br>
> > ><br>
> > > Regards,<br>
> > > Nerijus<br>
<br>
<br>
<br>
-- <br>
MailScanner mailing list<br>
<a href="mailto:mailscanner@lists.mailscanner.info" target="_blank">mailscanner@lists.mailscanner.info</a><br>
<a href="http://lists.mailscanner.info/mailman/listinfo/mailscanner" rel="noreferrer" target="_blank">http://lists.mailscanner.info/mailman/listinfo/mailscanner</a><br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr">Shawn Iverson, CETL<div>Director of Technology</div><div>Rush County Schools</div><div>765-932-3901 option 7</div><div><a href="mailto:iversons@rushville.k12.in.us" target="_blank">iversons@rushville.k12.in.us</a></div><div><br></div><div><img src="https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_cy1OZFNIZ0drYVU&revid=0Bw5iD0ToYvs_UitIcHVIWkJVVTl2VGpxVUE0d0FQcHBIRXk4PQ" width="96" height="96" style="font-size: 12.8px;"><img src="https://docs.google.com/uc?export=download&id=0Bw5iD0ToYvs_Zkh4eEs3R01yWXc&revid=0Bw5iD0ToYvs_QWpBK2Y2ajJtYjhOMDRFekZwK2xOamk5Q3Y0PQ" width="89" height="96"></div><div><img src="https://docs.google.com/uc?export=download&id=1aBrlQou4gjB04FY-twHN_0Dn3GHVNxqa&revid=0Bw5iD0ToYvs_RnQ0eDhHcm95WHBFdkNRbXhQRXpoYkR6SEEwPQ" style="font-size: 12.8px;"><br></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
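Added example, not part of the thread and not MailScanner's own code: a field-aware classifier for the esets_scan result lines quoted above, which treats a line as benign only when threat is empty and info is one of the two archive-error strings reported in this thread. The sub name classify_esets_line, the 'unknown' state and the sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;
binmode(STDOUT, ':encoding(UTF-8)');

# Hypothetical helper, not MailScanner's ProcessEsetsOutput.
# info= values that this thread reports together with an empty threat.
my @BENIGN_INFO = ('archive damaged', 'error reading archive');

# Returns 'skip' (not a result line), 'benign', 'infected' or 'unknown'.
sub classify_esets_line {
    my ($line) = @_;
    # Anchor on the three trailing fields; the greedy name capture absorbs
    # commas, quotes or the benign phrases if they occur in the file name.
    my ($name, $threat, $action, $info) = $line =~
        m/^name="(.*)", threat="([^"]*)", action="([^"]*)", info="([^"]*)"\s*$/
        or return 'skip';
    # A named threat always wins, whatever the other fields say.
    return 'infected' if length $threat;
    # Empty threat plus a known archive-error note: scanner could not read it.
    return 'benign' if grep { lc($info) eq $_ } @BENIGN_INFO;
    # Empty threat with an unrecognised note: leave the decision to the caller.
    return 'unknown';
}

# Constructed sample lines in the format quoted in this thread.
my @samples = (
    'name="./eicar", threat="Eicar test file", action="cleaned by deleting", info=""',
    'name="./test.zip » ZIP » a.zip", threat="", action="", info="archive damaged"',
    'name="message » MIME » noname", threat="", action="", info="error reading archive"',
    'name="./error reading archive.txt", threat="Eicar test file", action="", info=""',
    'name="./a,b.doc", threat="", action="", info="some other note"',
    'constructed line that is not a scan result',
);

printf "%-8s %s\n", classify_esets_line($_), $_ for @samples;
```

The fourth sample is the case a whole-line match on the phrase would drop; here it is still classified as infected because the decision is made on the threat and info fields only.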