Discussion:
Mailscanner / Sophos does not block viruses
ci
2013-11-07 11:45:04 UTC
Hello,

we are running Mailscanner with Sophos Antivirus as virus scanner.
So far it's working, but Mailscanner does not block the attachment.
I made sure that sophos-wrapper is executed by Mailscanner. The
resulting sophos command line scans and detects files in the spool
directory and delivers exit status > 0.

Mailscanner notices that the mail is infected. The admin gets an
information mail from Mailscanner:

------------------------------------------------------------------------
Subject: [SAV-LINUX] Threat detected during on-demand scan on <mailserver>
To: admin at domain.tld

A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/10458/1VeN1P-0002nK-8i/neicar.txt is infected
with EICAR-AV-Test.
------------------------------------------------------------------------

The mail reaches the recipient *with* eicar still attached.

What's going wrong here?


Greetings,
--
R. Cirksena <ci at holmco.de>
Arjan Melein
2013-11-07 12:33:10 UTC
Check the config if it says:

Deliver Disinfected Files = no
Still Deliver Silent Viruses = no

That's pretty much all I can come up with right now.

-
Arjan
Post by ci
Hello,
we are running Mailscanner with Sophos Antivirus as virus scanner.
So far it's working, but Mailscanner does not block the attachment.
I made sure that sophos-wrapper is executed by Mailscanner. The
resulting sophos command line scans and detects files in the spool
directory and delivers exit status > 0.
Mailscanner notices that the mail is infected. The admin gets
------------------------------------------------------------------------
Subject: [SAV-LINUX] Threat detected during on-demand scan on <mailserver>
To: admin at domain.tld
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/10458/1VeN1P-0002nK-8i/neicar.txt is infected
with EICAR-AV-Test.
------------------------------------------------------------------------
The mail reaches the recipient *with* eicar still attached.
What's going wrong here?
Greetings,
--
R. Cirksena <ci at holmco.de>
ci
2013-11-07 13:37:38 UTC
Post by Arjan Melein
Deliver Disinfected Files = no
Still Deliver Silent Viruses = no
Thank you, but that's already set to "no".


Greetings,
--
R. Cirksena <ci at holmco.de>
Jerry Benton
2013-11-07 12:39:47 UTC
Check: Quarantine Infections in /etc/MailScanner/MailScanner.conf
Post by ci
Hello,
we are running Mailscanner with Sophos Antivirus as virus scanner.
So far it's working, but Mailscanner does not block the attachment.
I made sure that sophos-wrapper is executed by Mailscanner. The
resulting sophos command line scans and detects files in the spool
directory and delivers exit status > 0.
Mailscanner notices that the mail is infected. The admin gets
------------------------------------------------------------------------
Subject: [SAV-LINUX] Threat detected during on-demand scan on <mailserver>
To: admin at domain.tld
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/10458/1VeN1P-0002nK-8i/neicar.txt is infected
with EICAR-AV-Test.
------------------------------------------------------------------------
The mail reaches the recipient *with* eicar still attached.
What's going wrong here?
Greetings,
--
R. Cirksena <ci at holmco.de>
--
Jerry Benton
Mailborder Systems
www.mailborder.com
ci
2013-11-07 13:38:50 UTC
Post by Jerry Benton
Check: Quarantine Infections in /etc/MailScanner/MailScanner.conf
Setting is:

Quarantine Infections = yes

Seems to be o.k.


Greetings,
--
R. Cirksena <ci at holmco.de>
Mark Sapiro
2013-11-08 02:00:31 UTC
Post by ci
Post by Jerry Benton
Check: Quarantine Infections in /etc/MailScanner/MailScanner.conf
Quarantine Infections = yes
Seems to be o.k.
Have you also checked all the included files in /etc/MailScanner/conf.d/?

What does 'MailScanner --lint' report?
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
ci
2013-11-08 06:44:21 UTC
Post by Mark Sapiro
Have you also checked all the included files in /etc/MailScanner/conf.d/?
The directory is empty. Mailscanner is set up to use a monolithic
configuration file.
Post by Mark Sapiro
What does 'MailScanner --lint' report?
------------------------------------------------------------------------
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Read 858 hostnames from the phishing whitelist
Read 5500 hostnames from the phishing blacklists

Checking version numbers...
Version number in MailScanner.conf (4.79.11) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to (102)
MailScanner setting UID to (100)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
bayes: cannot write to /var/lib/MailScanner/bayes_journal, bayes db
update ignored: Permission denied
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 30 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: clamav, sophos
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================

If any of your virus scanners (clamav,sophos)
are not listed there, you should check that they are installed
correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.
------------------------------------------------------------------------

Looks good so far (?).


Greetings,
--
R. Cirksena
Mark Sapiro
2013-11-08 16:06:47 UTC
Post by ci
Post by Mark Sapiro
What does 'MailScanner --lint' report?
Checking version numbers...
Version number in MailScanner.conf (4.79.11) is correct.
Current version is 4.84.6. 4.79.11 is almost 4 years old. There's
nothing specific about this issue at
<http://www.mailscanner.info/ChangeLog>, but upgrading may help.
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
ci
2013-11-11 09:01:23 UTC
Post by Mark Sapiro
Current version is 4.84.6. 4.79.11 is almost 4 years old. There's
nothing specific about this issue at
<http://www.mailscanner.info/ChangeLog>, but upgrading may help.
It's the latest stable version for Debian (as linked from
mailscanner.info). Debian is the distribution we use for our mail
server. I hope that critical updates have been backported to the
Debian package.

Here are a few log entries of my eicar test mail:

mail.log:

Nov 11 09:49:02 mail MailScanner[27197]: New Batch: Scanning 1 messages, 1281 bytes
Nov 11 09:49:02 mail MailScanner[27197]: Virus and Content Scanning: Starting
Nov 11 09:49:09 mail MailScanner[27197]: Delivery of nonspam: message 1VfnB6-00076E-DC from ci at holmco.de to ci at holmco.de with subject eicar
Nov 11 09:49:09 mail MailScanner[27197]: Uninfected: Delivered 1 messages
Nov 11 09:49:09 mail MailScanner[27197]: Deleted 1 messages from processing-database

exim mainlog:

2013-11-11 09:49:00 1VfnB6-00076E-DC <= ci at holmco.de H=(xxx.domain.tld) [IP] P=esmtp S=907 id=20131111084900.GB19422 at xxx.domain.tld T="eicar" from <ci at holmco.de> for ci at holmco.de
2013-11-11 09:49:10 1VfnB6-00076E-DC => ci <ci at holmco.de> F=<ci at holmco.de> R=procmail T=procmail_pipe S=1351 QT=10s DT=1s
2013-11-11 09:49:10 1VfnB6-00076E-DC Completed QT=10s


Sophos mails the administrator that it has detected a virus:
------------------------------------------------------------------------
A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/27197/1VfnB6-00076E-DC/neicar.txt is infected with EICAR-AV-Test.
------------------------------------------------------------------------

But mailscanner delivers the mail stating it's "uninfected".
What is going wrong?


Greetings,
--
R. Cirksena
Antony Stone
2013-11-11 09:54:08 UTC
Post by Mark Sapiro
Current version is 4.84.6. 4.79.11 is almost 4 years old. There's
nothing specific about this issue at
<http://www.mailscanner.info/ChangeLog>, but upgrading may help.
It's the latest stable version for Debian (as linked from
mailscanner.info). Debian is the distribution we use for our mail
server. I hope that critical updates have been backported to the
Debian package.
According to http://packages.debian.org/search?keywords=mailscanner there is
no mailscanner package for the current Debian stable release (wheezy).

Version 4.79.11 is for Oldstable (squeeze), and is therefore not only an old
version of Mailscanner, but also for an old version of Debian.

The Debian package maintainer appears to be simon.walter at hp-factory.de - you
might want to ask him about plans for a release for Debian stable, and/or
whether critical updates get backported.


Regards,


Antony.
--
There's no such thing as bad weather - only the wrong clothes.

- Billy Connolly

Please reply to the list;
please don't CC me.
Mark Sapiro
2013-11-11 18:04:19 UTC
Post by ci
Post by Mark Sapiro
What does 'MailScanner --lint' report?
...
Post by ci
MailScanner.conf says "Virus Scanners = sophos"
Found these virus scanners installed: clamav, sophos
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
===========================================================================
If any of your virus scanners (clamav,sophos)
are not listed there, you should check that they are installed
correctly
and that MailScanner is finding them correctly via its
virus.scanners.conf.
------------------------------------------------------------------------
Looks good so far (?).
Actually not. The above should look like (with sophos instead of Clamd)

===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners ...

It seems from your other posts that sophos is being properly invoked and
detects the infection as it mails the admin about it, but the detection
is not being picked up by MailScanner.

What do you have in the "Options specific to Sophos Anti-Virus" section
of MailScanner.conf? In particular,

Allowed Sophos Error Messages =
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
ci
2013-11-12 07:33:22 UTC
[output of MailScanner --lint]
Actually not. The above should look like (with sophos instead of Clamd)
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Clamd said "eicar.com was infected: Eicar-Test-Signature"
If any of your virus scanners ...
It seems from your other posts that sophos is being properly invoked and
detects the infection as it mails the admin about it, but the detection
is not being picked up by MailScanner.
What do you have in the "Options specific to Sophos Anti-Virus" section
of MailScanner.conf? In particular,
Allowed Sophos Error Messages =
It is:
Allowed Sophos Error Messages =

(no value)


Greetings,
--
R. Cirksena
ci
2013-11-14 09:08:09 UTC
Post by Mark Sapiro
Actually not. The above should look like (with sophos instead of Clamd)
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Clamd said "eicar.com was infected: Eicar-Test-Signature"
If any of your virus scanners ...
It seems from your other posts that sophos is being properly invoked and
detects the infection as it mails the admin about it, but the detection
is not being picked up by MailScanner.
What do you have in the "Options specific to Sophos Anti-Virus" section
of MailScanner.conf? In particular,
Allowed Sophos Error Messages =
I installed and activated clamav to see if it is an issue with
Mailscanner itself or with calling the virus scanner. In short:
clamav works, the attachment (eicar) has been removed from the
"infected" mail:

Part of MailScanner --lint:
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
./1/eicar.com: Eicar-Test-Signature FOUND

Virus Scanning: ClamAV found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

mail.log:
------------------------------------------------------------------------
Nov 14 09:50:40 mail MailScanner[22738]: Virus and Content Scanning: Starting
Nov 14 09:50:54 mail MailScanner[22725]: ./1Vgsd5-0006tl-Ja/eicar.txt: Eicar-Test-Signature FOUND
Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: ClamAV found 1 infections
Nov 14 09:50:54 mail MailScanner[22725]: Infected message 1Vgsd5-0006tl-Ja came from xxx.xxx.xxx.xxx
Nov 14 09:50:54 mail MailScanner[22725]: Virus Scanning: Found 1 viruses
Nov 14 09:50:54 mail MailScanner[22725]: Saved entire message to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja
Nov 14 09:50:55 mail MailScanner[22725]: Saved infected "eicar.txt" to /var/spool/MailScanner/quarantine/20131114/1Vgsd5-0006tl-Ja
Nov 14 09:50:55 mail MailScanner[22725]: Delivery of nonspam: message 1Vgsd5-0006tl-Ja from ci at holmco.de to ci at holmco.de with subject eicar
Nov 14 09:50:55 mail MailScanner[22725]: Cleaned: Delivered 1 cleaned messages
Nov 14 09:50:55 mail MailScanner[22725]: Notices: Warned about 1 messages
Nov 14 09:50:55 mail MailScanner[22725]: Deleted 1 messages from processing-database
------------------------------------------------------------------------

I hope it's o.k. that just clamav scans the mail? Is it correct that,
as clamav did remove the attachment, sophos does not see the
infection?

What can I do to get Mailscanner working with sophos?


Greetings,
--
R. Cirksena
Mark Sapiro
2013-11-15 01:47:04 UTC
Post by ci
I hope it's o.k. that just clamav scans the mail? Is it correct that,
as clamav did remove the attachment, sophos does not see the
infection?
Based on what you've previously posted, MailScanner invoked sophos and
sophos saw the infection. We know this because sophos emailed the admin
about the infection.

The problem is MailScanner is not getting or recognizing the report from
sophos.
Post by ci
What can I do to get Mailscanner working with sophos?
MailScanner looks for various specific patterns on the output from
sophos. See sub ProcessSophosOutput at about line 1764 in
/usr/lib/MailScanner/MailScanner/SweepViruses.pm


What version of sophos do you have?
What output do you get if you manually run sophos on an infected file?
--
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
ci
2013-11-15 07:44:54 UTC
Post by Mark Sapiro
Based on what you've previously posted, MailScanner invoked sophos and
sophos saw the infection. We know this because sophos emailed the admin
about the infection.
The problem is MailScanner is not getting or recognizing the report from
sophos.
Yes.
Post by Mark Sapiro
MailScanner looks for various specific patterns on the output from
sophos. See sub ProcessSophosOutput at about line 1764 in
/usr/lib/MailScanner/MailScanner/SweepViruses.pm
That is part of the solution. Someone (not me!) set locale to German.
I corrected that now.
To be sure I added "export LC_ALL=en_GB" at the beginning of
/etc/MailScanner/wrapper/sophos-wrapper.
Post by Mark Sapiro
What version of sophos do you have?
Product version : 4.94.0
Engine version : 3.48.0
Virus data version : 4.95
User interface version : 2.03.048
Platform : Linux/Intel
Released : 13 November 2013
Total viruses (with IDEs) : 5980697
Post by Mark Sapiro
What output do you get if you manually run sophos on an infected file?
from "savscan eicar.txt":

(...long list of .ide...)
Verwende IDE Datei age-aess.ide
Verwende IDE Datei age-aest.ide
Verwende IDE Datei vb-gwy.ide

Normale Überprüfung
>>> Virus 'EICAR-AV-Test' gefunden in Datei /usr/local/src/eicar.txt
1 Datei überprüft in 6 Sekunden.
1 Virus wurde gefunden.
1 Datei von 1 war infiziert.
Wenn Sie weitere Unterstützung zu Erkennungen benötigen, rufen Sie bitte unser
Threat Center unter http://www.sophos.com/de-de/threat-center.aspx auf.
Ende von Scan.

After changing locale (see above) it is:

(...long list of .ide...)
Using IDE file age-aesq.ide
Using IDE file age-aess.ide
Using IDE file age-aest.ide
Using IDE file vb-gwy.ide

Quick Scanning
>>> Virus 'EICAR-AV-Test' found in file eicar.txt
1 file scanned in 6 seconds.
1 virus was discovered.
1 file out of 1 was infected.
If you need further advice regarding any detections please visit our
Threat Center at: http://www.sophos.com/en-us/threat-center.aspx
End of Scan.

Seems that the problem is solved. Thank you and greetings from Berlin
to San Francisco.
--
R. Cirksena
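The failure mode in this thread, as an added example that is not MailScanner's or Sophos's code: a small Python parser that, like the pattern matching Mark points to in ProcessSophosOutput (the real Perl is not copied here), only knows the English savscan wording, run over constructed samples modelled on the two outputs quoted above. The ">>> " marker in front of the detection line and exit status 3 as Sophos's code for "virus found" are assumptions; the point is that a report the parser cannot read must not be delivered as "uninfected".

```python
import re

# Constructed samples modelled on the German and English savscan runs
# quoted in the thread (IDE list trimmed); the ">>> " marker is assumed.
GERMAN_OUTPUT = """Verwende IDE Datei vb-gwy.ide

Normale Überprüfung
>>> Virus 'EICAR-AV-Test' gefunden in Datei /usr/local/src/eicar.txt
1 Datei überprüft in 6 Sekunden.
1 Virus wurde gefunden.
1 Datei von 1 war infiziert.
Ende von Scan.
"""
ENGLISH_OUTPUT = """Using IDE file vb-gwy.ide

Quick Scanning
>>> Virus 'EICAR-AV-Test' found in file eicar.txt
1 file scanned in 6 seconds.
1 virus was discovered.
1 file out of 1 was infected.
End of Scan.
"""
CLEAN_OUTPUT = """Quick Scanning
1 file scanned in 1 second.
No viruses were discovered.
End of Scan.
"""

# English-only patterns, the way a locale-dependent parser reads savscan
DETECT_RE = re.compile(r"^>>> Virus '([^']+)' found in file (.+)$")
SUMMARY_RE = re.compile(r"^(\d+) virus(?:es)? (?:was|were) discovered\.$")


def parse_savscan(output):
    """Return ([(path, virus_name), ...], summary_count or None)."""
    infections, summary = [], None
    for line in output.splitlines():
        m = DETECT_RE.match(line)
        if m:
            infections.append((m.group(2), m.group(1)))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = int(m.group(1))
    return infections, summary


def classify(output, exit_status):
    """Combine the parsed report with savscan's exit status (3 assumed to
    mean 'virus found'). Returns 'infected', 'clean' or 'unparsed'; the
    last is the locale trap: the scanner flagged something but the English
    patterns matched nothing, so the message is not provably clean."""
    infections, summary = parse_savscan(output)
    if infections:
        return "infected"
    flagged = exit_status == 3 or any(
        line.startswith(">>> ") for line in output.splitlines())
    if flagged or (summary is not None and summary > 0):
        return "unparsed"
    return "clean"
```

With the German output the parser sees no detection at all, which is exactly the "Uninfected: Delivered 1 messages" log line above; forcing LC_ALL in the wrapper makes the wording match again.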
ci
2013-11-15 09:16:35 UTC
Post by ci
That is part of the solution. Someone (not me!) set locale to German.
I corrected that now.
To be sure I added "export LC_ALL=en_GB" at the beginning of
/etc/MailScanner/wrapper/sophos-wrapper.
It seems to be necessary to nail locale to en_GB in the wrapper
script.


Greetings,
--
R. Cirksena