amavisd, McAfee uvscan with/without --mime

2003-06-12
  • Oliver Rutsch

    Hi,

    We're using amavisd 0.1 with postfix 20010228 on SuSE Linux 7.0 and McAfee uvscan (engine 4.24).

    If I try the unmodified amavisd-test daemon with make check, I get the following output:

    Jun 12 12:21:55 post amavisd-test[20333]: enter accept loop
    Jun 12 12:21:55 post amavisd-test[20387]: forked off -- child running...
    Jun 12 12:21:55 post amavisd-test[20387]: /tmp/amavis/amavis-XXJxjDxe: from=<root@post>, to=<root@post>
    Jun 12 12:21:55 post amavisd-test[20387]: Extracting mime components
    Jun 12 12:21:55 post amavisd-test[20387]: Level: 1, parts: 2
    Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 0
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of msg-20387-1.txt: ASCII text
    Jun 12 12:21:55 post amavisd-test[20387]: msg-20387-1.txt is atomic
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of msg-20387-2.arc: ARC archive data, packed
    Jun 12 12:21:55 post amavisd-test[20387]: Unarcing msg-20387-2.arc
    Jun 12 12:21:55 post amavisd-test[20387]: Level: 2, parts: 2
    Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 1
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00001: Zoo archive data, v2.10, modify: v2.0+, extract: v1.0+
    Jun 12 12:21:55 post amavisd-test[20387]: Expanding ZOO archive part-00001
    Jun 12 12:21:55 post amavisd-test[20387]: Level: 3, parts: 2
    Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 2
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00002: LHarc 1.x archive data [lh0]
    Jun 12 12:21:55 post amavisd-test[20387]: Expanding LHA archive part-00002
    Jun 12 12:21:55 post amavisd-test[20387]: Level: 4, parts: 2
    Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 3
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00003: ARJ archive data, v8, slash-switched, original name: TEST.ARJ, os: MS-DOS
    Jun 12 12:21:55 post amavisd-test[20387]: Expanding ARJ archive part-00003
    Jun 12 12:21:55 post amavisd-test[20387]: Level: 5, parts: 2
    Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 4
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00004: RAR archive data
    Jun 12 12:21:55 post amavisd-test[20387]: Expanding RAR archive part-00004
    Jun 12 12:21:55 post amavisd-test[20387]: Level: 6, parts: 2
    Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 5
    Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00005: <headHTML document text
    Jun 12 12:21:55 post amavisd-test[20387]: part-00005 is atomic
    Jun 12 12:21:55 post amavisd-test[20387]: Using /usr/local/bin/uvscan
    Jun 12 12:21:56 post amavisd-test[20387]: Scanning /tmp/amavis/amavis-XXJxjDxe/parts/*
    Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/msg-20387-1.txt
    Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/part-00005

    Summary report on /tmp/amavis/amavis-XXJxjDxe/parts/*
    File(s)
            Total files: ...........       2
            Clean: .................       2
            Possibly Infected: .....       0
    Jun 12 12:21:56 post amavisd-test[20387]: Testing mode - no email sent. X-Virus-Scanned: by amavisd 0.1
    Jun 12 12:21:56 post amavisd-test[20387]: do_exit:325 - ending execution with 0

    If I add the --mime option for uvscan in the amavisd-test daemon, I get the following output:

    Jun 12 12:20:26 post amavisd-test[19998]: forked off -- child running...
    Jun 12 12:20:26 post amavisd-test[19998]: /tmp/amavis/amavis-XXbbI2gm: from=<root@post>, to=<root@post>
    Jun 12 12:20:26 post amavisd-test[19998]: Extracting mime components
    Jun 12 12:20:26 post amavisd-test[19998]: Level: 1, parts: 2
    Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 0
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of msg-19998-1.txt: ASCII text
    Jun 12 12:20:26 post amavisd-test[19998]: msg-19998-1.txt is atomic
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of msg-19998-2.arc: ARC archive data, packed
    Jun 12 12:20:26 post amavisd-test[19998]: Unarcing msg-19998-2.arc
    Jun 12 12:20:26 post amavisd-test[19998]: Level: 2, parts: 2
    Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 1
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00001: Zoo archive data, v2.10, modify: v2.0+, extract: v1.0+
    Jun 12 12:20:26 post amavisd-test[19998]: Expanding ZOO archive part-00001
    Jun 12 12:20:26 post amavisd-test[19998]: Level: 3, parts: 2
    Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 2
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00002: LHarc 1.x archive data [lh0]
    Jun 12 12:20:26 post amavisd-test[19998]: Expanding LHA archive part-00002
    Jun 12 12:20:26 post amavisd-test[19998]: Level: 4, parts: 2
    Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 3
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00003: ARJ archive data, v8, slash-switched, original name: TEST.ARJ, os: MS-DOS
    Jun 12 12:20:26 post amavisd-test[19998]: Expanding ARJ archive part-00003
    Jun 12 12:20:26 post amavisd-test[19998]: Level: 5, parts: 2
    Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 4
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00004: RAR archive data
    Jun 12 12:20:26 post amavisd-test[19998]: Expanding RAR archive part-00004
    Jun 12 12:20:26 post amavisd-test[19998]: Level: 6, parts: 2
    Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 5
    Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00005: <headHTML document text
    Jun 12 12:20:26 post amavisd-test[19998]: part-00005 is atomic
    Jun 12 12:20:26 post amavisd-test[19998]: Using /usr/local/bin/uvscan
    Jun 12 12:20:27 post amavisd-test[19998]: Scanning /tmp/amavis/amavis-XXbbI2gm/parts/*
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/msg-19998-1.txt
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2
    Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2/EICAR.COM
    /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2/EICAR.COM
            Found: EICAR test file NOT a virus.

    Summary report on /tmp/amavis/amavis-XXbbI2gm/parts/*
    File(s)
            Total files: ...........       9
            Clean: .................       8
            Possibly Infected: .....       1
    Jun 12 12:20:27 post amavisd-test[19998]: do_exit:548 - ending execution with 0
    Jun 12 12:20:27 post amavisd-test[19998]: socket shut down

    Does that mean that uvscan doesn't recognize the eicar test file in the first case? Do I always have to supply --mime to uvscan? If so, I think it should be added to amavis and amavisd.

    Any suggestions?

    Bye, Oliver.
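As an added example (not part of the post, and not amavisd's or uvscan's own code), a small Python parser for the uvscan report format quoted above: it pairs each "Found:" line with the path printed before it, reads the three summary counters, cross-checks them, and measures how many container layers deep a detection sits below the parts directory. The sample reports are constructed from the two runs quoted in the post; the function names are this example's own.

```python
import re

# Constructed from the --mime run quoted in the post (abridged to the relevant lines).
SAMPLE_MIME_REPORT = """\
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/msg-19998-1.txt
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2/EICAR.COM
/tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2/EICAR.COM
        Found: EICAR test file NOT a virus.

Summary report on /tmp/amavis/amavis-XXbbI2gm/parts/*
File(s)
        Total files: ...........       9
        Clean: .................       8
        Possibly Infected: .....       1
"""

# Constructed from the run without --mime: two files, nothing found.
SAMPLE_PLAIN_REPORT = """\
Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/msg-20387-1.txt
Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/part-00005

Summary report on /tmp/amavis/amavis-XXJxjDxe/parts/*
File(s)
        Total files: ...........       2
        Clean: .................       2
        Possibly Infected: .....       0
"""

FOUND_RE = re.compile(r"^\s+Found:\s+(.*)$")
SUMMARY_RE = re.compile(r"^\s*(Total files|Clean|Possibly Infected):\s*\.*\s*(\d+)\s*$")

def parse_uvscan_report(text):
    """Return ([(path, description), ...], {counter: value}) from a uvscan report."""
    detections, totals, last_path = [], {}, None
    for line in text.splitlines():
        if line.startswith("Scanning file "):
            last_path = line[len("Scanning file "):].strip()   # path currently being scanned
        elif line.startswith("/"):
            last_path = line.strip()                           # bare path printed before "Found:"
        elif FOUND_RE.match(line):
            detections.append((last_path, FOUND_RE.match(line).group(1).strip()))
        elif SUMMARY_RE.match(line):
            key, value = SUMMARY_RE.match(line).groups()
            totals[key] = int(value)
    return detections, totals

def report_is_infected(text):
    """Decide from the report itself; raise if its counters and Found: lines disagree."""
    detections, totals = parse_uvscan_report(text)
    infected = totals.get("Possibly Infected", 0)
    if totals.get("Total files", 0) != totals.get("Clean", 0) + infected:
        raise ValueError("summary counters do not add up")
    if len(detections) != infected:
        raise ValueError("Found: lines do not match Possibly Infected count")
    return infected > 0, detections

def container_depth(path, parts_dir):
    """Number of nested containers between the parts directory and the detected file."""
    prefix = parts_dir.rstrip("/") + "/"
    if not path.startswith(prefix):
        raise ValueError("detection path lies outside the scan directory")
    return path[len(prefix):].count("/")
```

Run against the two sample reports, the --mime run yields one detection seven container layers below part-00005, while the plain run yields none with consistent counters.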