Oliver Rutsch - 2003-06-12

Hi,

We're using amavisd 0.1 with postfix 20010228 on SuSE Linux 7.0 and McAfee uvscan (engine 4.24).

If I try the unmodified amavisd-test daemon with make check, I get the following output:

Jun 12 12:21:55 post amavisd-test[20333]: enter accept loop
Jun 12 12:21:55 post amavisd-test[20387]: forked off -- child running...
Jun 12 12:21:55 post amavisd-test[20387]: /tmp/amavis/amavis-XXJxjDxe: from=<root@post>, to=<root@post>
Jun 12 12:21:55 post amavisd-test[20387]: Extracting mime components
Jun 12 12:21:55 post amavisd-test[20387]: Level: 1, parts: 2
Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 0
Jun 12 12:21:55 post amavisd-test[20387]: File-type of msg-20387-1.txt: ASCII text
Jun 12 12:21:55 post amavisd-test[20387]: msg-20387-1.txt is atomic
Jun 12 12:21:55 post amavisd-test[20387]: File-type of msg-20387-2.arc: ARC archive data, packed
Jun 12 12:21:55 post amavisd-test[20387]: Unarcing msg-20387-2.arc
Jun 12 12:21:55 post amavisd-test[20387]: Level: 2, parts: 2
Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 1
Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00001: Zoo archive data, v2.10, modify: v2.0+, extract: v1.0+
Jun 12 12:21:55 post amavisd-test[20387]: Expanding ZOO archive part-00001
Jun 12 12:21:55 post amavisd-test[20387]: Level: 3, parts: 2
Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 2
Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00002: LHarc 1.x archive data [lh0]
Jun 12 12:21:55 post amavisd-test[20387]: Expanding LHA archive part-00002
Jun 12 12:21:55 post amavisd-test[20387]: Level: 4, parts: 2
Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 3
Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00003: ARJ archive data, v8, slash-switched, original name: TEST.ARJ, os: MS-DOS
Jun 12 12:21:55 post amavisd-test[20387]: Expanding ARJ archive part-00003
Jun 12 12:21:55 post amavisd-test[20387]: Level: 5, parts: 2
Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 4
Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00004: RAR archive data
Jun 12 12:21:55 post amavisd-test[20387]: Expanding RAR archive part-00004
Jun 12 12:21:55 post amavisd-test[20387]: Level: 6, parts: 2
Jun 12 12:21:55 post amavisd-test[20387]: Archive nesting depth: 5
Jun 12 12:21:55 post amavisd-test[20387]: File-type of part-00005: \<headHTML document text
Jun 12 12:21:55 post amavisd-test[20387]: part-00005 is atomic
Jun 12 12:21:55 post amavisd-test[20387]: Using /usr/local/bin/uvscan
Jun 12 12:21:56 post amavisd-test[20387]: Scanning /tmp/amavis/amavis-XXJxjDxe/parts/*
Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/msg-20387-1.txt
Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/part-00005

Summary report on /tmp/amavis/amavis-XXJxjDxe/parts/*
File(s)
        Total files: ...........       2
        Clean: .................       2
        Possibly Infected: .....       0
Jun 12 12:21:56 post amavisd-test[20387]: Testing mode - no email sent. X-Virus-Scanned: by amavisd 0.1
Jun 12 12:21:56 post amavisd-test[20387]: do_exit:325 - ending execution with 0

If I add the --mime option for uvscan in the amavisd-test daemon, I get the following output:

Jun 12 12:20:26 post amavisd-test[19998]: forked off -- child running...
Jun 12 12:20:26 post amavisd-test[19998]: /tmp/amavis/amavis-XXbbI2gm: from=<root@post>, to=<root@post>
Jun 12 12:20:26 post amavisd-test[19998]: Extracting mime components
Jun 12 12:20:26 post amavisd-test[19998]: Level: 1, parts: 2
Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 0
Jun 12 12:20:26 post amavisd-test[19998]: File-type of msg-19998-1.txt: ASCII text
Jun 12 12:20:26 post amavisd-test[19998]: msg-19998-1.txt is atomic
Jun 12 12:20:26 post amavisd-test[19998]: File-type of msg-19998-2.arc: ARC archive data, packed
Jun 12 12:20:26 post amavisd-test[19998]: Unarcing msg-19998-2.arc
Jun 12 12:20:26 post amavisd-test[19998]: Level: 2, parts: 2
Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 1
Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00001: Zoo archive data, v2.10, modify: v2.0+, extract: v1.0+
Jun 12 12:20:26 post amavisd-test[19998]: Expanding ZOO archive part-00001
Jun 12 12:20:26 post amavisd-test[19998]: Level: 3, parts: 2
Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 2
Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00002: LHarc 1.x archive data [lh0]
Jun 12 12:20:26 post amavisd-test[19998]: Expanding LHA archive part-00002
Jun 12 12:20:26 post amavisd-test[19998]: Level: 4, parts: 2
Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 3
Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00003: ARJ archive data, v8, slash-switched, original name: TEST.ARJ, os: MS-DOS
Jun 12 12:20:26 post amavisd-test[19998]: Expanding ARJ archive part-00003
Jun 12 12:20:26 post amavisd-test[19998]: Level: 5, parts: 2
Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 4
Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00004: RAR archive data
Jun 12 12:20:26 post amavisd-test[19998]: Expanding RAR archive part-00004
Jun 12 12:20:26 post amavisd-test[19998]: Level: 6, parts: 2
Jun 12 12:20:26 post amavisd-test[19998]: Archive nesting depth: 5
Jun 12 12:20:26 post amavisd-test[19998]: File-type of part-00005: \<headHTML document text
Jun 12 12:20:26 post amavisd-test[19998]: part-00005 is atomic
Jun 12 12:20:26 post amavisd-test[19998]: Using /usr/local/bin/uvscan
Jun 12 12:20:27 post amavisd-test[19998]: Scanning /tmp/amavis/amavis-XXbbI2gm/parts/*
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/msg-19998-1.txt
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2/EICAR.COM
/tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z/test3.tar/test2.zip/TEST.TAR.GZ/test.tar/EICAR.COM.bz2/EICAR.COM
        Found: EICAR test file NOT a virus.

Summary report on /tmp/amavis/amavis-XXbbI2gm/parts/*
File(s)
        Total files: ...........       9
        Clean: .................       8
        Possibly Infected: .....       1
Jun 12 12:20:27 post amavisd-test[19998]: do_exit:548 - ending execution with 0
Jun 12 12:20:27 post amavisd-test[19998]: socket shut down

Does that mean that uvscan doesn't recognize the EICAR test file in the first case? Do I always have to supply --mime to uvscan? If so, I think it should be added to amavis and amavisd.

Any suggestions?

Bye, Oliver.
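
Added example, not part of the original post and not amavisd or uvscan code: a small Python check that reads uvscan output in the layout quoted above and reports why a known-positive test message (here EICAR) counts as missed. The sample strings are constructed by abridging the two runs in the post; the function names and the depth heuristic (path components below `parts/`) are assumptions of this example.

```python
import re

# Constructed sample input: lines abridged from the two runs quoted in the post.
WITHOUT_MIME = """\
Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/msg-20387-1.txt
Scanning file /tmp/amavis/amavis-XXJxjDxe/parts/part-00005
        Total files: ...........       2
        Clean: .................       2
        Possibly Infected: .....       0
"""
WITH_MIME = """\
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005
Scanning file /tmp/amavis/amavis-XXbbI2gm/parts/part-00005/test3.tar.Z
        Found: EICAR test file NOT a virus.
        Total files: ...........       9
        Clean: .................       8
        Possibly Infected: .....       1
"""

COUNT = re.compile(r"^\s*(Total files|Clean|Possibly Infected):\s*\.*\s*(\d+)\s*$")
FOUND = re.compile(r"^\s*Found:\s*(.+?)\s*$")
SCANNED = re.compile(r"^Scanning file (\S+)$")

def parse_uvscan(text):
    """Collect summary counters, findings and container depth from uvscan output."""
    report = {"counts": {}, "found": [], "max_depth": 0}
    for line in text.splitlines():
        if m := COUNT.match(line):
            report["counts"][m.group(1)] = int(m.group(2))
        elif m := FOUND.match(line):
            report["found"].append(m.group(1))
        elif m := SCANNED.match(line):
            # Path components below parts/: 0 means no scanned path lies inside a part.
            depth = m.group(1).split("/parts/", 1)[-1].count("/")
            report["max_depth"] = max(report["max_depth"], depth)
    return report

def check_test_run(text, expected="EICAR"):
    """Return the reasons a known-positive test message counts as missed."""
    r, problems = parse_uvscan(text), []
    if r["counts"].get("Possibly Infected", 0) == 0:
        problems.append("summary reports no infected file")
    if not any(expected in f for f in r["found"]):
        problems.append(f"no 'Found:' line naming {expected}")
    if r["max_depth"] == 0:
        problems.append("scanner did not descend into any part")
    return problems

for name, log in (("without --mime", WITHOUT_MIME), ("with --mime", WITH_MIME)):
    print(name, "->", check_test_run(log) or "test sample detected")
```

Run against a test message that is known to carry EICAR, an empty result means the scanner configuration caught it; any listed reason means the pipeline passed the sample as clean.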