Integrate Eset File Security 8.0.375.0

Post by Jakes »

Hi Everyone

I noticed ClamAV let through a few viruses. I saw the detections in the PC's ESET log, so at least the virus was detected and deleted.
First prize would be that it is detected at EFA level.

I installed ESET File Security on the EFA server, versions below (ESET changed again, so the current integration does not work):
ESET Management Agent 8.0.2216.0 / ESET File Security 8.0.375.0

The product works very well except there is no integration; the moment a virus is sent in via email, the Realtime Scanner picks it up and deletes the virus.

My idea was to exclude the path where EFA works from the Realtime scanner and set up the generic-wrapper (/usr/lib/MailScanner/wrapper/generic-wrapper)

Scan command is (https://help.eset.com/efs/8/en-US/scans.html)
/opt/eset/efs/bin/odscan --scan --profile="@In-depth scan" /path to scan/

Will the generic-wrapper use the exit codes provided by odscan and send them through to the logs?

Exit Code   Meaning
0           No threat found
1           Threat found and cleaned
10          Some files could not be scanned (may be threats)
50          Threat found
100         Error

Has anyone tried and got this working?

Thanks
Jakes

Post by markov »

Hi Jakes

I tried, but with no luck because I'm not a programmer ...

I also replied to the issue reported by flagmonkey, but got no response ...
url: https://github.com/MailScanner/v5/issues/540

It looks like he managed to get it working with the new ESET antivirus for Linux server ...

Post by Trikke »

I second this request.
Sophos Linux Free is end of life and will only last until the end of 2021. ClamAV is simply not good enough.

I got EFS working. It works from the command line, but I can't get MailScanner to recognise it is installed...
MailScanner.conf says "Virus Scanners = esets sophos clamd"
Found these virus scanners installed: sophos, clamd

Code:

/usr/lib/MailScanner/wrapper/esets-wrapper /opt/eset/efs/bin -s --profile='@In-depth scan' --ignore-exclusions /home/admin/eicar.txt

EFA 4.0.4
EFS 8.0.375.0

Post by Trikke »

Answering my own post... Getting closer

MailScanner.conf says "Virus Scanners = esets sophos clamd" 0.00013
Found these virus scanners installed: sophos, esets, clamd 0.08471
=========================================================================== 2.0E-5
Filename Checks: Windows/DOS Executable (1 eicar.com) 0.02043
Other Checks: Found 1 problems 0.00906
Virus and Content Scanning: Starting 2.0E-5
Cannot lock /var/spool/MailScanner/incoming/Locks/esetsBusy.lock, No such file or directory at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 844. 0.00059
Invalid value of environment variable MODMAPDIR. Modules cannot be loaded. 0.01547

>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/12886/1/eicar.com 6.34806
Virus Scanning: Sophos found 1 infections 0.00023
Clamd::INFECTED:: {HEX}EICAR.TEST.3.UNOFFICIAL :: ./1/eicar.com 0.10546
Virus Scanning: Clamd found 2 infections 0.08923
Infected message 1 came from 10.1.1.1 6.0E-5
Virus Scanning: Found 3 viruses

Post by Jakes »

I see Shawn Iverson has posted a patch that will get the new Eset to work.

https://github.com/MailScanner/v5/pull/558

I'm not sure how to install this patch. Any suggestions, please?

Thanks !

Post by Trikke »

I did it by hand...
Basically (assuming you have esets efs installed):

Add this line to /etc/MailScanner/virus.scanners.conf

Code:

esetsefs		/usr/lib/MailScanner/wrapper/esetsefs-wrapper		/opt/eset/efs/bin

Create this file:
/usr/lib/MailScanner/wrapper/esetsefs-wrapper
And put this into it.

Make it exec:
sudo chmod +x /usr/lib/MailScanner/wrapper/esetsefs-wrapper

Edit the file /etc/MailScanner/virus.scanners.conf As described here

Add these to /etc/sudoers.d/eFa-users (need to be root)

Code:

postfix ALL=(ALL) NOPASSWD: /opt/eset/efs/bin/odscan
postfix ALL=(ALL) NOPASSWD: /opt/eset/efs/bin/lslog

Add esetsefs to /etc/MailScanner/MailScanner.conf

Code:

Virus Scanners = sophos clamd esetsefs

Run
MailScanner --lint

MailScanner.conf says "Virus Scanners = sophos clamd esetsefs"
Found these virus scanners installed: esetsefs, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/17967/1/eicar.com
Virus Scanning: Sophos found 1 infections
Clamd::INFECTED:: {HEX}EICAR.TEST.3.UNOFFICIAL :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Esets::INFECTED::Eicar

Virus Scanning: esetsefs found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 4 viruses
===========================================================================
Virus Scanner test reports:
Sophos said ">>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/17967/1/eicar.com"
Clamd said "eicar.com was infected: {HEX}EICAR.TEST.3.UNOFFICIAL"
Esets said "found Eicar in eicar.com"

If no errors, restart mailscanner
sudo service mailscanner restart

Post by musabr187 »

Hi,

Could you please check the below issue –
MailScanner --lint

Cannot lock /var/spool/MailScanner/incoming/Locks/esetsefsBusy.lock, No such file or directory at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 866.

I have followed the above configuration which you mentioned but am unable to run the EFS 8.1.685.0 on EFA-4.

Post by Trikke »

What is in there?

Code:

ls -l /var/spool/MailScanner/incoming/Locks/
-rw------- 1 postfix postfix 52 Nov 9 13:49 esetsefsBusy.lock

Did you edit sudoers?
Add these to /etc/sudoers.d/eFa-users (need to be root)

Code:

postfix ALL=(ALL) NOPASSWD: /opt/eset/efs/bin/odscan
postfix ALL=(ALL) NOPASSWD: /opt/eset/efs/bin/lslog

Post by musabr187 »

There is no esetsefsBusy.lock file in the following path –

Code:

ls -l /var/spool/MailScanner/incoming/Locks/

I have added the mentioned lines in sudoers. Would you please share the installation steps of EFS?

Post by Trikke »

https://github.com/MailScanner/v5/issues/383

You can try (as root)

Code:

touch /var/spool/MailScanner/incoming/Locks/esetsefsBusy.lock
chown postfix:postfix /var/spool/MailScanner/incoming/Locks/esetsefsBusy.lock
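
A preflight check for the manual steps collected in the posts above (scanner entry, wrapper, sudoers lines, MailScanner.conf, lock file), as an added example that is not part of any post and not MailScanner or eFa code. The function name `efs_preflight` and its optional root-prefix and lock-owner arguments are assumptions made for illustration; the paths and lines it checks are the ones quoted in the thread.

```bash
#!/usr/bin/env bash
# Added example: verify the manual EFS/MailScanner integration steps from this thread.
# Usage: efs_preflight [ROOT] [LOCK_OWNER]
#   ROOT       hypothetical path prefix (default: empty = live system), lets the
#              check run against a constructed test tree
#   LOCK_OWNER expected owner of the lock file (default: postfix)
# Prints one line per check and returns the number of failed checks.
efs_preflight() {
  local root="${1:-}" owner="${2:-postfix}" fails=0
  local wrapper=/usr/lib/MailScanner/wrapper/esetsefs-wrapper
  local lock=/var/spool/MailScanner/incoming/Locks/esetsefsBusy.lock
  local sudoers=/etc/sudoers.d/eFa-users

  check() {  # check "description" command [args...]
    local desc="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "ok    $desc"
    else echo "FAIL  $desc"; fails=$((fails + 1)); fi
  }

  # virus.scanners.conf fields: scanner name, wrapper path, install directory
  check "virus.scanners.conf maps esetsefs to the wrapper" \
    awk -v w="$wrapper" \
      '$1=="esetsefs" && $2==w && $3=="/opt/eset/efs/bin" {f=1} END {exit !f}' \
      "$root/etc/MailScanner/virus.scanners.conf"
  check "wrapper exists and is executable" test -x "$root$wrapper"
  for bin in odscan lslog; do
    check "sudoers lets postfix run $bin without a password" \
      grep -Eq "^postfix[[:space:]]+ALL=\(ALL\)[[:space:]]+NOPASSWD:[[:space:]]*/opt/eset/efs/bin/$bin[[:space:]]*\$" \
      "$root$sudoers"
  done
  check "MailScanner.conf lists esetsefs in Virus Scanners" \
    grep -Eq '^[[:space:]]*Virus Scanners[[:space:]]*=(.*[[:space:]])?esetsefs([[:space:]]|$)' \
    "$root/etc/MailScanner/MailScanner.conf"
  check "lock file exists" test -f "$root$lock"
  check "lock file is owned by $owner" \
    sh -c '[ "$(ls -ld "$1" | awk "{print \$3}")" = "$2" ]' sh "$root$lock" "$owner"
  return "$fails"
}
```

Run as root with no arguments on the mail gateway; a non-zero return value is the number of steps still missing.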

Post by musabr187 »

MailScanner --lint

Code:

MailScanner.conf says "Virus Scanners = clamd sophos esetsefs"
Found these virus scanners installed: esetsefs, sophos, clamd
===========================================================================
Virus and Content Scanning: Starting
Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./1/
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
If any of your virus scanners (esetsefs,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.

EFS lock file issue is resolved. Sophos was working with MailScanner, but after installing EFS it's not showing on virus scanning.

Post by Trikke »

I just repeated all my steps on a fresh EFA.
It works
Virus Scanner test reports:
Esets said "found Eicar in eicar.com"
Sophos said ">>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/84075/1/eicar.com"
Clamd said "eicar.com was infected: {HEX}EICAR.TEST.3.UNOFFICIAL"
I noticed 1 error in my steps

"Edit the file /etc/MailScanner/virus.scanners.conf" As described here
should be
"Edit the file /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm"

Post by Trikke »

Sophos Linux is now retired.
A few additional things about EFS on EFA...
  • In order for EFS to function (postfix in sudoers), selinux needs to be set to "permissive", or disabled altogether
  • EFS needs to be activated with a valid license, or it will not show up in MailScanner --lint. It does show itself in its own logs though
  • The latest version of EFA (4.0.4) has support for EFS built in, except the wrapper is missing (/usr/lib/MailScanner/wrapper/esetsefs-wrapper)
Tested and working on Rocky Linux 8.5

Post by shawniverson »

I'll be fixing the missing wrapper in the next update

Post by hostgrup »

Hi;

fixing the missing wrapper in the next update waiting good antivirus esetefs

Post by Trikke »

Another one to fix :)
Detections by EFS don't show up in Top Viruses / Virus report.

Patrick

Post by shawniverson »

Thanks, I need to push another MailWatch update to get ESETS EFS to be recognized in the reports. I'll add this to my todo.

Post by mendark »

Hello,
I've installed ESET v 9.0.174.0, I have a valid trial license, and I created the esetsefsBusy.lock file, but when I run this command: MailScanner --lint I get this output:
MailScanner.conf says "Virus Scanners = clamd esetsefs"
Found these virus scanners installed: esetsefs, clamd
===========================================================================
Virus and Content Scanning: Starting
Clamd::INFECTED::{HEX}EICAR.TEST.3.UNOFFICIAL :: ./1/
Virus Scanning: Clamd found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================

I didn't see where ESET found a virus or anything else.

Can you help with this issue?

Thank you

Post by markov »

I have the exact same problem ...
I see in the ESET WebGUI that the virus was actually found and deleted.

I also found that if MailScanner Lint (Test) is started from the web GUI, only clamd is found, but if it is started from the console, both clamd and esetsefs are found.

Post by Trikke »

Just a thought...
Did you disable "real time scanning" in EFS?
Or maybe a trial license is not enough for on demand scanning.

Post by mendark »

No, all modules are enabled.
Now it's working, and MailScanner reports when it detects a virus.
You can "find" license on internet :D