Sophos AV does no more work !
- Posts: 389
- Joined: 23 Apr 2015 09:45
Hi,
I found that MailScanner no longer catches Sophos viruses; this is in an existing installation and also in a fresh install.
Here is the maillog of a working message:
2018-12-03T01:13:17.634913+01:00 EFA42 MailScanner[4191]: >>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace
2018-12-03T01:13:17.635238+01:00 EFA42 MailScanner[4191]: Virus Scanning: Sophos found 1 infections
2018-12-03T01:13:17.635417+01:00 EFA42 MailScanner[4191]: Infected message 27176108233.AC1B9 came from 82.193.37.22
2018-12-03T01:13:17.635543+01:00 EFA42 MailScanner[4191]: Virus Scanning: Found 1 viruses
Here is the maillog of a non-working message:
2018-12-17T16:21:48.334526+01:00 EFA42 MailScanner[2649]: >>> Virus 'Mal/DrodAce-A' found in file /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
2018-12-17T16:21:48.334859+01:00 EFA42 MailScanner[2649]: Virus Scanning: Sophos found 1 infections
2018-12-17T16:21:48.335071+01:00 EFA42 MailScanner[2649]: Infected message var came from
2018-12-17T16:21:48.335207+01:00 EFA42 MailScanner[2649]: Virus Scanning: Found 1 viruses
NOTE: Infected message “var” instead of the real file name!!!
This is the newest installed version:
[root@EFA41 sbin]# sweep --version
SAVScan virus detection utility
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 05:01:58 PM, System date 31 December 2018
Product version : 5.53.0
Engine version : 3.74.2
Virus data version : 5.58
User interface version : 2.03.074
Platform : Linux/AMD64
Released : 11 December 2018
Total viruses (with IDEs) : 28304428
Re: Sophos AV does no more work !
Something changed within Sophos. MailScanner lint shows a non-existing path: /var/pool/MailScanner/
Due to the lack of virus mails I do not know how to check, besides the MailScanner lint check, but I am quite sure it's related to the non-existing path and the different file name neicar.com versus eicar.com.
On the todo list for next year
Old working version 20 Nov 2018
[root@xx var]# MailScanner --lint --debug
blabla..
Version number in MailScanner.conf (5.0.7) is correct.
Your envelope_sender_header in spamassassin.conf is correct.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
Sophos said ">>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com"
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<new version>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[root@xx var]# MailScanner --lint --debug
blabla..
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/11141/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Infected message var came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
Check log
[root@xx ~]# /opt/sophos-av/bin/savlog --today --utc |grep Threat
2018-12-31 18:07:30: log.threat Threat detected in /var/spool/MailScanner/incoming/11141/1/neicar.com: EICAR-AV-Test during on-demand scan. (The file is still infected.)
[root@xx var]# sweep --version
SAVScan virus detection utility
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 07:08:24 PM, System date 31 December 2018
Product version : 5.53.0
Engine version : 3.74.2
Virus data version : 5.58
User interface version : 2.03.074
Platform : Linux/AMD64
Released : 11 December 2018
Total viruses (with IDEs) : 28304428
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: Sophos AV does no more work !
Yes, but if you invoke a scan with the new Sophos, the output is correct (spool and not pool).
- Posts: 389
- Joined: 23 Apr 2015 09:45
Also AVG doesn't work
Hi Henk,
AVG also has the (same) problem.
Install as follows:
yum install glibc.i686
wget http://download.avgfree.com/filedir/ins ... 6.i386.rpm
rpm -i avg2013flx-r3118-a6926.i386.rpm
vi /etc/MailScanner/virus.scanners.conf
avg /usr/lib/MailScanner/wrapper/avg-wrapper /usr <<<<<<< this little change
First MailScanner --lint WORKS OK
=============================
MailScanner.conf says "Virus Scanners = avg"
Found these virus scanners installed: avg, clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Avg: Virus identified EICAR_Test in eicar.com
Virus Scanning: Avg found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
Virus Scanner test reports:
Avg said "Found virus EICAR_Test in file eicar.com"
If any of your virus scanners (avg,clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Then run an avgupdate, and then MailScanner --lint is KO
=======================
MailScanner.conf says "Virus Scanners = avg"
Found these virus scanners installed: avg, clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Avg: Virus identified EICAR_Test in neicar.com
Virus Scanning: Avg found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================
If any of your virus scanners (avg,clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Note the difference "Avg: Virus identified EICAR_Test in eicar.com" and "Avg: Virus identified EICAR_Test in >>>n<<<eicar.com"
neicar is the same problem as with Sophos
Re: Sophos AV does no more work !
Hi Nicola,
I would like to know if there are members with additional scanners (besides Sophos and AVG) having the same issue.
As ClamAV is still working, there is no need to panic, but we need to solve this a.s.a.p.
Would Shawn like to comment on this?
MailScanner --version
Running on Linux 2.6.32-754.9.1.el6.x86_64 #1 SMP Thu Dec 6 08:02:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 6.10 (Final)
This is Perl version 5.010001 (5.10.1)
This is MailScanner version 5.0.7
Check:
MailScanner --lint --debug
As I lack the skills to determine the cause, a simple check on the MailScanner scripts somewhat reveals the special handling for EICAR tests.
Each scanner is handled separately:
grep -irHn 'EICAR' /usr/lib/MailScanner/MailScanner/perl/MailScanner
SweepViruses.pm:1398: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.com
SweepViruses.pm:1399: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.doc
SweepViruses.pm:1400: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.rar/eicar.com
SweepViruses.pm:1401: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.rar3a/eicar.doc
SweepViruses.pm:1402: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.rar3a/eicar.com
SweepViruses.pm:1403: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.zip/eicar.com
SweepViruses.pm:1500: #./g4UFLJR23090/Keld Jrn Simonsen: Infected: EICAR_Test_File [F-Prot]
SweepViruses.pm:1501: #./g4UFLJR23090/Keld Jrn Simonsen: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1504: #./eicar.com: Infected: EICAR_Test_File [Libra]
SweepViruses.pm:1505: #./eicar.com: Infected: EICAR Test File [Orion]
SweepViruses.pm:1506: #./eicar.com: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1507: #./eicar.doc: Infected: EICAR_Test_File [Libra]
SweepViruses.pm:1508: #./eicar.doc: Infected: EICAR Test File [Orion]
SweepViruses.pm:1509: #./eicar.doc: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1510: #[./eicar.zip] eicar.com: Infected: EICAR_Test_File [Libra]
SweepViruses.pm:1511: #[./eicar.zip] eicar.com: Infected: EICAR Test File [Orion]
SweepViruses.pm:1512: #[./eicar.zip] eicar.com: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1620: #(Real infected archive: /var/spool/MailScanner/incoming/19746/./i75EFmSZ014248/eicar.rar)
SweepViruses.pm:1743: #./1B978O-0000g2-Iq/eicar.com Virus identified EICAR_Test (+2)
SweepViruses.pm:1744: #./1B978O-0000g2-Iq/eicar.zip:\eicar.com Virus identified EICAR_Test (+2)
Message.pm:4595: # contained a virus (e.g. the text of EICAR) without any proper
MessageBatch.pm:79: # Fake a batch containing the Eicar message
MessageBatch.pm:81: $this->CreateEicarBatch();
MessageBatch.pm:1200:sub CreateEicarBatch {
MessageBatch.pm:1203: #print STDERR "Creating EICAR batch\n";
MessageBatch.pm:1232: 'Content-Type: application/octet-stream; name="eicar.com"',
MessageBatch.pm'Content-Disposition: attachment; filename="eicar.com"'
MessageBatch.pm:1248: # This is a Base64-encoded, then ROT13-encoded copy of the EICAR test string.
MessageBatch.pm:1250: my $eicarstring = "JQICVINyDRSDJmEpHScLAGDbHS4cA0AQXGq9WRIWD0SFYIAHDH5RDIWRYHSBIRyJFIWIHl1HEIAH\nYHMWGRHuWRteFPb=\n";
MessageBatch.pm:1251: $eicarstring =~ tr[a-zA-Z][n-za-mN-ZA-M]; # Undo ROT13 encoding
MessageBatch.pm:1252: print $fh $eicarstring;
ConfigDefs.pl:668:NoisyViruses Joke/ OF97/ WM97/ W97M/ eicar
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: Sophos AV does no more work !
Hi Henk,
I also use esets and it works well
Re: Sophos AV does no more work !
Did some tests to determine the source.
Check if Sophos returns the correct path/filename:
/usr/lib/MailScanner/wrapper/sophos-wrapper /opt/sophos-av /tmp -all
Quick Scanning
>>> Virus 'EICAR-AV-Test' found in file /tmp/eicar.com.txt
21 files scanned in 10 seconds.
1 virus was discovered.
1 file out of 21 was infected.
If you need further advice regarding any detections please visit our
Threat Center at: http://www.sophos.com/en-us/threat-center.aspx
End of Scan.
Same for MailScanner lint; check the log:
/opt/sophos-av/bin/savlog --today --utc |grep neicar
2019-01-03 13:33:08: log.threat Threat detected in /var/spool/MailScanner/incoming/30245/1/neicar.com: EICAR-AV-Test during on-demand scan. (The file is still infected.)
Now debug MailScanner: /usr/lib/MailScanner/MailScanner/perl/MailScanner/SweepViruses.pm, lines 1385-1390:
sub ProcessSophosOutput {
  my($line, $infections, $types, $BaseDir, $Name) = @_;
  my($report, $infected, $dot, $id, $part, @rest, $error);
  my($logout);

  print "$line"; # <<<<<< uncomment to print initial value
Results in the correct path/filename:
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/1268/1/neicar.com
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/1268/1/neicar.com
Can someone step in?
Do we need to file a bug for Mailscanner?
The fun is, nothing changed in mailscanner code since nov 2018.
zcat yum.log-20190101.gz
Dec 11 11:32:00 Updated: php-json-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:01 Updated: php-common-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:01 Updated: munin-common-2.0.43-1.el6.noarch
Dec 11 11:32:02 Updated: munin-node-2.0.43-1.el6.noarch
Dec 11 11:32:02 Updated: munin-apache-2.0.43-1.el6.noarch
Dec 11 11:32:02 Updated: munin-2.0.43-1.el6.noarch
Dec 11 11:32:03 Updated: php-cli-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:03 Updated: php-pdo-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:09 Updated: kernel-firmware-2.6.32-754.9.1.el6.noarch
Dec 11 11:32:18 Installed: kernel-2.6.32-754.9.1.el6.x86_64
Dec 11 11:32:19 Updated: php-mysqlnd-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:19 Updated: php-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-xml-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-gd-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-mbstring-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-ldap-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:29 Installed: kernel-devel-2.6.32-754.9.1.el6.x86_64
Dec 11 11:32:31 Updated: ghostscript-8.70-24.el6_10.2.x86_64
Dec 11 11:32:32 Updated: kernel-headers-2.6.32-754.9.1.el6.x86_64
Dec 11 11:37:23 Erased: kernel
Dec 11 11:37:28 Erased: kernel-devel
Dec 18 20:09:26 Installed: perl-WWW-Curl-4.09-4.el6.x86_64
Dec 18 20:09:26 Installed: openssl-perl-1.0.1e-57.el6.x86_64
Dec 22 10:42:56 Updated: ntpdate-4.2.6p5-15.el6.centos.x86_64
Dec 22 10:42:57 Updated: ntp-4.2.6p5-15.el6.centos.x86_64
Dec 22 10:42:57 Updated: remi-release-6.10-1.el6.remi.noarch
Dec 30 21:48:50 Installed: tuned-0.2.19-18.el6.noarch
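The mechanism behind the "Infected message var came from" lines, as an added example (Python, not MailScanner's own Perl): it re-implements the split MailScanner applies to Sophos's ">>> Virus ... found in file PATH" line, once with the pre-5.53 assumption that PATH is "./id/part" and once stripping the scan base directory first, run over constructed sample lines modelled on this thread's maillog and lint output. The base directory, the archive-member sample and the /tmp sample are assumptions.

```python
"""Parse Sophos 'sweep' detection lines the way MailScanner must, for both the
old relative form ("./<id>/<part>/...") and the absolute form Sophos 5.53
prints ("<base_dir>/<id>/<part>/..."), and show why the naive split yields
message id "var" for the latter.  Added example; not MailScanner code."""
import re

# One detection line: ">>> Virus 'NAME' found in file PATH"
SOPHOS_RE = re.compile(r"^>>> Virus '(?P<virus>[^']+)' found in file (?P<path>\S.*?)\s*$")

# Assumed scan directory for the samples (MailScanner's incoming dir for one
# worker process; the thread's logs show .../incoming/2649).
BASE_DIR = "/var/spool/MailScanner/incoming/2649"

# Constructed samples modelled on the thread's maillog and lint output.
SAMPLES = [
    # pre-5.53 relative form: parsed correctly by both routines
    ">>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace",
    # absolute form from the thread: the naive split reports id "var"
    ">>> Virus 'Mal/DrodAce-A' found in file "
    "/var/spool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace",
    # constructed: detection inside an archive member; the part is the archive
    ">>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/2649/1/eicar.zip/neicar.com",
    # constructed: a path outside the scan directory; the hardened parser refuses it
    ">>> Virus 'EICAR-AV-Test' found in file /tmp/eicar.com.txt",
    # summary output, not a detection: ignored by both
    "21 files scanned in 10 seconds.",
]


def _id_and_part(virus, components):
    """components is the path split on '/', expected to start [id, part, ...]."""
    if len(components) < 2 or not components[0] or not components[1]:
        return None
    return (virus, components[0], components[1])


def parse_naive(line):
    """Pre-5.53 assumption: PATH is './<id>/<part>[/...]', so drop the first
    component unconditionally.  On an absolute path the dropped component is
    the empty string before the leading '/', leaving id='var', part='spool'."""
    m = SOPHOS_RE.match(line)
    if not m:
        return None
    return _id_and_part(m.group("virus"), m.group("path").split("/")[1:])


def parse_hardened(line, base_dir):
    """Accept both forms: strip base_dir if PATH starts with it, otherwise strip
    './'.  Any other absolute path is refused rather than guessed at, so a bad
    path surfaces as a parse failure instead of a bogus message id."""
    m = SOPHOS_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    base = base_dir.rstrip("/") + "/"
    if path.startswith(base):
        rel = path[len(base):]
    elif path.startswith("./"):
        rel = path[2:]
    elif path.startswith("/"):
        return None
    else:
        rel = path
    return _id_and_part(m.group("virus"), rel.split("/"))


def audit(lines, base_dir):
    """Pair the two interpretations of every detection line, for comparison."""
    return [(line, parse_naive(line), parse_hardened(line, base_dir))
            for line in lines if SOPHOS_RE.match(line)]


if __name__ == "__main__":
    for line, naive, hardened in audit(SAMPLES, BASE_DIR):
        print(line)
        print("  naive   :", naive)
        print("  hardened:", hardened)
```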
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Sophos AV does no more work !
Hi!
Same here.
ClamD works
Esets works
Sophos fails to report and lint is not listing it.
Re: Sophos AV does no more work !
I just did a MailScanner lint test and I got an email notification; thinking about it, I have not seen a Sophos notification in a while, apart from the EICAR test just done.
For one reason or another, I have not upgraded to 3.0.2.6; I am running 3.0.2.5 and ClamD version 0.99.
Not sure if that helps; if you want another test, let me know.
A threat was detected during an on-demand scan. Details follow:
2 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/1063/1/neicar.com is infected with EICAR-AV-Test.
Product version : 5.53.0
Engine version : 3.74.2
Platform : Linux/AMD64
Released : 11 December 2018
Total viruses (with IDEs) : 28305100
ClamAV Status
Version: ClamAV 0.99.2
Virus Identities: 25298
Database Timestamp: Mon Jan 14 18:19:36 2019
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Sophos AV does no more work !
Working on this...hope to have an answer soon...
Re: Sophos AV does no more work !
Yes PLEASE
I can cook you a coffee or 2
Re: Sophos AV does no more work !
Besides lots of coffee, until there is an answer it makes sense to temporarily disable Sophos and the rule that generates the looping messages (viewtopic.php?t=3304):
--- /etc/MailScanner/conf.d/01_MailScanner.conf
#Notices To = postmaster@private.lan
#Local Postmaster = postmaster@private.lan
-Virus Scanners = clamd sophos
+Virus Scanners = clamd
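Review bot: removing sophos from "Virus Scanners" leaves clamd as the only engine on this host, so anything clamd misses now passes without a second opinion; after the change, re-run MailScanner --lint to confirm clamd is still found and active, and keep this line flagged for reverting once the SweepViruses.pm parsing fix is in, so the workaround does not quietly become permanent.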
--- /etc/mail/spamassassin/local.cf
# Add *****SPAM***** to the Subject header of spam e-mails
# rewrite_header Subject *****SPAM*****
+meta __E_LIKE_LETTER (0)
+meta __LOWER_E (0)
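Review bot: the two overrides "+meta __E_LIKE_LETTER (0)" and "+meta __LOWER_E (0)" carry no comment saying why they are zeroed; add a comment pointing at viewtopic.php?t=3304 so the next admin knows they are a temporary workaround, and run spamassassin --lint afterwards so a misspelled rule name does not pass silently.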
Re: Sophos AV does no more work !
Ummm, I don't have looping messages.
Re: Sophos AV does no more work !
Version?
Re: Sophos AV does no more work !
MailWatch for MailScanner v1.2.7-dev running on EFA-3.0.2.6
Clamav: Version: ClamAV 0.100.2
MS: 5.0.7
SpamAssassin version 3.4.1
Postfix 3.1.3
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: Sophos AV does no more work !
Hi!
After AVG fix:
Reloading MailScanner ...
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1812.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1813.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1815.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1816.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1817.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1818.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1819.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1820.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1822.
Global symbol "$notype" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1830.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
BEGIN not safe after errors--compilation aborted at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1840.
Compilation failed in require at /usr/sbin/MailScanner line 106.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 106.
I have:
my $virus = $line;
$virus =~ s/^.+\s+(.+?)$/$1/;
#print STDERR "Line: $line\n";
#print STDERR "virus = \"$virus\"\n";
my $logout = $line;
## BEGIN
# Full message scanning fix
# https://github.com/MailScanner/v5/issues/348
if ( $logout !~ /message[:\s].*(?:virus|trojan)/ ) {
$logout =~ s/\s{2,}/ /gs;
$logout =~ s/:./->/;
# Change all the spaces into / for the split coming up
# Also the second variant prepends the archive name to the
# infected filename with a:\ so we need to change that to
# something else. I chose another / so it would end up in the
# @rest wich is also why I changed the \s+ to /
# then Remove path elements before /./ leaving just id/part/rest
$line =~ s/\s+/\//g;
$line =~ s/:\\/\//g;
$line =~ s/:\//\//g; # JKF AVG8 :/ separates archives now too.
$line =~ s/\.\///;
my($id, $part, @rest) = split(/\//, $line);
$part =~ s/\t.*$//;
$part =~ s/=\>.*$//;
#print STDERR "id:$id:part = $part\n";
#print STDERR "$Name : Found virus $virus in file $part ID:$id\n";
# If avg finds both the archive and file to be infected and the file
# exists in more than one (because of SafeName) archive the archive is
# reported twice so check and make sure the archive is only reported once
my $notype = substr($part,1);
$logout =~ s/\Q$part\E/$notype/;
$logout =~ /^.+\/(.+?)\s+(.+)\s*$/;
MailScanner::Log::InfoLog("Avg: %s in %s", $2,$1);
} else {
# Parse ./id.message:/eicar.com Virus identified EICAR_Test
# Parse ./id.message Virus identified EICAR_Test
$line =~ s/\.\///;
$id = $line;
$id =~ s/^(.*)\.message.*$/$1/;
$part = $line;
$part =~ s/^.*\.message//;
$part =~ s/^:\///;
$part =~ s/\s.*$//;
if ( $part eq "" ) {
$part = "message";
$logout =~ /^.+message\s+(.+)\s*$/;
MailScanner::Log::InfoLog("Avg: %s in %s", $1,$part);
} else {
$logout =~ /^.+\/(.+?)\s+(.+)\s*$/;
MailScanner::Log::InfoLog("Avg: %s in %s", $2,$1);
}
}
my $Report = $Name . ': ' if $Name;
$Report .= "Found virus $virus in file $notype";
my $ReportPattern = quotemeta($Report);
$infections->{$id}{$part} .= "$Report\n" unless $infections->{$id}{$part} =~ /$ReportPattern/s;
$types->{$id}{$part} .= "v" unless $types->{$id}{$part}; # so we know what to tell sender
return 1;
}
Am I missing something?
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: Sophos AV does no more work !
This is NOT the AVG fix but the Sophos fix
And it works well!
Re: Sophos AV does no more work !
Umm no.
This is the AVG fix that I posted.
I applied the Sophos fix and Sophos works OK.
Re: Sophos AV does no more work !
In case you missed it: https://github.com/MailScanner/v5/pull/352
Re: Sophos AV does no more work !
Thanks for the one-liner fix
Completely off topic, but as the one-liner remark activated some presumed lost memory brain cells, it's quite strange you can trigger a long-term memory restore in just a split second, without any backup...
For those who love the early days of computing and powerful one-liners (Nibble Magazine 1980-1992, One-Liner and Two-Liner programs), it's still available, thanks to Sam Stoddard. http://www.nibblemagazine.com/nibble_disks.htm