Sophos AV does no more work !

Report bugs and workarounds
Post Reply
nicola.piazzi
Posts: 389
Joined: 23 Apr 2015 09:45

Sophos AV does no more work !

Post by nicola.piazzi »

Hi,
I found that mailscanner doesn no more catch sophos virus, this in an existing installation and also in a fresh install

Here maillog of a working message :
2018-12-03T01:13:17.634913+01:00 EFA42 MailScanner[4191]: >>> Virus 'Mal/DrodAce-A' found in file ./27176108233.AC1B9/201283765ref20181203_xls.ace
2018-12-03T01:13:17.635238+01:00 EFA42 MailScanner[4191]: Virus Scanning: Sophos found 1 infections
2018-12-03T01:13:17.635417+01:00 EFA42 MailScanner[4191]: Infected message 27176108233.AC1B9 came from 82.193.37.22
2018-12-03T01:13:17.635543+01:00 EFA42 MailScanner[4191]: Virus Scanning: Found 1 viruses

Here maillog of a non working message :
2018-12-17T16:21:48.334526+01:00 EFA42 MailScanner[2649]: >>> Virus 'Mal/DrodAce-A' found in file /var/pool/MailScanner/incoming/2649/DB73A106051.A5516/nPO-18191111060.ace
2018-12-17T16:21:48.334859+01:00 EFA42 MailScanner[2649]: Virus Scanning: Sophos found 1 infections
2018-12-17T16:21:48.335071+01:00 EFA42 MailScanner[2649]: Infected message var came from
2018-12-17T16:21:48.335207+01:00 EFA42 MailScanner[2649]: Virus Scanning: Found 1 viruses

NOTE Infected message “var” instead real file name !!!

This is newest installed version
[root@EFA41 sbin]# sweep --version
SAVScan virus detection utility
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 05:01:58 PM, System date 31 December 2018
Product version : 5.53.0
Engine version : 3.74.2
Virus data version : 5.58
User interface version : 2.03.074
Platform : Linux/AMD64
Released : 11 December 2018
Total viruses (with IDEs) : 28304428
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos AV does no more work !

Post by henk »

Something changed within Sophos. Mailscanner Lint shows a non-existing path :/var/pool/MailScanner/

Due the lack of virusmails I do not know how to check, besides the MailScanner lint check, but quite sure its related to the non-existing path
and different file name neicar.com versus eicar.com
On the todo list for next year 8-)


Old working version 20 Nov 2018
[root@xx var]#

Code: Select all

MailScanner --lint --debug
Trying to setlogsock(unix)
blabla..
Version number in MailScanner.conf (5.0.7) is correct.
Your envelope_sender_header in spamassassin.conf is correct.
Using locktype = posix
MailScanner.conf says "Virus Scanners = clamd sophos"
Found these virus scanners installed: clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"
Sophos said ">>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com"

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<new version>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[root@xx var]#

Code: Select all

MailScanner --lint --debug
Trying to setlogsock(unix)
blabla..

===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/11141/1/neicar.com
Virus Scanning: Sophos found 1 infections
Infected message 1 came from 10.1.1.1
Infected message var came from
Virus Scanning: Found 2 viruses
===========================================================================
Virus Scanner test reports:
Clamd said "eicar.com was infected: Eicar-Test-Signature"

Check log
[root@xx ~]#

Code: Select all

/opt/sophos-av/bin/savlog --today --utc |grep Threat
2018-12-31 18:07:30: log.threat Threat detected in /var/spool/MailScanner/incoming/11141/1/neicar.com: EICAR-AV-Test during on-demand scan. (The file is still infected.)


[root@xx var]#

Code: Select all

sweep --version
SAVScan virus detection utility
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.

System time 07:08:24 PM, System date 31 December 2018

Product version : 5.53.0
Engine version : 3.74.2
Virus data version : 5.58
User interface version : 2.03.074
Platform : Linux/AMD64
Released : 11 December 2018
Total viruses (with IDEs) : 28304428
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
nicola.piazzi
Posts: 389
Joined: 23 Apr 2015 09:45

Re: Sophos AV does no more work !

Post by nicola.piazzi »

Yes, but if you invoke a scan with new sophos output is correct (spool and not pool)
nicola.piazzi
Posts: 389
Joined: 23 Apr 2015 09:45

Also avg doesnt work

Post by nicola.piazzi »

Hi henk
Also AVG have (same) problem

Install so :
yum install glibc.i686
wget http://download.avgfree.com/filedir/ins ... 6.i386.rpm
rpm -i avg2013flx-r3118-a6926.i386.rpm
vi /etc/MailScanner/virus.scanners.conf
avg /usr/lib/MailScanner/wrapper/avg-wrapper /usr <<<<<<< this little change


First MailScanner --lint WORKS OK
=============================
MailScanner.conf says "Virus Scanners = avg"
Found these virus scanners installed: avg, clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Avg: Virus identified EICAR_Test in eicar.com
Virus Scanning: Avg found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
Virus Scanner test reports:
Avg said "Found virus EICAR_Test in file eicar.com"

If any of your virus scanners (avg,clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.



Then make an avgupdate and

Then MailScanner --lint KO
=======================
MailScanner.conf says "Virus Scanners = avg"
Found these virus scanners installed: avg, clamavmodule, sophos, clamd
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Avg: Virus identified EICAR_Test in neicar.com
Virus Scanning: Avg found 1 infections
Virus Scanning: Found 1 viruses
===========================================================================

If any of your virus scanners (avg,clamavmodule,sophos,clamd)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.


Note the difference "Avg: Virus identified EICAR_Test in eicar.com" and "Avg: Virus identified EICAR_Test in >>>n<<<eicar.com"

neicar is same problem of sophos
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos AV does no more work !

Post by henk »

Hi Nicola,

I would like to know if there a members with additional scanners ( besides Sophos and AVG) having the same issue.
As clamav is still working, there is no need to panic, but we need to solve this a.s.a.p.

Would Shawn like to comment on this?

Code: Select all

MailScanner --version
Running on Linux 2.6.32-754.9.1.el6.x86_64 #1 SMP Thu Dec 6 08:02:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
This is CentOS release 6.10 (Final)
This is Perl version 5.010001 (5.10.1)

This is MailScanner version 5.0.7

Check:

Code: Select all

MailScanner --lint --debug
As I miss the skills to determan the cause, a simple check on the mailscanner scripts somewhat reveals the special handling for Eicar tests:
Each scanner is handled separately:

Code: Select all

grep -irHn 'EICAR'  /usr/lib/MailScanner/MailScanner/perl/MailScanner
SweepViruses.pm:1398: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.com
SweepViruses.pm:1399: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.doc
SweepViruses.pm:1400: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.rar/eicar.com
SweepViruses.pm:1401: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.rar3a/eicar.doc
SweepViruses.pm:1402: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.rar3a/eicar.com
SweepViruses.pm:1403: #>>> Virus 'EICAR-AV-Test' found in file /root/q/qeicar/eicar.zip/eicar.com
SweepViruses.pm:1500: #./g4UFLJR23090/Keld Jrn Simonsen: Infected: EICAR_Test_File [F-Prot]
SweepViruses.pm:1501: #./g4UFLJR23090/Keld Jrn Simonsen: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1504: #./eicar.com: Infected: EICAR_Test_File [Libra]
SweepViruses.pm:1505: #./eicar.com: Infected: EICAR Test File [Orion]
SweepViruses.pm:1506: #./eicar.com: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1507: #./eicar.doc: Infected: EICAR_Test_File [Libra]
SweepViruses.pm:1508: #./eicar.doc: Infected: EICAR Test File [Orion]
SweepViruses.pm:1509: #./eicar.doc: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1510: #[./eicar.zip] eicar.com: Infected: EICAR_Test_File [Libra]
SweepViruses.pm:1511: #[./eicar.zip] eicar.com: Infected: EICAR Test File [Orion]
SweepViruses.pm:1512: #[./eicar.zip] eicar.com: Infected: EICAR-Test-File [AVP]
SweepViruses.pm:1620: #(Real infected archive: /var/spool/MailScanner/incoming/19746/./i75EFmSZ014248/eicar.rar)
SweepViruses.pm:1743: #./1B978O-0000g2-Iq/eicar.com Virus identified EICAR_Test (+2)
SweepViruses.pm:1744: #./1B978O-0000g2-Iq/eicar.zip:\eicar.com Virus identified EICAR_Test (+2)
Message.pm:4595: # contained a virus (e.g. the text of EICAR) without any proper
MessageBatch.pm:79: # Fake a batch containing the Eicar message
MessageBatch.pm:81: $this->CreateEicarBatch();
MessageBatch.pm:1200:sub CreateEicarBatch {
MessageBatch.pm:1203: #print STDERR "Creating EICAR batch\n";
MessageBatch.pm:1232: 'Content-Type: application/octet-stream; name="eicar.com"',
MessageBatch.pm:1234:'Content-Disposition: attachment; filename="eicar.com"'
MessageBatch.pm:1248: # This is a Base64-encoded, then ROT13-encoded copy of the EICAR test string.
MessageBatch.pm:1250: my $eicarstring = "JQICVINyDRSDJmEpHScLAGDbHS4cA0AQXGq9WRIWD0SFYIAHDH5RDIWRYHSBIRyJFIWIHl1HEIAH\nYHMWGRHuWRteFPb=\n";
MessageBatch.pm:1251: $eicarstring =~ tr[a-zA-Z][n-za-mN-ZA-M]; # Undo ROT13 encoding
MessageBatch.pm:1252: print $fh $eicarstring;
ConfigDefs.pl:668:NoisyViruses Joke/ OF97/ WM97/ W97M/ eicar
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
nicola.piazzi
Posts: 389
Joined: 23 Apr 2015 09:45

Re: Sophos AV does no more work !

Post by nicola.piazzi »

Hi Henk,
I also use esets and it works well
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos AV does no more work !

Post by henk »

Did some tests to determan the source.
Check if sophos returns correct path/filename

Code: Select all

/usr/lib/MailScanner/wrapper/sophos-wrapper /opt/sophos-av /tmp  -all
Quick Scanning
>>> Virus 'EICAR-AV-Test' found in file /tmp/eicar.com.txt
21 files scanned in 10 seconds.
1 virus was discovered.
1 file out of 21 was infected.
If you need further advice regarding any detections please visit our
Threat Center at: http://www.sophos.com/en-us/threat-center.aspx
End of Scan.

same for mailscanner lint and check log

Code: Select all

/opt/sophos-av/bin/savlog --today --utc |grep neicar
2019-01-03 13:33:08: log.threat Threat detected in /var/spool/MailScanner/incoming/30245/1/neicar.com: EICAR-AV-Test during on-demand scan. (The file is still infected.)

Now debug MailScanner

Code: Select all

/usr/lib/MailScanner/MailScanner/perl/MailScanner/SweepViruses.pm

Code: Select all

  1385 sub ProcessSophosOutput {
   1386   my($line, $infections, $types, $BaseDir, $Name) = @_;
   1387   my($report, $infected, $dot, $id, $part, @rest, $error);
   1388   my($logout);
   1389
   1390   print "$line";                <<<<<<     uncomment to print initial value

Results in correct path/filenamefile

Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 1 infections
>>> Virus 'EICAR-AV-Test' found in file /var/spool/MailScanner/incoming/1268/1/neicar.com
>>> Virus 'EICAR-AV-Test' found in file /var/pool/MailScanner/incoming/1268/1/neicar.com

Can someone step in? :think:
Do we need to file a bug for Mailscanner? :?:
The fun is, nothing changed in mailscanner code since nov 2018. :doh:

Code: Select all

zcat yum.log-20190101.gz

Code: Select all

Dec 11 11:32:00 Updated: php-json-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:01 Updated: php-common-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:01 Updated: munin-common-2.0.43-1.el6.noarch
Dec 11 11:32:02 Updated: munin-node-2.0.43-1.el6.noarch
Dec 11 11:32:02 Updated: munin-apache-2.0.43-1.el6.noarch
Dec 11 11:32:02 Updated: munin-2.0.43-1.el6.noarch
Dec 11 11:32:03 Updated: php-cli-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:03 Updated: php-pdo-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:09 Updated: kernel-firmware-2.6.32-754.9.1.el6.noarch
Dec 11 11:32:18 Installed: kernel-2.6.32-754.9.1.el6.x86_64
Dec 11 11:32:19 Updated: php-mysqlnd-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:19 Updated: php-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-xml-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-gd-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-mbstring-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:20 Updated: php-ldap-7.2.13-2.el6.remi.x86_64
Dec 11 11:32:29 Installed: kernel-devel-2.6.32-754.9.1.el6.x86_64
Dec 11 11:32:31 Updated: ghostscript-8.70-24.el6_10.2.x86_64
Dec 11 11:32:32 Updated: kernel-headers-2.6.32-754.9.1.el6.x86_64
Dec 11 11:37:23 Erased: kernel
Dec 11 11:37:28 Erased: kernel-devel
Dec 18 20:09:26 Installed: perl-WWW-Curl-4.09-4.el6.x86_64
Dec 18 20:09:26 Installed: openssl-perl-1.0.1e-57.el6.x86_64
Dec 22 10:42:56 Updated: ntpdate-4.2.6p5-15.el6.centos.x86_64
Dec 22 10:42:57 Updated: ntp-4.2.6p5-15.el6.centos.x86_64
Dec 22 10:42:57 Updated: remi-release-6.10-1.el6.remi.noarch
Dec 30 21:48:50 Installed: tuned-0.2.19-18.el6.noarch
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
User avatar
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Sophos AV does no more work !

Post by shawniverson »

gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

Hi!

Same here.

ClamD works
Esets works
Sophos fails to report and lint is not listing it.
thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

Re: Sophos AV does no more work !

Post by thewomble »

I just done a mailscanner lint test and I got email notification, thinking about I not seem a Sophos notification in a while apart from EICAR test just done.

Code: Select all

A threat was detected during an on-demand scan. Details follow:
2 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/1063/1/neicar.com is infected with EICAR-AV-Test.
For one reason or another, I not upgraded to 3.0.2.6, running 3.0.2.5 and I running ClamD version 0.99

Code: Select all

Product version :	5.53.0
Engine version :	3.74.2
Platform :	Linux/AMD64
Released :	11 December 2018
Total viruses (with IDEs) :	28305100

Code: Select all

ClamAV Status
Version:	ClamAV 0.99.2
Virus Identities:	25298
Database Timestamp:	Mon Jan 14 18:19:36 2019
Not sure if that helps, if you want to another test let me know.
User avatar
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Sophos AV does no more work !

Post by shawniverson »

Working on this...hope to have an answer soon...
gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

Yes PLEASE :)

I can cook you a coffee or 2 :)
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos AV does no more work !

Post by henk »

Besides lots of coffee :) , until there is an answer, it makes sense to temp disable Sophos and the rule that generates the looping messages viewtopic.php?t=3304
--- /etc/MailScanner/conf.d/01_MailScanner.conf

Code: Select all

 #Notices To = postmaster@private.lan
 #Local Postmaster = postmaster@private.lan

-Virus Scanners = clamd sophos
+Virus Scanners = clamd
--- /etc/mail/spamassassin/local.cf

Code: Select all

 #   Add *****SPAM***** to the Subject header of spam e-mails
 # rewrite_header Subject *****SPAM*****

+meta __E_LIKE_LETTER (0)
+meta __LOWER_E (0)
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

Ummm I don`t have looping messages.
henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos AV does no more work !

Post by henk »

Version?
MailWatch- MailScanner-Version-information.png
MailWatch- MailScanner-Version-information.png (16.51 KiB) Viewed 27075 times
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

MailWatch for MailScanner v1.2.7-dev running on EFA-3.0.2.6
Clamav: Version: ClamAV 0.100.2
MS: 5.0.7
SpamAssassin version 3.4.1
Postfix 3.1.3
User avatar
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Sophos AV does no more work !

Post by shawniverson »

User avatar
shawniverson
Posts: 3783
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA
Contact:

Re: Sophos AV does no more work !

Post by shawniverson »

Refactored (one liner fix):

https://github.com/MailScanner/v5/pull/353
gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

Hi!

After AVG fix:
Reloading MailScanner ...
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1812.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1813.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1815.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1816.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1817.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1818.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1819.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1820.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1822.
Global symbol "$notype" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1830.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1833.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
Global symbol "$id" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
Global symbol "$part" requires explicit package name at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1834.
BEGIN not safe after errors--compilation aborted at /usr/share/MailScanner/perl/MailScanner/SweepViruses.pm line 1840.
Compilation failed in require at /usr/sbin/MailScanner line 106.
BEGIN failed--compilation aborted at /usr/sbin/MailScanner line 106.

I have:

Code: Select all

my $virus = $line;
  $virus =~ s/^.+\s+(.+?)$/$1/;

  #print STDERR "Line: $line\n";
  #print STDERR "virus = \"$virus\"\n";
  my $logout = $line;

        ## BEGIN
        # Full message scanning fix
        # https://github.com/MailScanner/v5/issues/348
        if ( $logout !~ /message[:\s].*(?:virus|trojan)/ ) {
    $logout =~ s/\s{2,}/ /gs;
    $logout =~ s/:./->/;

    # Change all the spaces into / for the split coming up
    # Also the second variant prepends the archive name to the
    # infected filename with a:\ so we need to change that to
    # something else. I chose another / so it would end up in the
    # @rest wich is also why I changed the \s+ to /
    # then Remove path elements before /./ leaving just id/part/rest

    $line =~ s/\s+/\//g;
    $line =~ s/:\\/\//g;
    $line =~ s/:\//\//g; # JKF AVG8 :/ separates archives now too.
    $line =~ s/\.\///;
    my($id, $part, @rest) = split(/\//, $line);
    $part =~ s/\t.*$//;
    $part =~ s/=\>.*$//;
    #print STDERR "id:$id:part = $part\n";
    #print STDERR "$Name : Found virus $virus in file $part ID:$id\n";

    # If avg finds both the archive and file to be infected and the file
    # exists in more than one (because of SafeName) archive the archive is
    # reported twice so check and make sure the archive is only reported once

    my $notype = substr($part,1);
    $logout =~ s/\Q$part\E/$notype/;

    $logout =~ /^.+\/(.+?)\s+(.+)\s*$/;
    MailScanner::Log::InfoLog("Avg: %s in %s", $2,$1);
  } else {
    # Parse ./id.message:/eicar.com Virus identified EICAR_Test
    # Parse ./id.message Virus identified EICAR_Test
	$line =~ s/\.\///;
    $id = $line;
    $id =~ s/^(.*)\.message.*$/$1/;

    $part = $line;
    $part =~ s/^.*\.message//;
    $part =~ s/^:\///;
    $part =~ s/\s.*$//;
    if ( $part eq "" ) {
      $part = "message";
      $logout =~ /^.+message\s+(.+)\s*$/;
      MailScanner::Log::InfoLog("Avg: %s in %s", $1,$part);
    } else {
      $logout =~ /^.+\/(.+?)\s+(.+)\s*$/;
      MailScanner::Log::InfoLog("Avg: %s in %s", $2,$1);
    }
  }

  my $Report = $Name . ': ' if $Name;
  $Report .= "Found virus $virus in file $notype";
  my $ReportPattern = quotemeta($Report);

  $infections->{$id}{$part} .= "$Report\n" unless $infections->{$id}{$part} =~ /$ReportPattern/s;
  $types->{$id}{$part} .= "v" unless $types->{$id}{$part}; # so we know what to tell sender

  return 1;
}

Am I missing something?
nicola.piazzi
Posts: 389
Joined: 23 Apr 2015 09:45

Re: Sophos AV does no more work !

Post by nicola.piazzi »

This is NOT Avg fix but Sophos fix
And work well !
gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

Umm no.

This is AVG fix what I posted.

I applied sophos fix and sophos works OK.
gregecslo
Posts: 71
Joined: 09 Sep 2018 17:55

Re: Sophos AV does no more work !

Post by gregecslo »

henk
Posts: 518
Joined: 14 Dec 2015 22:16
Location: Netherlands
Contact:

Re: Sophos AV does no more work !

Post by henk »

Thanks for the one-liner fix :clap:

Completely off topic, but as the one-liner remark activated some presumed lost memory braincells, it's quite strange you can trigger a long term memory restore in just a split second, without any backup... :doh:
For those who love the early days of computing and powerfull oneliners (Nibble Magazine 1980-1992, One-Liner and Two-Liner programs), it's still available, thanks to Sam Stoddard. http://www.nibblemagazine.com/nibble_disks.htm
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Post Reply