
MailScanner v5
GNU General Public License v2.0

F-Secure 12 Support #553

Closed shawniverson closed 3 years ago

lheagney commented 3 years ago

Hi - Thanks for looking at this. I've updated to 5.4.1 and applied these changes. I think the entry in /etc/MailScanner/virus.scanners.conf is still wrong. This is pointing at /opt/f-secure/fsav. I've changed my local config to point at the location of my f-secure install (/opt/f-secure/linuxsecurity). I've had mixed results from this.

If I run "/usr/lib/MailScanner/wrapper/f-secure-12-wrapper /opt/f-secure/linuxsecurity /tmp/AVTEST" I get the following output:

/tmp/AVTEST/eicar_com.zip: result=infected infection=EICAR_Test_File member-name=eicar.com
/tmp/AVTEST/eicar_com.zip: action=deleted
/tmp/AVTEST/eicarcom2.zip: result=infected infection=EICAR_Test_File member-name=eicar_com.zip/eicar.com
/tmp/AVTEST/eicarcom2.zip: action=deleted
/tmp/AVTEST/eicar.com.malware: result=infected infection=EICAR_Test_File
/tmp/AVTEST/eicar.com.malware: action=deleted
/tmp/AVTEST/eicar.com.txt.malware: result=infected infection=EICAR_Test_File
/tmp/AVTEST/eicar.com.txt.malware: action=deleted

This seems to show that the wrapper detects and deletes the files containing the test EICAR virus.

If I run "MailScanner --lint" I get the following output:

Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 868 hostnames from the phishing whitelist
Read 5807 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child

Checking version numbers...
Version number in MailScanner.conf (5.4.1) is correct.

Your envelope_sender_header in spamassassin.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = f-secure-12"
Found these virus scanners installed: f-secure-12

Virus and Content Scanning: Starting

If any of your virus scanners (f-secure-12) are not listed there, you should check that they are installed correctly and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging

This doesn't seem to show any virus checking taking place. If I also send any emails via this server the EICAR reference virus files are sent as attachments and not detected as a virus. Not sure how I can debug this any further? Please let me know if there is anything else I can do to help with this.

shawniverson commented 3 years ago

I'll make some adjustments and see if I can modify the parser appropriately for the outputs.

shawniverson commented 3 years ago

@lheagney Is the linuxsecurity directory the default for version 12?

shawniverson commented 3 years ago

@lheagney also can you post the complete output from running the fsecure-12-wrapper, including any headers?

shawniverson commented 3 years ago

Need someone to test the latest changes here.

lheagney commented 3 years ago

Hi - Sorry for the late reply, swamped at work this week. As far as I can tell the "/opt/f-secure/linuxsecurity" directory is the default for fsecure-12. It is referred to as the default path for fsanalyze on P36 in https://help.f-secure.com/data/pdf/fsls64-adminguide-eng.pdf

I've installed the latest updates.

Here is all of the output from the wrapper script:

[root@valencia ~]# /usr/lib/MailScanner/wrapper/f-secure-12-wrapper /opt/f-secure/linuxsecurity /tmp/AVTEST
/tmp/AVTEST/eicar_com.zip: result=infected infection=EICAR_Test_File member-name=eicar.com
/tmp/AVTEST/eicar_com.zip: action=deleted
/tmp/AVTEST/eicarcom2.zip: result=infected infection=EICAR_Test_File member-name=eicar_com.zip/eicar.com
/tmp/AVTEST/eicarcom2.zip: action=deleted
/tmp/AVTEST/eicar.com.malware: result=infected infection=EICAR_Test_File
/tmp/AVTEST/eicar.com.malware: action=deleted
/tmp/AVTEST/eicar.com.txt.malware: result=infected infection=EICAR_Test_File
/tmp/AVTEST/eicar.com.txt.malware: action=deleted
[root@valencia ~]#

The update does not work, but I think I've found the problem. The following lines in the "f-secure-12" section of the SweepViruses.pm file are set to:


    InitParser => InitFSecure12Parser,
    ProcessOutput => ProcessFSecure12Output,

I think these should be set to:


    InitParser => \&InitFSecure12Parser,
    ProcessOutput => \&ProcessFSecure12Output,

I've tested this on my install and the "MailScanner --lint" test detects the EICAR virus:

Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 1500 hostnames from the phishing whitelist
Read 6392 hostnames from the phishing blacklists
Config: calling custom init function MailWatchLogging
MailWatch: Started MailWatch SQL Logging child

Checking version numbers...
Version number in MailScanner.conf (5.4.1) is correct.

Your envelope_sender_header in spamassassin.conf is correct.

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
SpamAssassin reported no errors.
Connected to Processing Attempts Database
Created Processing Attempts Database successfully
There are 0 messages in the Processing Attempts Database
Using locktype = posix
MailScanner.conf says "Virus Scanners = f-secure-12"
Found these virus scanners installed: f-secure-12
===========================================================================
Virus and Content Scanning: Starting
Running MailScanner Lint test
./1/neicar.com: result=infected infection=EICAR_Test_File, HASH(0x55600656f538), HASH(0x55600656f520), /var/spool/MailScanner/incoming/237351, , ./1/neicar.com: result=infected infection=EICAR_Test_File, ./1/neicar.com: result=infected infection=EICAR_Test_File
Virus Scanning: F-Secure found virus EICAR_Test_File
./1/eicar.com: result=infected infection=EICAR_Test_File
Running MailScanner Lint test
./1/neicar.com: action=deleted, HASH(0x55600656f538), HASH(0x55600656f520), /var/spool/MailScanner/incoming/237351, , ./1/neicar.com: action=deleted, ./1/neicar.com: action=deleted
Virus Scanning:  found 1 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 1 viruses
===========================================================================
Virus Scanner test reports:
./1/eicar.com said "result=infected infection=EICAR_Test_File"

If any of your virus scanners (f-secure-12)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function MailWatchLogging
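
An added example, not MailScanner's own code, showing in Perl why the `\&` matters: a dispatch-table value that is just the sub's name (a bareword or the string it becomes) cannot be called, while a code reference can. The `ProcessFSecure12Output` below is a stand-in written for this example, not the function in SweepViruses.pm, and the sample lines are constructed in the wrapper output format quoted in this thread.

```perl
#!/usr/bin/perl
# Added example (not MailScanner code): dispatch table with a bare name vs a
# code reference, exercised against constructed f-secure-12-wrapper output.
use strict;
use warnings;

# Constructed sample of wrapper output, one entry per line as in the thread.
my @sample = (
    '/tmp/AVTEST/eicar_com.zip: result=infected infection=EICAR_Test_File member-name=eicar.com',
    '/tmp/AVTEST/eicar_com.zip: action=deleted',
    '/tmp/AVTEST/clean.txt: result=clean',
);

# Stand-in for a ProcessOutput handler: recognises an "infected" line,
# records file and infection name in %$report and returns the count found.
sub ProcessFSecure12Output {
    my ($line, $report) = @_;
    return 0 unless $line =~ /^(\S+): result=infected infection=(\S+)(?: member-name=(\S+))?/;
    my ($file, $name, $member) = ($1, $2, $3);
    $report->{$file} = defined $member ? "$name in $member" : $name;
    return 1;
}

# A bare name (here written as the string it stringifies to) is not callable.
my %broken = ( ProcessOutput => 'ProcessFSecure12Output' );
# \&name yields a CODE reference to the subroutine itself.
my %fixed  = ( ProcessOutput => \&ProcessFSecure12Output );

for my $table (\%broken, \%fixed) {
    my $handler = $table->{ProcessOutput};
    unless (ref $handler eq 'CODE') {
        # This is the silent failure mode: no parser runs, nothing is detected.
        print "not a CODE reference, output would never be parsed: $handler\n";
        next;
    }
    my (%report, $found);
    $found += $handler->($_, \%report) for @sample;
    print "$found infection(s) found\n";
    print "  $_: $report{$_}\n" for sort keys %report;
}
```
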

shawniverson commented 3 years ago

Thanks for testing, rolling in fix