[Avcheck] Virus warning message

Nacho Ruiz nax@isoco.es
Tue, 14 Aug 2001 19:12:19 +0200


Hi Michael,
I sent the eicar.msg attached in your package, with the command
mail nax@hermetik.isoco.com < eicar.msg
and maillog says the same:

Aug 14 18:56:44 hermetik postfix/pipe[21232]: 0480122F84: to=<nax@hermetik.isoco.com>, relay=avcheck, delay=0, status=bounced (service unavailable. Command output: Message didn't pass the virus check: Infected by a virus )

My config is Linux Red Hat 7.0 (vmlinuz-2.4.7), postfix-20010228-pl02, avcheck-0.2.
I modified master.cf in postfix with the lines:

localhost:1025 inet  n       -       n       -       -       smtpd
    -o content_filter=
avcheck   unix  -       n       n       -       5       pipe
    user=avpc argv=/var/spool/avp/avcheck -tAVP -f ${sender}
    -d/var/spool/avp/./tst -s/var/spool/avp/ctl/AvpCtl -S :1025 -- ${recipient}

and main.cf with
content_filter = avcheck

Finally in the /etc/rc.d/init.d/postfix stop/start script I added the lines:

         /usr/local/postfix/bin/postconf -e "defer_transports = avcheck"
         /usr/local/postfix/bin/postfix reload
         /var/spool/avp/kavdaemon -ka && sleep 1
         /usr/bin/env - HOME=/ /bin/nice /var/spool/avp/uchroot -u avpd /var/spool/avp ./kavdaemon -dl -f=/ctl /tst > /dev/null
         /usr/local/postfix/bin/postconf -e "defer_transports ="
         /usr/local/postfix/bin/postfix reload
         ;;

Here is the full email I got warning me about a virus, but not which one:

Delivered-To: nax@hermetik.isoco.com
Delivered-To: nax@bcn.isoco.com
From: antivirus-daemon@isoco.com
Subject: Virus-alert (sender: root@isoco.com)
Date: Tue, 14 Aug 2001 18:56:44 -0100 (GMT+1)
To: undisclosed-recipients: ;

Hello! This is a mail anti-virus program at host hermetik.
The mail system received a message from root@isoco.com sent to
nax@hermetik.isoco.com
that contains either infected or suspicious file(s) and it has
not reached the above recipients. Original message headers given below.
Antivirus message(s):
Infected by a virus
Received: by hermetik.isoco.com (Postfix-NaxBox, from userid 0)
id 0480122F84; Tue, 14 Aug 2001 18:56:44 -0100 (GMT+1)
To: nax@hermetik.isoco.com
Message-Id: <20010814195644.0480122F84@hermetik.isoco.com>
Date: Tue, 14 Aug 2001 18:56:44 -0100 (GMT+1)
From: root@isoco.com (root@hermetik)

Thanks in advance for any help,

At 15:57 8/14/2001 +0400, Michael Tokarev wrote:
>Nacho Ruiz wrote:
> >
> > Hi All,
> > when I send a mail with a virus attached to test avcheck, I see this msg in
> > maillog:
> >
> > Aug 14 11:37:51 hermetik postfix/pipe[14832]: 5978E22F84: to=<nax@www.catradio.com>, relay=avcheck, delay=0, status=bounced (service unavailable. Command output: Message didn't pass the virus check: Infected by a virus )
> >
> > how can the virus prog say what type of virus it is instead of a generic
> > "infected by a virus" msg?
>
>"Infected by a virus" means that the antivirus daemon tells nothing about what
>kind of a virus it detected -- i.e. when the antivirus returned the
>"infected"
>code but not a detailed message.  I have never seen that before, but included
>such a variant "just in case".  Well, I want to see it! ;)
>
>Can you send me your infected message and some more details about your
>config (OS, av(p)check version, and especially antivirus software/version)?
>
>please, include *complete* infected message that you tried to send, with
>headers et al, in *encrypted* .zip archive (make an archive with a password),
>and send password in the same mail message to me.  Or, place this somewhere
>in ftp/www area and send me an url.
>
>And please, try to send eicar.msg file to your mail system and see what
>message it will generate.
>
>Regards,
>  Michael.

--
Nacho Ruiz - mailto:nax@isoco.es - http://www.isoco.es
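Added example, not part of this thread, of avcheck, or of the antivirus product discussed: it parses the Postfix pipe(8) bounce line quoted above into its fields and flags the generic "Infected by a virus" result that Michael describes (an "infected" return code with no detail), and it shows what a named result looks like by scanning a constructed message for the standard EICAR test string. The log line and both messages are constructed samples based on the text of the thread; the field names and the "generic reason" rule are this example's own assumptions.

```python
"""Parse Postfix pipe(8) bounce lines and produce a *named* scan result.

Added example; not the avcheck project's code. The log format is the
syslog line quoted in the thread, joined onto one line as syslog writes it.
"""
import re
from email import message_from_string
from typing import Dict, Optional, Tuple

# Constructed sample: the maillog line from the thread, on one line.
SAMPLE_LOG = (
    "Aug 14 18:56:44 hermetik postfix/pipe[21232]: 0480122F84: "
    "to=<nax@hermetik.isoco.com>, relay=avcheck, delay=0, "
    "status=bounced (service unavailable. Command output: "
    "Message didn't pass the virus check: Infected by a virus )"
)

# Field layout of a pipe(8) delivery line (assumed from the sample above).
PIPE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/pipe\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), delay=(?P<delay>[^,]+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# The standard EICAR anti-virus test string (harmless; every scanner names it).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def parse_pipe_log(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a pipe(8) log line, plus the filter's own text
    ("reason") taken from after 'Command output:'. None if it doesn't match."""
    m = PIPE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    detail = rec["detail"]
    rec["reason"] = (
        detail.split("Command output:", 1)[1].strip()
        if "Command output:" in detail else detail.strip()
    )
    return rec


def is_generic_reason(reason: str) -> bool:
    """True when the filter reported an infection but no virus name, i.e.
    the fallback text avcheck emits when the AV returns only a status code."""
    return re.search(r"Infected by a virus\s*$", reason) is not None


def scan_message(raw: str) -> Tuple[int, str]:
    """Walk every MIME part of a message and return (code, detail) the way a
    filter backend should: (0, 'clean') or (1, 'Infected: <name> (in <part>)').
    Only the EICAR string is recognised; this is a demonstration, not an AV."""
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if EICAR.encode() in payload:
            where = part.get_filename() or part.get_content_type()
            return 1, f"Infected: EICAR-Test-File (in {where})"
    return 0, "clean"


# Constructed sample messages (headers modelled on the thread's alert).
SAMPLE_EICAR_MSG = (
    "From: root@hermetik\nTo: nax@hermetik.isoco.com\nSubject: eicar test\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\n\n" + EICAR + "\n"
)
SAMPLE_CLEAN_MSG = (
    "From: root@hermetik\nTo: nax@hermetik.isoco.com\nSubject: hello\n"
    "MIME-Version: 1.0\nContent-Type: text/plain\n\nnothing to see here\n"
)

if __name__ == "__main__":
    rec = parse_pipe_log(SAMPLE_LOG)
    print(rec["qid"], rec["rcpt"], rec["status"], "->", rec["reason"])
    print("generic (no virus name):", is_generic_reason(rec["reason"]))
    print(scan_message(SAMPLE_EICAR_MSG))
    print(scan_message(SAMPLE_CLEAN_MSG))
```

Run over a real maillog, `is_generic_reason` separates bounces where the backend named the detection from those where avcheck had only a status code to report, which is exactly the distinction Michael asks for when requesting the antivirus version; `scan_message` illustrates the (code, detail) pair a backend must return for the filter to be able to say more than "Infected by a virus".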