[Avcheck] Problem (what else?)

Milan P. Stanic mps@rns-nis.co.yu
Mon, 27 Aug 2001 17:30:22 +0200 (CEST)


On 26-Aug-2001 Michael Tokarev wrote:
[...]
>> ps au | grep Avp  gives:
>> avpd 2013  0.0  0.1 4504   56 ?  S  21:04 0:00 /AvpDaemon -dl -f=/ctl /tst
> 
> This all looks ok.

Fine.
 
>> and excerpt from mail.log
>> ----------------------------
>> Aug 26 21:19:04 dl postfix/qmgr[2310]: 607E617BFD: from=<mps@rns-nis.co.yu>, size=597, nrcpt=1 (queue active)
>> Aug 26 21:19:04 dl postfix/smtpd[2319]: disconnect from localhost[127.0.0.1]
>> Aug 26 21:19:04 dl postfix/pipe[2315]: 641C217B3B: to=<mps@rns-nis.co.yu>, relay=avcheck, delay=38, status=sent (dl.rns-nis.co.yu)
>> Aug 26 21:19:04 dl postfix/local[2321]: 607E617BFD: to=<mps@rns-nis.co.yu>, relay=local, delay=0, status=sent (mailbox)
>> ----------------------------------------
>> 
>> I don't understand why postfix sends it to the "local" relay?
> 
> You posted somewhat incomplete log.  We see here two messages (actually

The log is complete because I cleaned it before sending the test message, and
these lines are the only relevant ones.

> second one is reinjected back first) -- with ids 607E617BFD and
> 607E617BFD. 607E617BFD sent to local mailbox (where it should be
> delivered? I suppose it is your local domain, is it?) -- but it was

Yes, I'm using a single machine for testing, but it should work because I'm
sending mail over SMTP.

> already checked -- it was 641C217B3B before.  And 641C217B3B was
> successfully "sent" to avcheck.  Order of lines is somewhat strange,
> yes, but this is normal.

[...]
> This is not good.  It is not necessary to hack avcheck at all: all
> situations it can't handle it will log via postfix's mechanisms.  This
> includes unexpected result codes and any other things.  If AvpDaemon
> returns something strange, mail will be *deferred*, with a message
> describing that, and the same message will be logged by postfix's
> pipe(8) agent.  From the log above I guess (there is no real evidence)
> that a message sent to mps@rns-nis.co.yu was successfully checked.
> Now, when you modified avcheck, it won't work...  Strange, yes? ;)

With the unmodified avcheck I didn't have any idea what could be wrong. When I
added syslog support I could see that avcheck works and that it communicates
with AvpDaemon. And I liked the idea of seeing its state during execution.

> First, you said that your modified avcheck logs "unexpected return
> code", but did not provide what code it received.  I strongly suggest
> you use the unmodified one -- all required info will be available
> anyway (no, I don't want to say that you did some bad things with the
> code, but it was just unnecessary, and a *possible* source of other
> errors).  And then post the message it logs (or the reason for the
> deferred mail message).

No. I mean that I modified avcheck to test it. The logs and configs posted here
were with the unmodified avcheck.

> Next, it is better to actually test your configuration manually.
> The procedure is described inside the avcheck tarball.

As I said, I did it exactly as it is described in README.AVP. Up to that point
everything works as expected (and as described). When I give the next command:

/var/spool/avp/uchroot -u avpc / /var/spool/avp/avcheck -n -f root -d /var/spool/avp/./tst -s avp:/var/spool/avp/ctl/AvpSocket root < eicar.txt

I got the line:

Message didn't pass the virus check: infected: EICAR-Test-File 

So far, so good.

But when I tried to set up postfix (as described in README.Postfix) it does
not work.

Ralf Hildebrandt pointed me to try a zipped EICAR.TXT. Well, I zipped
eicar.txt and sent it. And surprise, postfix+avcheck+AvpDaemon detected
the virus.
So the new question is: why does it detect the virus in a zipped file but not
if I send the same file as text?


Milan
----------------------------------
OSS, IT Security
Consulting and Management
----------------------------------
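The reply above works out by eye that the two queue IDs in the log are one message before and after the avcheck hop (the filter delivers one queue ID to avcheck, and the copy avcheck reinjects over SMTP gets a new one). The following is an added example, not part of avcheck or of either post, that turns that reasoning into a check you can run over a mail.log: it parses the four lines quoted in the thread, pairs each hand-off to the avcheck relay with the later delivery to the same recipient under a different queue ID, and reports any final delivery that no filter pass accounts for. The pairing by recipient and timestamp is a heuristic (Postfix does not log the link between the two IDs at this point in the thread), and the relay name `avcheck` is taken from the quoted log.

```python
"""Correlate a Postfix content_filter round trip from mail.log lines.

Added example; not part of avcheck or the original post.  The sample
lines are the four quoted in the message above; pairing a filter
hand-off with the reinjected copy by recipient and timestamp is the
reasoning the reply applies by hand, written as code.
"""
import re
from collections import defaultdict
from datetime import datetime

# The mail.log excerpt quoted in the post (syslog carries no year).
SAMPLE_LOG = """\
Aug 26 21:19:04 dl postfix/qmgr[2310]: 607E617BFD: from=<mps@rns-nis.co.yu>, size=597, nrcpt=1 (queue active)
Aug 26 21:19:04 dl postfix/smtpd[2319]: disconnect from localhost[127.0.0.1]
Aug 26 21:19:04 dl postfix/pipe[2315]: 641C217B3B: to=<mps@rns-nis.co.yu>, relay=avcheck, delay=38, status=sent (dl.rns-nis.co.yu)
Aug 26 21:19:04 dl postfix/local[2321]: 607E617BFD: to=<mps@rns-nis.co.yu>, relay=local, delay=0, status=sent (mailbox)
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ '
    r'postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(<[^>]*>|[^,\s]+)')
DETAIL_RE = re.compile(r'\(([^)]*)\)\s*$')


def parse_log(text):
    """Return {queue_id: [event, ...]} for lines that carry a queue ID.

    Lines without one (smtpd connect/disconnect) are skipped; they matter
    for session debugging but not for tracing a single message.
    """
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {k: v.strip('<>') for k, v in KV_RE.findall(m['rest'])}
        ev['prog'] = m['prog']
        ev['ts'] = datetime.strptime(m['ts'], '%b %d %H:%M:%S')
        detail = DETAIL_RE.search(m['rest'])
        ev['detail'] = detail.group(1) if detail else ''
        events[m['qid']].append(ev)
    return dict(events)


def pair_filter_round_trips(events, filter_relay='avcheck'):
    """Match each message handed to the filter with its reinjected copy.

    pipe(8) delivers queue ID A to the filter; the copy the filter
    reinjects gets a new queue ID B, so A never shows a final delivery
    and B never shows the filter.  Returns (pairs, unexplained), where
    `unexplained` lists final deliveries that no filter hand-off accounts
    for: the place to look when mail appears to skip the scanner.
    """
    handed_off, final = [], []
    for qid, evs in events.items():
        for ev in evs:
            if ev.get('status') != 'sent' or 'relay' not in ev:
                continue
            bucket = handed_off if ev['relay'] == filter_relay else final
            bucket.append((ev['ts'], qid, ev['to'], ev['relay']))
    pairs, used = [], set()
    for ts, qid, rcpt, _ in sorted(handed_off):
        for fts, fqid, frcpt, _ in sorted(final):
            if fqid != qid and fqid not in used and frcpt == rcpt and fts >= ts:
                pairs.append((qid, fqid))
                used.add(fqid)
                break
    unexplained = [(qid, relay) for _, qid, _, relay in final if qid not in used]
    return pairs, unexplained


if __name__ == '__main__':
    pairs, unexplained = pair_filter_round_trips(parse_log(SAMPLE_LOG))
    for before, after in pairs:
        print(f'{before} scanned via avcheck, reinjected as {after}')
    for qid, relay in unexplained:
        print(f'{qid} delivered via {relay} with no matching avcheck pass')
```

On the quoted log this pairs 641C217B3B with 607E617BFD and reports nothing unexplained, which is the "it was already checked" conclusion of the reply. A delivery showing up in the unexplained list is what a filter bypass (or a gap in the log) looks like.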
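The closing question (EICAR detected when zipped, not when sent as text) is easiest to chase with two messages that differ only in how the same 68 bytes are packaged. The following is an added example, not avcheck code and not from either post, and it does not claim why AvpDaemon treated the two differently. It builds both variants the way the post describes (EICAR string as the plain-text body; eicar.txt inside a zip attachment), then decodes each the way a MIME-aware scanner has to, listing every object the scanner would see. One point it makes concrete: EICAR defines the test file as a file that *begins* with the string, and in neither variant does the raw message file begin with it, so what gets detected depends on which object the scanner is actually handed. Addresses are the ones from the post; nothing is sent, the functions only return bytes you can pipe into `sendmail -t` or into the manual avcheck test.

```python
"""Build the two EICAR test messages from the post and show what each
presents to a MIME-aware scanner.  Added example, not part of avcheck;
it makes no claim about why AvpDaemon treated the two differently.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# The 68-byte EICAR test string (ASCII, public by design).  A scanner
# recognises a *file* that begins with it; one line, no leading space.
EICAR = b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

SENDER = RCPT = 'mps@rns-nis.co.yu'   # addresses as in the post


def plain_text_message():
    """Variant 1: the EICAR string is the whole text/plain body (7bit)."""
    msg = EmailMessage(policy=policy.SMTP)
    msg['From'] = SENDER
    msg['To'] = RCPT
    msg['Subject'] = 'eicar as text'
    msg.set_content(EICAR.decode('ascii'))
    return msg.as_bytes()


def zipped_message():
    """Variant 2: eicar.txt inside a zip, attached base64-encoded."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('eicar.txt', EICAR)
    msg = EmailMessage(policy=policy.SMTP)
    msg['From'] = SENDER
    msg['To'] = RCPT
    msg['Subject'] = 'eicar zipped'
    msg.set_content('test attachment')
    msg.add_attachment(buf.getvalue(), maintype='application',
                       subtype='zip', filename='eicar.zip')
    return msg.as_bytes()


def objects_seen_by_scanner(raw):
    """Decode a message the way a MIME-aware scanner must: every leaf
    part's decoded payload, plus every member of any zip among them.
    Returns [(label, bytes)]."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    seen = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        seen.append((part.get_content_type(), payload))
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    seen.append((f'zip:{name}', zf.read(name)))
    return seen


def eicar_hits(raw):
    """Labels of decoded objects that *are* an EICAR file (begin with the
    string) versus objects that merely *contain* it somewhere inside."""
    is_file, contains = [], []
    for label, data in objects_seen_by_scanner(raw):
        if data.startswith(EICAR):
            is_file.append(label)
        elif EICAR in data:
            contains.append(label)
    return is_file, contains


def raw_file_view(raw):
    """What a scanner sees if handed the whole queue file, headers first:
    (begins_with_eicar, contains_eicar_somewhere)."""
    return raw.startswith(EICAR), EICAR in raw


if __name__ == '__main__':
    for name, raw in (('text', plain_text_message()), ('zip', zipped_message())):
        print(name, 'raw file view:', raw_file_view(raw), 'decoded hits:', eicar_hits(raw))
```

Run as a script it shows that the literal string is present in the raw text variant but never at the start of the queue file, while after MIME decoding each variant yields exactly one object that begins with the string (the text body, or the zip member). Feeding both `as_bytes()` outputs to the same manual `avcheck ... < file` test from the thread tells you whether the difference lies in the scanner or in the Postfix plumbing.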