[Avcheck] Fwd: Re: AV Server

Michael Tokarev mjt@tls.msk.ru
Fri, 16 Nov 2001 23:51:23 +0300


Len Conrad wrote:
> 
> Michael, Ralf,
> 
> The client has continued to pound on the FreeBSD+postfix+Kasp+avcheck0.6.
> 
> He sends 1000's of msg to the server with no virus, and all passes well. He
> sends one msg with a virus and geth

This is NOT a virus/antivirus related problem.  It may be your filesystem that
has some errors, or something like that (check with fsck).  Note that e.g.
amavis will stress your filesystem far more heavily than avcheck.  I can't
answer this question myself, but one suggestion -- ask FreeBSD guys about
this error.  If I'm right and this is some fs-related issue, then thank
God (or you name it) that this affected only mail-data and not something
more serious.  One example - if some of your /var/spool/avp directories
screwed up for whatever reason -- sooner or later you may hit this bad
directory again with different, more important data.  After your testing
I don't think this is bad memory or something like that.  It may be disk,
or, more probably, bad filesystem.  Maybe reformat it?  But anyway, either
look into kernel sources and search for this error message, trying to
find why it was generated, or, better yet, ask FreeBSD guys.

When avcheck finds a virus, it will call `infected' helper in order to deal
with that infected mail message, so at least one file, that `infected'
helper, is accessed *only* when a virus is detected.  What if you'll try to
execute it manually (without editing and such) -- will the same message
pop up?  A guess only, but anyway -- the things avcheck does should NOT,
NOT harm kernel. If avcheck is able to do some bad thing with your kernel,
then it is *kernel* that needs to be repaired/corrected, or whatever
else that was a cause of a problem *in kernel*.  You know -- avcheck
has no root privileges to be able to do any evil thing.  But even if
with root privs, it will not be able to trigger a condition that is
reported here.  In case of *any* error possible in avcheck or avp or
something else -- *userspace* program -- it is NOT possible to harm
a kernel, or else kernel is bad, or something else in kernel space is
bad.  You need to find what is bad with your kernel (filesystem is in
kernel space too) -- and you *definitely* need to find this, or else
you risk to lose other, more important than any infected mail message,
data.

[]
> >>console and the message logfile?
> >>
> >>/kernel: dscheck(#da/2): b_bcount 37 is not on a sector boundary (ssize 512)

Regards,
 Michael.