[Avcheck] infected is sick?

Michael Tokarev mjt@tls.msk.ru
Wed, 28 Nov 2001 15:54:16 +0300


Len Conrad wrote:
> 
> avcheck 0.6, postfix, freebsd, "infected":
> 
> VIRUS_ALERT=jstaiman@snipmail.net # set to empty to skip administrator email
> INFORM_SENDER=y # send alert to sender
> INFORM_RCPT=y # send alert to recipients

Ok.

> I send a snowwhite hybris to the AV box's ip address.
> 
> 1. jstaiman@snipmail.net gets nothing.

Administrator alert sent first.

> 2. I, sender, get the message + full virus back (on my mail gateway,
> body_checks blocks the msg because it finds .exe attachment)

How did you send the affected message then?  It seems it was not via
your gateway, or else body_checks should have blocked the original
message.  Note the same will happen if postfix sends the standard
bounce message instead (the first several Kbytes of the original message).

> 3. recipient gets virus-free notice, cool.
> 
> I can't get 1 and 2 to work right.
> 
> I have killed avdaemon and postfix, and restarted, still no workee.

There is no need to restart anything unless you changed the way
avcheck is called from postfix (in master.cf; a postfix reload is
required) or avdaemon's virus bases or settings.  Any change
in the `infected' script will be picked up when processing the next
virus.

Ok.

1. Check how the message was sent.  Find the jstaiman@snipmail.net
address in the logs at that time (the from address should be empty) and
trace the message down.  Maybe the same cause as in 2.  And see below.

2. This is a problem with all configurations/antivirus/whatever.
When more than one mail server is involved you should ensure that
the second one will not check messages sent by the first.  Note that
usually the return path to the sender goes the same way as the original
message was sent.

I.e. I can send a message to you from my desktop computer; it will
first be sent to our gateway, checked there for viruses, then sent
to your gateway, again checked for viruses and finally delivered to
your mailbox.  If I send a virus to you, it will be intercepted
by my gateway and returned back to me, and your gateway may receive
a "recipient notification" (headers only).  If *your* gateway
finds a virus then our gateway will not block the returned bounce, since
it did not catch the original virus in the first place and will not
catch it when returned (in the case where our gateway does not run any
antivirus software).

What you demonstrated can happen only if you sent the original message
from a different place where there is no virus scanner running,
the message reached a virus-scanning gateway and it tried to send
a message to your "main" mailserver that also checks for viruses.
There is nothing one can do here except teaching the second mailserver
(which will reject the virus notification in this case) to "trust"
all mails sent from the first mailserver.

Here we have two mailservers, let's say A and B, both running a
virus checker.  I configured port 1025 on both as a reinjection
port (used by avcheck) and configured a transport map on both
so that A will send mails destined for B to host B port 1025
and vice versa.  And placed firewall rules so that no one else
can use port 1025.  Note that such a setup is not needed to
receive virus alerts, but only to lighten the load -- since I
surely know that all mails sent from A to B were checked by
the same antivirus software as B has, and B doesn't need to
check them again.

Regards,
 Michael.
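The two-server arrangement described in the last paragraph (a scanned public listener, an unscanned reinjection port 1025, a transport map pointing at the peer's port 1025, and a firewall restricting who may reach it), written out as an added illustration that is not from the original message or from the avcheck project. Hostnames a.example.com/b.example.com, the address 192.0.2.2 for host B and the transport name "avcheck" are assumed placeholders; the firewall lines use ipfw because the original poster runs FreeBSD, and only host A's side is shown (B mirrors it with the names swapped):

```conf
# /etc/postfix/master.cf on host A (assumed layout; B is the mirror image)
#
# Public SMTP listener: every message is handed to the avcheck content
# filter.  "avcheck" is assumed to be the existing pipe transport that
# runs avcheck; its own line is left out here.
smtp      inet  n  -  n  -  -  smtpd
  -o content_filter=avcheck:dummy

# Reinjection listener on port 1025: content_filter is empty, so mail that
# arrives here (from the local avcheck, or from the peer that already
# scanned it) is NOT scanned again.  Anything reaching this port bypasses
# the scanner, so restrict clients here too, not only in the firewall.
1025      inet  n  -  n  -  -  smtpd
  -o content_filter=
  -o smtpd_client_restrictions=permit_mynetworks,reject

# /etc/postfix/main.cf on host A
# mynetworks must list the peer so permit_mynetworks on port 1025 admits it.
mynetworks     = 127.0.0.0/8, 192.0.2.2/32
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport on host A (run "postmap /etc/postfix/transport"
# after editing).  Mail for B is delivered to B's unscanned port directly,
# because it was already checked by the same antivirus software on A.
b.example.com   smtp:[b.example.com]:1025

# ipfw rules on host A: only the peer and the local host may talk to 1025.
# (Rule numbers omitted; order matters, deny comes last.)
ipfw add allow tcp from 192.0.2.2 to me 1025
ipfw add allow tcp from 127.0.0.1 to me 1025
ipfw add deny  tcp from any to me 1025
```

The firewall and the smtpd_client_restrictions line are two independent layers guarding the same fact: port 1025 is an unscanned entry point, so whoever can connect to it can deliver mail that neither server's virus checker ever sees. The transport-map shortcut is only sound when both hosts run the same scanner with the same virus bases, exactly as the message notes.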