[Avcheck] Re: Cant detect eicar.msg

Michael Tokarev mjt@tls.msk.ru
Thu, 27 Dec 2001 20:50:50 +0300


George Chelidze wrote:
> 
> here is the attached file containing debug made by strace as Michael
> advised. I am new to this so I am not sure I can find out what's wrong
> here. Maybe someone can help. The installation is made according to
> README.AVP line by line. I use AvpDaemon as my antivirus. The same debug
> is for kavdaemon. Thanks
[]
-----------------------------------
> select(1024, [2], NULL, NULL, NULL)     = 1 (in [2])
> accept(2, {sin_family=AF_UNIX, path=@ ... 00000064}, [11]) = 7
> select(1024, [2 7], NULL, NULL, NULL)   = 1 (in [7])
> read(7, "<0>Dec 27 20:55:40:/tst/1493.tmp", 2048) = 32
> fork()                                  = 1494
[]
> [pid  1495] lstat("/tst/1493.tmp", {st_mode=S_IFREG|0640, st_size=1118, ...}) = 0
> [pid  1495] lstat("/tst/1493.tmp", {st_mode=S_IFREG|0640, st_size=1118, ...}) = 0
> [pid  1495] getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
> [pid  1495] open("/tst/1493.tmp", O_RDONLY|0x40000000) = 9
> [pid  1495] fstat(9, {st_mode=S_IFREG|0640, st_size=1118, ...}) = 0
> [pid  1495] fstat(9, {st_mode=S_IFREG|0640, st_size=1118, ...}) = 0
> [pid  1495] lseek(9, 0, SEEK_SET)       = 0
> [pid  1495] read(9, "From: Michael Tokarev <mjt@corpi"..., 4096) = 1118
> [pid  1495] close(9)                    = 0
> [pid  1495] write(7, "0\1", 2)          = 2
...
> [pid  1495] write(7, "\0\0\0\0", 4)     = -1 EPIPE (Broken pipe)

What does avcheck say here?   Does it complain?  I suspect it does,
and you did not tell me about this.

The "0\1" is 0x0130, not a valid response code if I understand things correctly.
Note also that according to their source, it seems their client will expect to see
a 4-byte length of some string the daemon wants to send next, but I see zero here (next
write).  Well, ok.

What is your InfectedAction setting in defUnix.prf?  It should be 0. I highly
suspect that your settings use a different value.  The daemon will try to ask if it
should disinfect a file with the default setting (it can't disinfect mail messages
anyway).  And -- has your daemon loaded its bases?

Regards, 
 Michael.
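To make the kind of check Michael does above reproducible, here is an added example (not code from the thread or from the AVP daemon): a small Python decoder for strace's C-escaped write() payloads, applied to the two daemon replies quoted above. It reads them the way the mail does, a 2-byte code followed by a 4-byte length of a string to come; that framing is Michael's reading and is taken here as an assumption about the protocol.

```python
import re
import struct

# Constructed sample: the two daemon-to-client writes quoted in the strace
# excerpt above (fd 7 is the accepted AF_UNIX client socket).
SAMPLE_TRACE = r'''
[pid  1495] write(7, "0\1", 2)          = 2
[pid  1495] write(7, "\0\0\0\0", 4)     = -1 EPIPE (Broken pipe)
'''

WRITE_RE = re.compile(r'write\((\d+), "((?:[^"\\]|\\.)*)", (\d+)\)\s*= (-?\d+)')
SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, '\\': 92, '"': 34,
                  'a': 7, 'b': 8, 'f': 12, 'v': 11}

def decode_strace_string(s):
    """Turn strace's C-escaped string literal into the raw bytes that were written."""
    out = bytearray()
    i = 0
    while i < len(s):
        ch = s[i]
        if ch != '\\':
            out.append(ord(ch))
            i += 1
            continue
        i += 1
        nxt = s[i]
        if nxt == 'x':                              # \xHH
            digits = re.match(r'[0-9a-fA-F]{1,2}', s[i + 1:]).group(0)
            out.append(int(digits, 16))
            i += 1 + len(digits)
        elif nxt in '01234567':                     # \1, \012 ... (strace's usual form)
            digits = re.match(r'[0-7]{1,3}', s[i:]).group(0)
            out.append(int(digits, 8))
            i += len(digits)
        else:                                       # \n, \t, \\, \" ...
            out.append(SIMPLE_ESCAPES[nxt])
            i += 1
    return bytes(out)

def parse_writes(trace):
    """Yield (fd, payload bytes, requested length, return value) for each write() line."""
    for m in WRITE_RE.finditer(trace):
        fd, literal, n, ret = m.groups()
        yield int(fd), decode_strace_string(literal), int(n), int(ret)

def interpret_daemon_reply(writes):
    """Assumed framing (the mail's reading): 2-byte little-endian code, then a
    4-byte little-endian length of the string that follows. Returns (code, length)."""
    payload = b''.join(p for _, p, _, _ in writes)
    code = struct.unpack('<H', payload[:2])[0]
    length = struct.unpack('<I', payload[2:6])[0] if len(payload) >= 6 else None
    return code, length
```

Running `interpret_daemon_reply(list(parse_writes(SAMPLE_TRACE)))` gives the 0x0130 code and the zero length the mail points at.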