[Avcheck] Antivirus with Postfix and DrWeb

Michael Tokarev mjt@tls.msk.ru
Tue, 22 Jan 2002 01:09:19 +0300


I'm sorry I was away from my mail for the whole day.
BTW, are you subscribed to the list?

Nicolai Strøm Gylling wrote:
> 
> Hi
> 
> I'm trying to configure Postfix with the DrWeb antivirus scanner, using
> AVCheck to pipe the mails to the scanner.
> 
> My current setup doesn't complain in any way (it delivers mail and everything
> *seems* to work, Avcheck adds an X-AV header), but I can't get it to detect
> the Eicar test mail (gzipped or not). I'm running both in a chrooted environment,
> as suggested in the docs.
> 
> When running the test supplied with AVCheck, injecting the eicar.msg, I don't
> get any response, and no log entries anywhere. I've set DrWeb to log as much
> as I can, but nothing shows up there.
> 
> My postfix master.cf:
> 
> localhost:1025  inet n       -      n      -       - smtpd -o content_filter=
> smtp      inet  n       -       n       -       -       smtpd -o content_filter=avcheck
> avcheck    unix -       n      n      -       5      pipe
>         flags=q user=avclient argv=/usr/local/avcheck/avcheck
>         -d /var/spool/drwebtest -h Webpartner -s DrWeb:/usr/local/drweb/run/sock
>         -f ${sender} -S :1025 -- ${recipient}
> 
> Could anyone guide me to where the problem might be, or how I could enable
> more logging, since I find it pretty hard to get any further when I get
> no errors or the like in return to my attempts.


First of all, some points, mostly answering other folks who already
replied today.

o DrWeb requires a key -- without a key, it will NOT detect ANYTHING.

o The evaluation key as distributed with drweb WORKS.  With the eval key, drweb
  can't decompress zip, tar, etc. archives, but WILL detect "plaintext"
  viruses in mails -- that is, when a virus body is within the MIME structure
  (NOT inside an archive).  The eicar.msg file, as distributed with avcheck,
  MUST be detected by drweb (this is how eval drweb differs from eval
  avp: avp will not "demime" any mails).  Note that this allows stopping
  almost all of today's virus attacks targeting Outlook and co. -- WITHOUT
  any money for the DrWeb authors (as already pointed out by Sergey).

o drwebdc will not work with chrooted drweb.  (Sergey: Hint! ;).  This is
  because drwebd running in a chroot jail should see translated filenames,
  e.g. /var/spool/drweb/tst/file -> /tst/file.  I know only one client
  that does such translation: it is avcheck ;).  This is why you should
  specify drweb's socket as /var/spool/drweb/./run/sock (note the /./ component).

o Any errors detected during avcheck+drweb operation will be logged
  properly.  Note that drweb, unlike avp, actually pays good attention
  to any error conditions (avp just ignores any errors, returning success).
  Errors on drwebd's side may be things like being unable to open the file that
  should be scanned, unable to read the file, unable to allocate memory and so on
  (all those conditions are reported as success by avp).  On avcheck's side,
  the errors of interest here are: unable to connect to drweb (if it isn't
  running or something is configured incorrectly), unable to save the file, unable
  to resend the mail, and an unexpected return code from the virus scanner.  All those
  errors result in deferral with proper logging.  If you see no errors
  in the logs, it means that no error was *detected*, so it is useless
  to try to increase *error* logging.  You may want to increase drweb's
  logging -- play some games with its config and restart it (LogScanned=yes,
  LogPacked=yes etc.).  The log will be in /var/spool/drweb/$LogFileName, as
  specified in drweb.ini.

  Well, I have not checked *all* possible errors that can occur on drwebd's
  side, and especially I haven't tested it heavily with the eval key (maybe
  it's time to do so).  But all errors that actually occurred were handled
  by drwebd pretty well, and I expect (almost) the same for other places
  too.

This is a summary.  Now back to your problem.

Reading all this thread, I see no reason for avcheck+drweb to show this
bad behaviour.  All looks good.  And all this works with great success
on several servers.

First of all, did you try the instructions outlined in README.DrWeb,
the part about manually running avcheck before plugging it into the mail
subsystem?  Running it manually eliminates one software layer.
This way, it is far easier to debug things.  Well, there are no
debugging options in avcheck (I never considered this a requirement).
But if you run it manually, you will be able to strace it too,
and see the avcheck <=> drwebd dialog.

Please post your complete drweb.ini file here, and the message you
used for testing.  Note that our server (powered by drweb!) may
reject eicar (even if sent inside a plaintext body), so you may want
to either change it *in a known way*, or post a URL instead, or
post it within a password-protected .zip file (with the password in the
message!).  Also, it will be interesting to see the avcheck<=>drweb
dialog in strace.  For this, add `strace -o trace' before the
command described in the README.DrWeb file (that uchroot .. avcheck ...
thingie).

I'm very interested to know what the problem is.  The setup you described
should work, or some error condition should be logged.  And I hope
you haven't made some obvious mistake... ;)

I'm sorry for this long post and for the long delay in answering.

Regards,
 Michael.
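
The /./ path convention from the third point above, worked through as an added
shell example.  This is illustrative code written for this page, not avcheck's
own implementation; the function names and the assumption that everything after
the first /./ component is the path as seen inside the jail are mine.  The
second function also shows the failure mode behind the drwebdc remark: a file
that lives outside the jail root has no name the chrooted daemon could open.

```sh
#!/bin/sh
# Added example (not avcheck's code): the "/./" chroot-translation convention.
# A socket path like /var/spool/drweb/./run/sock is read two ways:
#   outside the jail:  /var/spool/drweb/run/sock   (what the client connects to)
#   inside the jail:   /run/sock                   (what drwebd itself sees)
# The part before "/./" is the chroot root; the part after it is the in-jail path.

# chroot_split PATH
#   Print "<outside-path> <inside-path>" for PATH.  Without a "/./" component
#   no translation is possible, so both are the same (assumption for this demo).
chroot_split() {
    p=$1
    case $p in
        */./*)
            root=${p%%/./*}        # chroot root: text before the first "/./"
            inside=/${p#*/./}      # in-jail path: text after it, re-rooted at "/"
            printf '%s %s\n' "$root$inside" "$inside"
            ;;
        *)
            printf '%s %s\n' "$p" "$p"
            ;;
    esac
}

# translate_for_daemon SOCKPATH FILE
#   Given the socket path as configured (possibly with "/./") and a file path as
#   the client sees it, print the filename to hand to the chrooted daemon.
#   A file outside the jail root cannot be named to the daemon at all, which is
#   exactly why a client without this translation fails against chrooted drwebd.
translate_for_daemon() {
    sock=$1
    file=$2
    case $sock in
        */./*) root=${sock%%/./*} ;;
        *)     printf '%s\n' "$file"; return 0 ;;   # no jail info: pass as-is
    esac
    case $file in
        "$root"/*)
            printf '%s\n' "${file#"$root"}"       # strip the root prefix
            ;;
        *)
            echo "error: $file is not under chroot root $root" >&2
            return 1
            ;;
    esac
}

# Demo runs (constructed paths, mirroring the ones in the mail above).
chroot_split /var/spool/drweb/./run/sock
translate_for_daemon /var/spool/drweb/./run/sock /var/spool/drweb/tst/file
```

Run as a script to see the translation for the paths quoted in this mail; the
second call prints /tst/file, the name a daemon chrooted to /var/spool/drweb
needs in order to open /var/spool/drweb/tst/file.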