[Avcheck] avcheck problem

Marek Bialoglowy ultor@systemintegra.com
Thu, 23 Jan 2003 19:06:55 +0700


Hello,

> With expired key, KAV will NOT function in daemon mode, as long as I
> remember.
> This is why there is no way to test KAV before purchasing a key.  But you
> may have another problem too.

This is actually a critical problem. If I forget about key expiration,
Postfix will just stop sending mail and it's quite possible that some mail
will be lost. I think there should be some prevention for this situation in
avcheck.

> > avcheck: unexpected AVP return code 64 (0x0140) (kavdaemon av bases not
> > found)
>
> For this, please post your KAV's config from /var/spool/avp.

Well, here is the configuration:

root@mail:/var/spool/avp# cat AvpUnix.ini
[AVP32]
DefaultProfile=./etc/defUnix.prf

[Configuration]
KeysPath=/
SetFile=/bases/avp.set
BasePath=/bases
SearchInSubDir=No


root@mail:/var/spool/avp# ls -al
total 4485
drwxr-xr-x   12 root     root         1024 Jan 22 22:59 .
drwxr-xr-x   13 root     root         1024 Dec  6 23:05 ..
-rw-r--r--    1 root     root          126 Jan 22 23:04 AvpUnix.ini
-rw-r--r--    1 root     root         1448 Dec  6 18:13 UnixKey.key
-rwxr-xr-x    1 root     root        30480 Dec  6 21:00 avcheck
drwxr-xr-x    2 root     root         1024 Jan 22 22:43 bases
drwxr-x---    2 avdaemon avgroup      1024 Jan 23 15:34 ctl
drwxr-xr-x    2 root     root         1024 Dec  6 20:24 dev
-rw-r--r--    1 root     root         1118 Dec  6 21:00 eicar.msg
-rw-r--r--    1 root     root           68 Dec  6 21:00 eicar.txt
drwxr-xr-x    2 root     root         1024 Dec  6 21:12 etc
-rwxr-xr-x    1 root     root         8395 Dec  7 15:40 infected
-rwxr-xr-x    1 root     root         3581 Dec  6 21:00 infected.ex1
-rwxr-xr-x    1 root     root         8383 Dec  7 15:38 infected.ex2.en
-rwxr-xr--    1 root     root       763612 Dec  6 18:08 kavdaemon
-rwxr-xr-x    1 root     root         1582 Dec  6 18:08 kavdaemon.sh

[...]

drwxr-xr-x    2 root     root         1024 Dec  6 21:17 lib
-rwxr-xr-x    1 root     root        45408 Dec  6 23:16 ls
drwxr-xr-x    2 root     root         1024 Dec  6 20:24 proc
drwx------    2 avdaemon root         1024 Jan  9 12:02 tmp
drwxr-x---    2 avclient avgroup      1024 Jan 23 18:54 tst
-rwxr-xr-x    1 root     root        16429 Dec  6 20:58 uchroot
-rwxr-xr-x    1 root     root         1371 Dec  6 18:08 webupdater.sh


It used to work before and I don't remember changing anything.

> > root@mail:/var/spool/avp# /var/spool/avp/avcheck -f root -d
> > /var/spool/avp/tst -s avp:/var/spool/avp/ctl/AvpCtl root < eicar.msg
> > avcheck: unexpected AVP return code 65 (0x0141) (kavdaemon av bases not
> > found)
>
> Hmm.  Why does avcheck not complain about being run as root? ;)

It's just for a test :) I start AVPd from:

# $Id: rc.avpd,v 1.5 2002/01/10 12:28:01 mjt Exp $

> But anyway, this variant of its execution will not work due to a
> permission problem: KAV will not be able to read the temp files
> avcheck will write - wrong gid.

Hmmm ... could be, but I think the configuration is fine.

> [snip good results]
>
> Hmm.  Did it work before?  Too bad I don't remember how KAV
> daemon reacts to absence of a valid key...

Yes, it worked. I've seen some posts where people claim that it should work, but
in demo mode.

> > Would it be related to expiration of my key ?
>
> Well, maybe, as one possibility.  Or something is wrong with
> the config, so the chrooted kavdaemon is really unable to find
> its bases.

I'll still be trying to find the cause of the problem until I have a new
key.

Thank you.

Best Regards,

 Marek Bialoglowy [mb@systemintegra.com] [Information Security Consultant]
 GROUP: HERT (hert.org) -- PGP: http://www.systemintegra.com/pgp/ultor.asc
 JOB: (CTO) System Integra -- Jakarta, Indonesia -- Timezone: JAVT, GMT +7
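The two failure modes discussed in this thread (kavdaemon reporting "av bases not found", and avcheck's temp directory not being readable by the daemon's group) can both be caught before mail is routed through the scanner. The following pre-flight script is an added example, not part of the original post, of avcheck or of KAV. It assumes, as the thread implies, that the paths in AvpUnix.ini (BasePath, SetFile, KeysPath) are interpreted relative to the chroot root (/var/spool/avp above), and it only checks that the key file is present, not whether it has expired, since that cannot be read from the filesystem layout alone. The make_fixture function builds a constructed copy of the directory layout shown in the post so the checks can run offline.

```shell
#!/bin/sh
# Added example: sanity-check a chrooted kavdaemon/avcheck layout.
# Assumption: AvpUnix.ini paths are resolved relative to the chroot root.

# ini_get <file> <key>: print the value of the first "key=value" line.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | tr -d '\r'
}

# check_chroot_layout <chroot_root>: 0 if bases, set file and a key file
# are all present under the chroot, 1 otherwise (with a diagnostic per miss).
check_chroot_layout() {
    root="$1"
    ini="$root/AvpUnix.ini"
    [ -r "$ini" ] || { echo "missing $ini"; return 1; }
    base=$(ini_get "$ini" BasePath)
    setfile=$(ini_get "$ini" SetFile)
    keys=$(ini_get "$ini" KeysPath)
    rc=0
    [ -d "$root$base" ] || { echo "BasePath $base not found under $root"; rc=1; }
    [ -f "$root$setfile" ] || { echo "SetFile $setfile not found under $root"; rc=1; }
    # KeysPath=/ means the key lives at the chroot root; any *.key file counts here.
    if ! ls "$root$keys"/*.key >/dev/null 2>&1; then
        echo "no *.key file in KeysPath $keys under $root"; rc=1
    fi
    return $rc
}

# check_group_access <dir>: 0 if the directory's group has read+execute
# (what the daemon needs to open avcheck's temp files when it runs under
# the same group), 1 otherwise. Uses ls -ld so it stays portable.
check_group_access() {
    perm=$(ls -ld "$1" | cut -c5-7)
    case "$perm" in
        r?x) return 0 ;;
        *) echo "$1: group permission is '$perm', daemon group cannot read it"; return 1 ;;
    esac
}

# make_fixture: constructed copy of the layout from the post, in a temp dir.
# Prints the path of the fake chroot root.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bases" "$d/tst" "$d/tmp" "$d/ctl"
    cat > "$d/AvpUnix.ini" <<'EOF'
[AVP32]
DefaultProfile=./etc/defUnix.prf

[Configuration]
KeysPath=/
SetFile=/bases/avp.set
BasePath=/bases
SearchInSubDir=No
EOF
    : > "$d/bases/avp.set"    # placeholder, constructed
    : > "$d/UnixKey.key"      # placeholder, constructed
    chmod 750 "$d/tst"        # group-readable, like drwxr-x--- avclient avgroup
    chmod 700 "$d/tmp"        # daemon-only, like drwx------ avdaemon root
    printf '%s\n' "$d"
}

# Usage on a real box (not run here):
#   check_chroot_layout /var/spool/avp && check_group_access /var/spool/avp/tst
```

Run it from cron or from the mail system's start script and refuse to enable the avcheck content filter when either check fails; that way a broken chroot layout shows up as a logged error instead of as a queue that silently stops moving.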