[Avcheck] avcheck problem
Marek Bialoglowy
ultor@systemintegra.com
Thu, 23 Jan 2003 19:06:55 +0700
Hello,
> With expired key, KAV will NOT function in daemon mode, as long as I
> remember.
> This is why there is no way to test KAV before purchasing a key. But you
> may have another problem too.
This is actually a critical problem. If I forget about key expiration,
POSTFIX will just stop sending mail, and it's quite possible that some mail
will be lost. I think there should be some prevention for this situation in
avcheck.
> > avcheck: unexpected AVP return code 64 (0x0140) (kavdaemon av bases not
> > found)
>
> For this, please post your KAV's config from /var/spool/avp.
Well, here is the configuration:
root@mail:/var/spool/avp# cat AvpUnix.ini
[AVP32]
DefaultProfile=./etc/defUnix.prf
[Configuration]
KeysPath=/
SetFile=/bases/avp.set
BasePath=/bases
SearchInSubDir=No
root@mail:/var/spool/avp# ls -al
total 4485
drwxr-xr-x 12 root root 1024 Jan 22 22:59 .
drwxr-xr-x 13 root root 1024 Dec 6 23:05 ..
-rw-r--r-- 1 root root 126 Jan 22 23:04 AvpUnix.ini
-rw-r--r-- 1 root root 1448 Dec 6 18:13 UnixKey.key
-rwxr-xr-x 1 root root 30480 Dec 6 21:00 avcheck
drwxr-xr-x 2 root root 1024 Jan 22 22:43 bases
drwxr-x--- 2 avdaemon avgroup 1024 Jan 23 15:34 ctl
drwxr-xr-x 2 root root 1024 Dec 6 20:24 dev
-rw-r--r-- 1 root root 1118 Dec 6 21:00 eicar.msg
-rw-r--r-- 1 root root 68 Dec 6 21:00 eicar.txt
drwxr-xr-x 2 root root 1024 Dec 6 21:12 etc
-rwxr-xr-x 1 root root 8395 Dec 7 15:40 infected
-rwxr-xr-x 1 root root 3581 Dec 6 21:00 infected.ex1
-rwxr-xr-x 1 root root 8383 Dec 7 15:38 infected.ex2.en
-rwxr-xr-- 1 root root 763612 Dec 6 18:08 kavdaemon
-rwxr-xr-x 1 root root 1582 Dec 6 18:08 kavdaemon.sh
[...]
drwxr-xr-x 2 root root 1024 Dec 6 21:17 lib
-rwxr-xr-x 1 root root 45408 Dec 6 23:16 ls
drwxr-xr-x 2 root root 1024 Dec 6 20:24 proc
drwx------ 2 avdaemon root 1024 Jan 9 12:02 tmp
drwxr-x--- 2 avclient avgroup 1024 Jan 23 18:54 tst
-rwxr-xr-x 1 root root 16429 Dec 6 20:58 uchroot
-rwxr-xr-x 1 root root 1371 Dec 6 18:08 webupdater.sh
It used to work before and I don't remember changing anything.
> > root@mail:/var/spool/avp# /var/spool/avp/avcheck -f root -d
> > /var/spool/avp/tst -s avp:/var/spool/avp/ctl/AvpCtl root < eicar.msg
> > avcheck: unexpected AVP return code 65 (0x0141) (kavdaemon av bases not
> > found)
>
> Hmm. Why avcheck does not complain about being run as root? ;)
It's just for testing :) I start AVPd from:
# $Id: rc.avpd,v 1.5 2002/01/10 12:28:01 mjt Exp $
> But anyway, this variant of it's execution will not work due to
> permission problem: KAV will not be able to read temp files
> avcheck will write - wrong gid.
Hmmm ... could be, but I think the configuration is fine.
> [snip good results]
>
> Hmm. Did it work before? Too bad I don't remember how KAV
> daemon reacts to absence of a valid key...
Yes, it worked. I've seen some posts where people claim that it should work, but
in demo mode.
> > Would it be related to expiration of my key ?
>
> Well, maybe as one possibility. Or something is wrong with
> the config, so chrooted kavdaemon is really unable to find
> its bases.
I'll keep trying to find the cause of the problem until I have a new
key.
Thank you.
Best Regards,
Marek Bialoglowy [mb@systemintegra.com] [Information Security Consultant]
GROUP: HERT (hert.org) -- PGP: http://www.systemintegra.com/pgp/ultor.asc
JOB: (CTO) System Integra -- Jakarta, Indonesia -- Timezone: JAVT, GMT +7
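The "prevention" Marek asks for above is a policy question: when the scanner itself is broken (expired key, bases not found), the filter should make Postfix defer the message rather than drop or bounce it. The wrapper below is an added example written for this thread, not code from avcheck, KAV or Postfix. It assumes the site already runs avcheck as a Postfix pipe(8) content filter that reads the message on stdin and exits 0 once it has delivered it, and it assumes a scanner failure shows up on stderr as the "unexpected AVP return code" diagnostic quoted in the post; the script name avcheck-wrap and the syslog tag are invented for the example. Postfix interprets a pipe transport's exit status per sysexits.h: 0 is delivered, 75 (EX_TEMPFAIL) keeps the message queued and retries it later, and most other codes bounce it.

```shell
#!/bin/sh
# avcheck-wrap: added example of a wrapper around avcheck for a Postfix
# pipe(8) content filter. Not part of avcheck, KAV or Postfix.
#
# Assumed invocation from master.cf (names are the site's own, not fixed here):
#   avcheck-wrap /var/spool/avp/avcheck -f ${sender} -d /var/spool/avp/tst \
#       -s avp:/var/spool/avp/ctl/AvpCtl <delivery command>
#
# Policy: scanner failure => EX_TEMPFAIL (75), so Postfix defers and retries
# instead of losing the message; any other non-zero status is left as avcheck's
# own verdict and passed through unchanged.

EX_TEMPFAIL=75
SYSLOG_TAG=avcheck-wrap   # assumed tag, pick whatever the site logs under

# classify_result STATUS STDERR_TEXT -> prints deliver | defer | passthrough
# Pure policy function, kept separate so it can be tested without a scanner.
classify_result() {
    cr_status=$1
    cr_err=$2
    if [ "$cr_status" -eq 0 ]; then
        printf 'deliver\n'
        return 0
    fi
    case $cr_err in
        *"unexpected AVP return code"*)
            # daemon answered but is unusable: expired key, missing bases, ...
            printf 'defer\n' ;;
        *)
            # avcheck refused the message for its own reasons; keep its status
            printf 'passthrough\n' ;;
    esac
    return 0
}

# run_filter CMD [ARGS...]: feeds stdin to the scanner command, applies the
# policy above, and returns the exit status Postfix should see.
run_filter() {
    rf_errfile=$(mktemp) || return "$EX_TEMPFAIL"
    "$@" 2>"$rf_errfile"
    rf_status=$?
    rf_err=$(cat "$rf_errfile")
    rm -f "$rf_errfile"
    case $(classify_result "$rf_status" "$rf_err") in
        deliver)
            return 0 ;;
        defer)
            # alert the admin; a deferred queue is visible, a dropped one is not
            logger -t "$SYSLOG_TAG" -p mail.err \
                "scanner failure, deferring message: $rf_err" 2>/dev/null || :
            return "$EX_TEMPFAIL" ;;
        passthrough)
            return "$rf_status" ;;
    esac
}

# Act as the filter only when executed under the script name; when sourced
# for testing, just define the functions.
if [ "${0##*/}" = "avcheck-wrap" ]; then
    run_filter "$@"
    exit $?
fi
```

With this in place the expired-key case shows up as a growing deferred queue and a mail.err syslog line rather than silent loss, and the message is retried once the new key is installed. The wrapper deliberately does not fail open (deliver unscanned), since that would turn a licensing lapse into an unfiltered mail path.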