[Avcheck] avcheck problem

Michael Tokarev avcheck <avcheck@corpit.ru>
Thu, 23 Jan 2003 15:39:20 +0300


Marek Bialoglowy wrote:
> Hello,
> 
>>With expired key, KAV will NOT function in daemon mode, as long as I
>>remember.
>>This is why there is no way to test KAV before purchasing a key.  But you
>>may have another problem too.
> 
> This is actually a critical problem. If I forget about key expiration
> POSTFIX will just stop sending mail and it's quite possible that some mail
> will be lost. I think there should be some prevention for this situation in
> avcheck.

Well, I don't know what is better.  After you installed an AV scanner, your
users (and you) will feel safe.  Postfix keeps email in queue for quite some
time (a week by default) - so you have a week to notice absence of email and
to fix a problem - in this case, either by temporarily disabling scanner
(AND notifying your users), or by renewing license.

If the real cause of the problem is an expired key, then there is no way for avcheck
to distinguish between this situation and some (temporary) error condition that
should be fixed (i.e. a typo in kav's configuration preventing kavdaemon from finding
its bases).  DrWeb uses a separate return code to indicate "demo version error",
kav - it seems - hasn't.

>>>avcheck: unexpected AVP return code 64 (0x0140) (kavdaemon av bases not
>>>found)
>>
>>For this, please post your KAV's config from /var/spool/avp.
> 
> Well, here is the configuration:

It looks nice.

> It used to work before and I don't remember changing anything.

You may just try it: reset the date on your host so the key will look
non-expired, and send something.  If it works, then the problem
is with the expired key...  I think this is the best option for now -
because f.e. I don't have time to install kav again to see what's
going on, unfortunately.

>>>root@mail:/var/spool/avp# /var/spool/avp/avcheck -f root -d
>>>/var/spool/avp/tst -s avp:/var/spool/avp/ctl/AvpCtl root < eicar.msg
>>>avcheck: unexpected AVP return code 65 (0x0141) (kavdaemon av bases not
>>>found)
>>
>>Hmm.  Why avcheck does not complain about being run as root? ;)
> 
> It's just for test :) I start AVPd from:

I understand. ;)

>>But anyway, this variant of its execution will not work due to
>>permission problem: KAV will not be able to read temp files
>>avcheck will write - wrong gid.
> 
> Hmmm ... could be, but I think configuration is fine.

That is - when you're running it with gid != avgroup, it will
create files in /var/spool/avp/tst unreadable by kavdaemon.
When you run it as root, your gid is unlikely to be avgroup.
Running it as avclient user (whose primary gid is avgroup)
is fine.

>>[snip good results]
>>
>>Hmm.  Did it work before?  Too bad I don't remember how KAV
>>daemon reacts to absence of a valid key...
> 
> Yes it worked. I've seen some posts where ppl claim that it should work but
> in demo mode.

No, it does not work in demo mode since version 3.0.something.
I used to keep that version somewhere - especially for folks
who want to try it (thanks kaspersky ppl for this), but now
it won't work anymore.

>>>Would it be related to expiration of my key ?
>>
>>Well, may be as one possibility.  Or something is wrong with
>>the config, so chrooted kavdaemon is really unable to find
>>its bases.
> 
> I'm still trying to find the cause of the problem until I have a new
> key.

Your config seems to be fine.  Try changing system time - if kav works
after that, the problem is found (but not solved).  If not - well,
we'll see...

/mjt

P.S. Website incorrectly claims that avcheck mailinglist is open to
non-subscribers.  I was forced to restrict it to subscribers because
of spam problems.  I'll fix the site.  That is - every post of yours gets
approved by me manually... ;)