[Avcheck] Virus warning message

Michael Tokarev mjt@tls.msk.ru
Wed, 15 Aug 2001 02:59:20 +0400


Nacho Ruiz wrote:
> 
> Hi Michael ,
> I sent the eicar.msg attached in your package, with the command
> mail nax@hermetik.isoco.com < eicar.msg
[]
> relay=avcheck, delay=0, status=bounced (service unavailable. Command output:
> Message didn't pass the virus check: Infected by a virus )

Ok, I see.  This is *strange*.  I think you should try executing
kavscanner manually to see what *it* will show you.
Another variant is to start a "normal" daemon (as described
in avp docs) and use their demo daemon client -- again, giving
it the same file and looking at its output.  If those methods
show some more info (or any at all), then something is
wrong between avcheck and kavdaemon.  Maybe they changed the
protocol?

Another variant is to try executing avcheck itself manually.
For this,

 copy avcheck into /tmp

 create shell script /tmp/infected that contains two commands:
  #! /bin/sh
  echo "$2"
  rm -f "$1"
 and make it executable (chmod +x /tmp/infected)

 copy eicar.msg into /tmp as well (for simplicity)

 and finally, run this command as root (or as avpc user,
 omit first line in this case -- it acts just like `su'
 command):

  /var/spool/avp/uchroot -d /tmp -u avpc / \
    ./avcheck -tAVP -d/var/spool/avp/./tst \
    -s/var/spool/avp/ctl/AvpCtl -S :1025 \
    -f YOU YOU < eicar.msg

If this method does not display the proper "infected by EICAR-TEST-FILE"
message, then add "strace -o avcheck.trc" before "./avcheck -t..",
and send me that avcheck.trc file (gzipped) or place it somewhere
in an ftp/www area -- I'll look into this.

BTW, the above procedure (without final stage -- sending me
strace output! ;) can be used for debugging and/or testing
(a good candidate for doc).  The same can be done with infected
script itself:  I personally use
  ./infected /dev/null "antivirus message" mjt mjt
(NOT as root!!!) to test it before actual use.  It will
complain that it can't remove /dev/null, this is normal.
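As an added illustration (not part of this mail or of avcheck), the stub
handler and the self-test above wrapped in a script that builds the two-line
"infected" script in a scratch directory, runs it against a constructed
message file so the removal step is exercised too, and then repeats the
/dev/null run; it assumes POSIX sh and mktemp(1) and needs no avcheck or
kavdaemon.

```shell
#!/bin/sh
# Added example: exercise the stub "infected" handler from the mail.
# Assumes POSIX sh and mktemp(1); avcheck/kavdaemon are not needed.

# Write the stub handler: print the scanner message ($2) and delete the
# quarantined message file ($1) -- the same two commands as in the mail.
make_stub() {
    dir=$1
    cat > "$dir/infected" <<'EOF'
#! /bin/sh
echo "$2"
rm -f "$1"
EOF
    chmod +x "$dir/infected"
}

# Invoke the stub with the argument order avcheck uses:
# <file> <message> <sender> <recipient>; its stdout is our result.
run_stub() {
    dir=$1; file=$2; msg=$3
    "$dir/infected" "$file" "$msg" mjt mjt
}

# Self-test: first on a constructed message file (message printed, file
# gone), then on /dev/null exactly as the mail suggests (message printed,
# rm complains). Returns 0 on success, 1 on any mismatch.
self_test() {
    dir=$(mktemp -d) || return 1
    make_stub "$dir"
    printf 'constructed test message\n' > "$dir/msg.txt"
    out=$(run_stub "$dir" "$dir/msg.txt" "Infected by EICAR-TEST-FILE")
    [ "$out" = "Infected by EICAR-TEST-FILE" ] || { rm -rf "$dir"; return 1; }
    [ ! -e "$dir/msg.txt" ] || { rm -rf "$dir"; return 1; }
    # The /dev/null run is only safe unprivileged (root could remove it),
    # so it is skipped for uid 0, as the mail's "NOT as root!!!" warns.
    if [ "$(id -u)" -ne 0 ]; then
        out=$(run_stub "$dir" /dev/null "antivirus message" 2>/dev/null)
        [ "$out" = "antivirus message" ] || { rm -rf "$dir"; return 1; }
    fi
    rm -rf "$dir"
    return 0
}
```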

For now, I have no idea what's going wrong.
[]

Regards,
 Michael.