[Avcheck] Problem (what else?)
Milan P. Stanic
mps@rns-nis.co.yu
Mon, 27 Aug 2001 17:30:22 +0200 (CEST)
On 26-Aug-2001 Michael Tokarev wrote:
[...]
>> ps au | grep Avp gives:
>> avpd 2013 0.0 0.1 4504 56 ? S 21:04 0:00 /AvpDaemon -dl -f=/ctl
>> /tst
>
> This all looks ok.
Fine.
>> and excerpt from mail.log
>> ----------------------------
>> Aug 26 21:19:04 dl postfix/qmgr[2310]: 607E617BFD: from=<mps@rns-nis.co.yu>, size=597, nrcpt=1 (queue active)
>> Aug 26 21:19:04 dl postfix/smtpd[2319]: disconnect from localhost[127.0.0.1]
>> Aug 26 21:19:04 dl postfix/pipe[2315]: 641C217B3B: to=<mps@rns-nis.co.yu>, relay=avcheck, delay=38, status=sent (dl.rns-nis.co.yu)
>> Aug 26 21:19:04 dl postfix/local[2321]: 607E617BFD: to=<mps@rns-nis.co.yu>, relay=local, delay=0, status=sent (mailbox)
>> ----------------------------------------
>>
>> I don't understand why postfix sends it to the "local" relay?
>
> You posted somewhat incomplete log. We see here two messages (actually
The log is complete because I cleaned it before sending the test message, and these
lines are the only relevant ones.
> second one is reinjected back first) -- with ids 607E617BFD and
> 607E617BFD. 607E617BFD sent to local mailbox (where it should be
> delivered? I suppose it is your local domain, is it?) -- but it was
Yes, I'm using a single machine for testing, but it should work because I'm
sending mail over SMTP.
> already checked -- it was 641C217B3B before. And 641C217B3B was
> successfully "sent" to avcheck. Order of lines is somewhat strange,
> yes, but this is normal.
[...]
> This is not good. It is not necessary to hack avcheck at all: all
> situations it can't handle it will log via postfix's mechanisms. This
> includes unexpected result codes and any other things. If AvpDaemon
> returns something strange, mail will be *deferred*, with message
> describing that, and the same message will be logged by postfix's
> pipe(8) agent. From log above I guess (there is no real evidence)
> that a message sent to mps@rns-nis.co.yu was successfully checked.
> Now, when you modified avcheck, it won't work... Strange, yes? ;)
With unmodified avcheck I didn't have any idea what could be wrong. When I
added syslog support I could see that avcheck works and that it communicates
with AvpDaemon. And I liked the idea of seeing its state during execution.
> First, you said that your modified avcheck logs "unexpected return
> code", but did not provide what code it received. I strongly suggest
> you use the unmodified one -- all required info will be available
> anyway (no, I don't want to say that you did some bad things with
> the code, but it was just unnecessary, and a *possible* source of other
> errors). And then post the message it logs (or the reason for the deferred
> mail message).
No. I mean that I modified avcheck to test it. The logs and configs posted here
were with unmodified avcheck.
> Next, it is better to actually test your configuration manually.
> The procedure is described inside the avcheck tarball.
As I said, I did it exactly as described in README.AVP. Up to that point everything
works as expected (and as described). When I give the next command:
/var/spool/avp/uchroot -u avpc / /var/spool/avp/avcheck -n -f root -d /var/spool/avp/./tst -s avp:/var/spool/avp/ctl/AvpSocket root < eicar.txt
I get the line:
Message didn't pass the virus check: infected: EICAR-Test-File
So far, so good.
But when I tried to set up postfix (as described in README.Postfix) it does
not work.
Ralf Hildebrandt pointed me to try a zipped EICAR.TXT. Well, I zipped
eicar.txt and sent it. And surprise, postfix+avcheck+AvpDaemon detected the
virus.
So the new question is: why does it detect the virus in the zipped file but not if I
send the same file as text?
Milan
----------------------------------
OSS, IT Security
Consulting and Management
----------------------------------
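An added example, not part of the original thread or of the avcheck project: a small Python parser over the postfix log lines quoted above. It groups delivery records by queue ID, pairs the copy that went through the `avcheck` content filter (641C217B3B) with the reinjected copy that reached the local mailbox (607E617BFD), and separately lists any filter delivery that did not complete, whose parenthesised detail is the text pipe(8) logged for it. The first four log lines are the ones from the post; the fifth, with queue ID `CONSTRUCTED1`, is a constructed illustration of what a deferred filter delivery looks like in the log and is not from the post.

```python
import re
from collections import defaultdict

# Sample input. Lines 1-4 are the mail.log excerpt quoted in the post;
# line 5 is CONSTRUCTED to show a deferred delivery from the pipe(8) agent.
SAMPLE_LOG = """\
Aug 26 21:19:04 dl postfix/qmgr[2310]: 607E617BFD: from=<mps@rns-nis.co.yu>, size=597, nrcpt=1 (queue active)
Aug 26 21:19:04 dl postfix/smtpd[2319]: disconnect from localhost[127.0.0.1]
Aug 26 21:19:04 dl postfix/pipe[2315]: 641C217B3B: to=<mps@rns-nis.co.yu>, relay=avcheck, delay=38, status=sent (dl.rns-nis.co.yu)
Aug 26 21:19:04 dl postfix/local[2321]: 607E617BFD: to=<mps@rns-nis.co.yu>, relay=local, delay=0, status=sent (mailbox)
Aug 26 21:25:10 dl postfix/pipe[2340]: CONSTRUCTED1: to=<mps@rns-nis.co.yu>, relay=avcheck, delay=5, status=deferred (temporary failure. Command output: unexpected return code 3)
"""

# Matches only per-recipient delivery records ("to=<...>, relay=..., status=...");
# qmgr and smtpd lines are skipped because they carry no delivery status.
DELIVERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<agent>\w+)\[\d+\]: "
    r"(?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+), "
    r"delay=(?P<delay>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)


def parse_deliveries(text):
    """Return one dict per delivery record found in the log text."""
    deliveries = []
    for line in text.splitlines():
        m = DELIVERY_RE.match(line)
        if m:
            d = m.groupdict()
            d["delay"] = float(d["delay"])
            deliveries.append(d)
    return deliveries


def summarize(deliveries):
    """Map each queue ID to the (relay, status) pairs logged for it."""
    by_qid = defaultdict(list)
    for d in deliveries:
        by_qid[d["qid"]].append((d["relay"], d["status"]))
    return dict(by_qid)


def round_trips(deliveries, filter_relay="avcheck"):
    """Pair a copy that was handed to the content filter with the reinjected
    copy that reached final delivery for the same recipient. The two copies
    have different queue IDs, which is why the post's log shows two of them."""
    checked = [d for d in deliveries if d["relay"] == filter_relay and d["status"] == "sent"]
    final = [d for d in deliveries if d["relay"] != filter_relay and d["status"] == "sent"]
    return [(c["qid"], f["qid"]) for c in checked for f in final if c["rcpt"] == f["rcpt"]]


def filter_problems(deliveries, filter_relay="avcheck"):
    """Filter deliveries that did not complete. The detail text is what
    pipe(8) logged, i.e. the reason the mail was deferred or bounced."""
    return [(d["qid"], d["status"], d["detail"]) for d in deliveries
            if d["relay"] == filter_relay and d["status"] != "sent"]


if __name__ == "__main__":
    recs = parse_deliveries(SAMPLE_LOG)
    for qid, hops in summarize(recs).items():
        print(qid, hops)
    print("filter round trips:", round_trips(recs))
    print("filter problems:", filter_problems(recs))
```

Run against a real mail.log, the `round_trips` output confirms that a message was checked and reinjected, while an empty `filter_problems` list is what the quoted advice predicts for a working setup: if AvpDaemon had returned something the filter could not handle, the deferred record and its reason would appear there rather than needing a modified avcheck to log it.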