Hello all,
I'm at my wits' end trying to get exiscan 4.10-13 working. When I send
myself an infected message either locally or from a remote host the
message is scanned, but is still delivered.
Here are my exiscan_ options from my config file:
# Exiscan globals
exiscan_condition = 1
exiscan_crypt_salt = ff
exiscan_unpack_mime = true
exiscan_timeout = 5m
# exiscan antivirus options
exiscan_av_condition = 1
exiscan_av_action = reject
exiscan_av_scanner = cmdline
exiscan_av_scanner_regexp_trigger = Found
exiscan_av_scanner_regexp_description = (virus .*) in
exiscan_av_scanner_path = /opt/iscan/vscan
exiscan_av_scanner_options = -a -za -r -u -sd -y5 |
Now the really strange part is that exim runs the scanner and the virus
is detected, but exim acts like the virus regexp did not match. I
created a wrapper that copies the scandir + scanner output to /tmp.
This is the output from the scanner:
Virus Scanner v3.1, VSAPI v5.500-0829
Trend Micro Inc. 1996,1997
Pattern version 341
Pattern number 47101
Configuration: -a -za -r -u -sd -y5
Directory /var/spool/exim/scan/17mdd4-0004Sq-00
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete
check compressed file:width.scr
decompress ok:width.scr
*** Found virus WORM_KLEZ.H in file
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete
*** 1 width.scr in
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete(type
Mime Base 64)
/var/spool/exim/scan/17mdd4-0004Sq-00/textfile0
/var/spool/exim/scan/17mdd4-0004Sq-00/textfile1
/var/spool/exim/scan/17mdd4-0004Sq-00/width.scr
*** Found virus WORM_KLEZ.H in file
/var/spool/exim/scan/17mdd4-0004Sq-00/width.scr
/var/spool/exim/scan/17mdd4-0004Sq-00/textfile2
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-scanner_output
==============================
Directory:
Searched : 1
File:
Searched : 6
Scan : 6
Infected : 2
Infected : 2(Include files been compressed)
Time:
Start : 9/4/02 13:07:46
Stop : 9/4/02 13:07:46
Used : 00:00
I thought it might be my regexp so I tried just 'Virus' hoping to catch
the first line of scanner output regardless of whether a virus is found.
No luck. Exim is running as mail.mail and has permissions to everything
under /var/spool/exim. Any thoughts or similar problems?
Thanks,
-Jeremy
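One way to rule the regexps in or out before digging into exiscan itself: run the captured scanner output through the trigger and description regexps from the config and see what they actually match. The script below is an added example, not part of Jeremy's post or of exiscan's own code. The scanner text is copied from the output above (trimmed), the "clean run" text is constructed for a negative check, and matching line by line is this script's own choice for the test, not a claim about how exiscan consumes the scanner_output file.

```python
import re

# Scanner output copied from the post above (Trend Micro vscan run on the
# Klez sample), trimmed to the lines relevant to the regexps.
SCANNER_OUTPUT = """\
Virus Scanner v3.1, VSAPI v5.500-0829
Trend Micro Inc. 1996,1997
Pattern version 341
Pattern number 47101
Configuration: -a -za -r -u -sd -y5
check compressed file:width.scr
decompress ok:width.scr
*** Found virus WORM_KLEZ.H in file
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete
*** 1 width.scr in
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete(type
Mime Base 64)
*** Found virus WORM_KLEZ.H in file
/var/spool/exim/scan/17mdd4-0004Sq-00/width.scr
Infected : 2
"""

# Constructed clean-run output (not from the post) for a negative check.
CLEAN_OUTPUT = """\
Virus Scanner v3.1, VSAPI v5.500-0829
Trend Micro Inc. 1996,1997
Infected : 0
"""

# The two regexps from the exiscan_av_scanner_* options in the post.
TRIGGER = r"Found"
DESCRIPTION = r"(virus .*) in"


def check_regexps(output, trigger=TRIGGER, description=DESCRIPTION):
    """Apply a trigger/description regexp pair to scanner output, line by line.

    Returns (triggered, descriptions): triggered is True if any line matches
    the trigger regexp; descriptions holds the first capture group of the
    description regexp for every line it matches. Line-by-line matching is
    this script's own choice for the test, not a statement about exiscan.
    """
    trig = re.compile(trigger)
    desc = re.compile(description)
    triggered = False
    descriptions = []
    for line in output.splitlines():
        if trig.search(line):
            triggered = True
        m = desc.search(line)
        if m:
            descriptions.append(m.group(1))
    return triggered, descriptions


if __name__ == "__main__":
    for name, out in (("infected", SCANNER_OUTPUT), ("clean", CLEAN_OUTPUT)):
        hit, descs = check_regexps(out)
        print(f"{name}: trigger matched={hit}, descriptions={descs}")
    # The looser trigger the post also tried; it matches the banner line of
    # every run, so it should fire even on a clean message.
    print("'Virus' on clean run:", check_regexps(CLEAN_OUTPUT, trigger="Virus")[0])
```

Both regexps match the pasted output as intended: `Found` fires on the two detection lines and `(virus .*) in` captures `virus WORM_KLEZ.H` from each, and the fallback trigger `Virus` matches the banner line of any run. If the regexps behave like this on the saved output, the regexps themselves are not why the message is still delivered, and attention should move to how exiscan reads the scanner_output file and acts on the result.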