[Exim] exim 4.10 + exiscan 4.10-14

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Jeremy Koch
Fecha:  
A: exim-users
Asunto: [Exim] exim 4.10 + exiscan 4.10-14
Hello all,

I'm at wits-end trying to get exiscan 4.10-13 working. When I send
myself an infected message either locally or from a remote host the
message is scanned, but is still delivered.

Here are my exiscan_ options from my config file:

# Exiscan globals

exiscan_condition = 1
exiscan_crypt_salt = ff
exiscan_unpack_mime = true
exiscan_timeout = 5m

# exiscan antivirus options
exiscan_av_condition = 1
exiscan_av_action = reject
exiscan_av_scanner = cmdline
exiscan_av_scanner_regexp_trigger = Found
exiscan_av_scanner_regexp_description = (virus .*) in
exiscan_av_scanner_path = /opt/iscan/vscan
exiscan_av_scanner_options = -a -za -r -u -sd -y5 |

Now the really strange part is the exim runs the scanner, the virus is
detected but exim acts like the virus regexp was not detected. I
created a wrapper that copies the scandir + scanner output to /tmp.
This is the output from the scanner:

Virus Scanner v3.1, VSAPI v5.500-0829
Trend Micro Inc. 1996,1997
    Pattern version 341
    Pattern number 47101
Configuration: -a -za -r -u -sd -y5
Directory /var/spool/exim/scan/17mdd4-0004Sq-00
    /var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete
        check compressed file:width.scr
        decompress ok:width.scr
*** Found virus WORM_KLEZ.H in file
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete
***     1 width.scr in
/var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-complete(type
Mime Base 64)
    /var/spool/exim/scan/17mdd4-0004Sq-00/textfile0
    /var/spool/exim/scan/17mdd4-0004Sq-00/textfile1
    /var/spool/exim/scan/17mdd4-0004Sq-00/width.scr
*** Found virus WORM_KLEZ.H in file
/var/spool/exim/scan/17mdd4-0004Sq-00/width.scr
    /var/spool/exim/scan/17mdd4-0004Sq-00/textfile2
    /var/spool/exim/scan/17mdd4-0004Sq-00/17mdd4-0004Sq-00-scanner_output


==============================
Directory:
    Searched : 1
File:
    Searched : 6
        Scan : 6
    Infected : 2
    Infected : 2(Include files been compressed)
Time:
    Start : 9/4/02 13:07:46
     Stop : 9/4/02 13:07:46
     Used : 00:00


I thought it might be my regexp so I tried just 'Virus' hoping to catch
the first line of scanner output regardless if a virus is found or not.
No luck. Exim is running as mail.mail and has permissions to everything
under /var/spool/exim. Any thoughts or simular problems?

Thanks,

-Jeremy