[Exim] exiscan and DrWeb daemon client

Author: sharun
Date:  
To: exim-users
Subject: [Exim] exiscan and DrWeb daemon client
exim-4.10, last exiscan, drweb 4.29.

1. Launch drweb daemon
2. Save infected message from mutt
3. Test with drwebdc. Woah! Virus found
4. Doing modification of exim.conf:
# Exiscan options ========================
exiscan_condition = \
    ${if or {{eq{$received_protocol}{esmtp}} \
             {eq{$received_protocol}{smtp}}}  \
             {1}{0} }
exiscan_crypt_salt = Ps
exiscan_unpack_mime = false
exiscan_av_condition = 1
exiscan_av_action = reject
exiscan_av_scanner = cmdline
exiscan_av_scanner_path = /usr/local/drweb/bin/drwebdc
exiscan_av_scanner_options = -h -rv -q -f|
exiscan_timeout = 60s
exiscan_av_scanner_regexp_trigger = infected with
exiscan_av_scanner_regexp_description = 'infected with (.*)'
# ================ End of exiscan options


I resend infected attachments through .forward on a remote MTA back to myself,
but no luck: exiscan-drwebdc says Ok for those mails. In another test
(I sent mail to a host without a listener on tcp/25) I drwebdc'ed
(manually) the -D file in the exim spool - the test was positive (virus was found).
Second - I found some bugs in exiscan - the first with DoubleCR.XX, and the second
with some mailing list in .DE
First (doublecr) - wrong detection of exploit, resulting in garbage in maillog.
Second (mailing list) - unknown bug in exiscan that takes down exim with
signal 11, resulting in garbage in $EXIMSPOOL/scan and $EXIMSPOOL/incoming.

--
VVS56-RIPE