Re: [Exim] Anti Virus cmdline call

Author: Frank S. Bernhardt
Date:  
To: tlabs
CC: exim-users
Subject: Re: [Exim] Anti Virus cmdline call
Interesting problem.

I just got my 4.22 system working with exiscan/sophos and used these
exact same config commands.

Mine works perfectly.

Here is the resultant bounce:

>>>>>>>>>>>>>>>

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

   bcsi1@???
     (generated from bcsi1@tauron)
     SMTP error from remote mailer after end of data:
     host tauron.bcsi1.com [207.112.1.41]: 550 This message contains
malware (EICAR-AV-Test)


------ This is a copy of the message, including all the headers. ------

Return-path: <frank@???>
Received: from freya.bcsi1.com ([207.112.1.40] helo=bcsi.ca)
    by bcsisco.bcsi1.com with asmtp (Exim 4.201)
    id 19xT0p-0005Uc-DX
    for bcsi1@tauron; Thu, 11 Sep 2003 11:05:35 -0400
Message-ID: <3F608EE5.5070702@???>
Date: Thu, 11 Sep 2003 11:04:05 -0400
From: "Frank S. Bernhardt" <frank@???>
Reply-To:  frank@???
Organization: b.c.s.i.
User-Agent: Mozilla/5.0 (Windows; U; Win95; en-US; rv:1.3.1) Gecko/20030425
X-Accept-Language: en-us, en
MIME-Version: 1.0
To:  bcsi1@???
Subject: eicar
Content-Type: multipart/mixed;
  boundary="------------060603090706030003020701"


This is a multi-part message in MIME format.
--------------060603090706030003020701
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit


--
Regards
Frank S. Bernhardt
b.c.s.i.
14 Halton Court
Markham, ON. Canada
L3P 6R3
905-471-1691 Voice
905-471-3016 FAX
frank@???
Registered Linux-User #312398 with the Linux Counter, http://counter.li.org.
--------------060603090706030003020701
Content-Type: text/plain; name="eicar.com"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="eicar.com"

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
--------------060603090706030003020701--
<<<<<<<<<<<<<<<

Are you using the latest version of Exim along with the matching exiscan
patch?

I tried using sophie to get the performance bonus but it won't compile
on my SCO Openserver O/S. Neither will Clamav.

But for low volumes of e-mail, the command line interface should be ok.

tlabs wrote:
> Ok, I have been through everything I can possibly think of here with sophos sweep and exim but it just wasn't picking
> the test virus up whatsoever.
>
> This was very worrying.
>
> I decided to check out CLAMAV. I installed it and configured exim and an ACL and it worked first time.
> This solves my immediate problem of viruses coming in through mail but it leaves the issue of what was wrong with
> sophos. I replicated someone else's setup exactly for sophos after sending the list the first mail (thanks for that) but
> it just failed to work at all.
>
> This was quite alarming so I guess the next step is to set up a test box and find out why ...
>
> On Fri, Sep 05, 2003 at 05:46:53PM +0100, tlabs wrote:
>
>>Hi list,
>>
>>I'm not sure why but exiscan doesn't seem to be scanning mail for viruses
>>from an ACL.
>>
>>Received: from mailnull  by mail1.accelerate.uk.com with spam-scanned
>>X-Spam-Score: -12.2 (------------)
>>X-Scanner: exiscan for exim4 (http://duncanthrax.net/exiscan/)
>>*19vJcq-000IxW-Ev*G2GLZZzdGds*
>>X-Spam-Status: No, hits=0.0 required=5.0
>>        tests=none
>>        version=2.55
>>X-Spam-Level:
>>X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)
>>
>>
>>
>>body of mail:
>>
>>[-- Attachment #2: eicar.com --]
>>[-- Type: application/x-msdos-program, Encoding: quoted-printable, Size:
>>0.1K --]
>>Content-Type: application/x-msdos-program
>>Content-Disposition: attachment; filename="eicar.com"
>>Content-Transfer-Encoding: quoted-printable
>>
>>
>>as you can see this is a test virus to test that ACLs are working.
>>
>>in my conf file I have this:
>>
>>acl_smtp_data = check_message
>>av_scanner = cmdline:\
>>              /usr/local/bin/sweep -all -rec -archive %s:\
>>              found:'(.+)'
>>
>>
>>and within the ACL check_message I have the following:
>>
>>  # Reject virus infested messages.
>>  deny message = This message contains malware ($malware_name)
>>       demime = *
>>       malware = *
>>
>>
>>The virus gets through without any problem whatsoever.
>>
>>Can anyone tell me why it isn't picked up or if perhaps my configuration is
>>wrong, could someone point me in the right direction?
>>
>>many thanks
>>--
>>tlabs    tlabs@???
>>-----------------------------------------------
>>#include <beer.h>
>>while(me != horizontal){getpint();drinkpint();}
>>Everyone should believe in something.
>>I believe Ill have another beer!!!!
>>-----------------------------------------------
>>
>>
>>--
>>
>>## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>>
>
>
> --
> tlabs    tlabs@???
> -----------------------------------------------
> #include <beer.h>
> while(me != horizontal){getpint();drinkpint();}
> Everyone should believe in something.
> I believe Ill have another beer!!!!
> -----------------------------------------------
>
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>


--

Regards

Frank S. Bernhardt
b.c.s.i.
14 Halton Court
Markham, ON. Canada
L3P 6R3

905-471-1691 Voice
905-471-3016 FAX

frank@???

Registered Linux-User #312398 with the Linux Counter, http://counter.li.org.
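The following is an added example, not code from this thread, from Exim or from exiscan. It is a small Python emulation of what the quoted `av_scanner = cmdline:...` line and the `deny message = ... malware = *` ACL statement do with a scanner's output, using the exact spec and deny message from the post (the backslash continuation lines joined into one string, as Exim does). Assumptions: the sample sweep output lines are constructed, modelled on the Sophos report line `>>> Virus '<name>' found in file <path>`; the scan directory path only reuses the spool id from the bounce above; treating a trigger hit with no name match as "unknown" is an assumption about Exim's behaviour, not taken from the page.

```python
import re

# Emulation of the exiscan "cmdline" scanner type as used in the thread:
#   av_scanner = cmdline:<command, %s = scan directory>:<trigger regex>:<name regex>
# This is the post's spec with Exim's backslash continuation lines joined.
AV_SCANNER = "cmdline:/usr/local/bin/sweep -all -rec -archive %s:found:'(.+)'"

# The ACL deny text from the post; $malware_name is expanded at deny time.
DENY_MESSAGE = "This message contains malware ($malware_name)"

# Constructed sample scanner output (modelled on Sophos sweep's report line;
# the exact wording of a real sweep run is an assumption, not taken from the page).
SCAN_DIR = "/var/spool/exim/scan/19xT0p-0005Uc-DX"   # spool id reused from the bounce
SWEEP_INFECTED = [
    "SWEEP virus detection utility",
    f">>> Virus 'EICAR-AV-Test' found in file {SCAN_DIR}/eicar.com",
    "1 file swept in 1 second.",
    "1 virus was discovered.",
]
SWEEP_CLEAN = [
    "SWEEP virus detection utility",
    "1 file swept in 1 second.",
    "No viruses were discovered.",
]
# Same detection, but a scanner build that words its report differently (constructed).
SWEEP_OTHER_WORDING = [
    f">>> Virus 'EICAR-AV-Test' detected in {SCAN_DIR}/eicar.com",
]


def parse_cmdline_spec(spec):
    """Split 'cmdline:<command>:<trigger>:<name regex>' into its three fields.
    Assumes the command itself contains no colon (true for the post's config)."""
    kind, _, rest = spec.partition(":")
    if kind != "cmdline":
        raise ValueError(f"unsupported scanner type: {kind!r}")
    fields = rest.split(":")
    if len(fields) != 3:
        raise ValueError("cmdline spec needs exactly command:trigger:name_regex")
    return tuple(f.strip() for f in fields)


def build_command(command_template, scan_dir):
    """Substitute %s with the per-message directory exiscan unpacks the MIME parts into."""
    return command_template.replace("%s", scan_dir)


def extract_name(name_regex, line):
    """Apply the name regex to one output line; the first capture group is the name."""
    m = re.search(name_regex, line)
    if not m:
        return None
    return m.group(1) if m.groups() else m.group(0)


def malware_name(output_lines, trigger, name_regex):
    """Return the malware name if any output line matches the trigger regex.
    Returns None when no line hits the trigger: the message is then treated as clean,
    however loudly the scanner may have reported something in other words."""
    trig = re.compile(trigger)
    for line in output_lines:
        if trig.search(line):
            # Trigger hit means infected; a name-regex miss still blocks (name assumed "unknown").
            return extract_name(name_regex, line) or "unknown"
    return None


def acl_verdict(spec, output_lines):
    """Emulate 'deny message = ... / malware = *': return the deny text, or None to accept."""
    _command, trigger, name_regex = parse_cmdline_spec(spec)
    name = malware_name(output_lines, trigger, name_regex)
    if name is None:
        return None
    return DENY_MESSAGE.replace("$malware_name", name)


if __name__ == "__main__":
    cmd, trig, name_re = parse_cmdline_spec(AV_SCANNER)
    print("would run:", build_command(cmd, SCAN_DIR))
    for label, out in (("infected", SWEEP_INFECTED), ("clean", SWEEP_CLEAN),
                       ("other wording", SWEEP_OTHER_WORDING)):
        print(f"{label:14}: {acl_verdict(AV_SCANNER, out)}")
```

The useful check this makes visible: the ACL only ever sees what the trigger regex matches, so the first thing to compare when EICAR sails through is the scanner's real output against the trigger (`found` here). Running the same `sweep` command by hand on a copy of the scan directory, as the Exim user would, shows whether the report line is worded as the regex expects. Note also that the name regex `'(.+)'` is greedy: it works on a report line with one quoted field, but on a line with two quoted fields it would capture everything between the first and last quote, where `'(.+?)'` captures only the first.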