[exim] Virus scanning with Sophos Sweep

Author: Christian Schmidt
Date:  
To: exim-users
Subject: [exim] Virus scanning with Sophos Sweep
Dear exim-users,

I'm just doing some experiments with exim (4.34, including the
exiscan-acl patch) on a Debian Sarge System.
It seems I can't get Sophos Sweep to work together with exim.
Whenever I submit a message containing the EICAR test string, sweep is
started (as top tells me), but exim accepts and delivers the mail.

When switching to the f-prot scanner, it is rejected at SMTP time -
just as I configured it.

For the activation of f-prot, I'm using the line
    av_scanner = cmdline:/usr/bin/f-prot %s:Infection:Infection. (.+)$
in my exim.conf, and for trying out Sophos, I changed it to
    av_scanner = cmdline:/usr/local/bin/sweep -all -rec -archive %s:found:'(.+)'
according to the exiscan docs.


When running sweep manually, the EICAR test signature is detected:
>>> Virus 'EICAR-AV-Test' found in file /home/christian/Downloads/eicar.com


And here's what happens when feeding the EICAR test string to exim
with the Sophos scanner activated:

christian@server|6:~/Downloads$ swaks -l swaksrc
=== Trying localhost:825...
=== Connected to localhost.
<- 220 server.linau.de ESMTP Exim 4.34 Sun, 28 Nov 2004 17:18:51 +0100
-> EHLO server.linau.de
<- 250-server.linau.de Hello localhost [127.0.0.1]
<- 250-SIZE 10485760
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> MAIL FROM:<me@???>
<- 250 OK
-> RCPT TO:<me@???>
<- 250 Accepted
-> DATA
<- 354 Enter message, ending with "." on a line by itself
-> [EICAR-SIGNATURE]
-> .
<- 250 OK id=1CYRlD-0002uI-D7
-> QUIT
<- 221 server.linau.de closing connection
=== Connection closed by foreign host.

After "submitting" the string within the DATA command, it takes a
while until exim reports OK followed by the message ID.

Same procedure with f-prot activated:

christian@server|6:~/Downloads$ swaks -l swaksrc
=== Trying localhost:825...
=== Connected to localhost.
<- 220 server.linau.de ESMTP Exim 4.34 Sun, 28 Nov 2004 17:22:06 +0100
-> EHLO server.linau.de
<- 250-server.linau.de Hello localhost [127.0.0.1]
<- 250-SIZE 10485760
<- 250-PIPELINING
<- 250-STARTTLS
<- 250 HELP
-> MAIL FROM:<me@???>
<- 250 OK
-> RCPT TO:<me@???>
<- 250 Accepted
-> DATA
<- 354 Enter message, ending with "." on a line by itself
-> [EICAR-SIGNATURE]
-> .
<** 550 This message contains malware (EICAR_Test_File)
-> QUIT
<- 221 server.linau.de closing connection

The 550 result comes back much faster than with Sophos...

Has anyone got a clue why Sophos doesn't recognize the EICAR test
signature when invoked by exim?

Thanks in advance,
Christian Schmidt
-- 
Angels? Poultry for cannibals.
        -- Stanislaw Jerzy Lec (real name S. J. de Tusch-Letz)
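The av_scanner lines quoted in the post use the exiscan "cmdline:" scanner type, whose fields are colon-separated: the command with a %s placeholder for the directory holding the unpacked message, a trigger regex that marks the output as infected when it matches, and a name regex whose first group yields the malware name. The following script is an added example (not code from the post, from exiscan or from Exim) that mimics that evaluation on captured scanner output, so the two regexes can be checked offline and separated from the question of what sweep actually prints when Exim invokes it. The scanner output samples, the spool path and the tightened sweep setting are constructed for this example; the "unknown" fallback when the trigger fires but the name regex does not match is this example's own convention.

```python
"""Offline check of an exiscan "cmdline:" av_scanner setting.

Added example, not code from the post, from exiscan or from Exim. It mimics
what the cmdline scanner type does with a scanner's output: the trigger regex
is searched for in the output (a match means "infected"), and the first group
of the name regex supplies the malware name. Feed it captured output from the
real scanner to tell "the regexes are wrong" apart from "the scanner never saw
or never reported the file". The "unknown" name fallback and the sample
outputs are this example's own, not exiscan's.
"""
import re

# The two av_scanner values quoted in the post.
SWEEP_SCANNER = "cmdline:/usr/local/bin/sweep -all -rec -archive %s:found:'(.+)'"
FPROT_SCANNER = "cmdline:/usr/bin/f-prot %s:Infection:Infection. (.+)$"

# Hypothetical tightened sweep setting: anchor the trigger on the report line
# instead of the bare word "found", which may also occur in a clean summary.
TIGHT_SWEEP_SCANNER = "cmdline:/usr/local/bin/sweep -all -rec -archive %s:^>>> Virus:'(.+)'"

# Scanner output samples, constructed for this example. The sweep line follows
# the one quoted in the post; the path stands in for the spool directory that
# exiscan substitutes for %s. The f-prot line is assumed from the regex alone.
SWEEP_OUTPUT = (
    ">>> Virus 'EICAR-AV-Test' found in file "
    "/var/spool/exim/scan/1CYRlD-0002uI-D7/1CYRlD-0002uI-D7.eml\n"
)
FPROT_OUTPUT = (
    "/var/spool/exim/scan/1CYRlD-0002uI-D7/1CYRlD-0002uI-D7.eml  "
    "Infection: EICAR_Test_File\n"
)
# Constructed clean-run summary that happens to contain the word "found".
CLEAN_OUTPUT = "1 file swept in 0 seconds.\n0 viruses found.\n"


def parse_cmdline_scanner(av_scanner):
    """Split a cmdline: av_scanner value into (command, trigger_re, name_re).

    The fields are colon-separated, which is why no regex can contain a
    literal ':' (the f-prot name regex in the post uses '.' at that spot).
    """
    kind, command, trigger_re, name_re = av_scanner.split(":", 3)
    if kind != "cmdline":
        raise ValueError("not a cmdline scanner: %r" % kind)
    if "%s" not in command:
        raise ValueError("command has no %s placeholder for the scan directory")
    return command, trigger_re, name_re


def verdict(av_scanner, scanner_output):
    """Return None when the output looks clean, otherwise the malware name.

    Mirrors the cmdline scanner logic: trigger regex anywhere in the output
    means infected; the name is group 1 of the name regex. If the trigger
    fires but the name regex does not match, "unknown" is returned (this
    example's convention) so the hit is never silently downgraded to clean.
    """
    _, trigger_re, name_re = parse_cmdline_scanner(av_scanner)
    if not re.search(trigger_re, scanner_output, re.MULTILINE):
        return None
    m = re.search(name_re, scanner_output, re.MULTILINE)
    if m and m.lastindex:
        return m.group(1)
    return "unknown"


def scan_command(av_scanner, scan_dir):
    """Return the command line exiscan would run for a given scan directory."""
    command, _, _ = parse_cmdline_scanner(av_scanner)
    return command.replace("%s", scan_dir)


if __name__ == "__main__":
    for label, scanner, output in (
        ("sweep / eicar", SWEEP_SCANNER, SWEEP_OUTPUT),
        ("f-prot / eicar", FPROT_SCANNER, FPROT_OUTPUT),
        ("sweep / clean", SWEEP_SCANNER, CLEAN_OUTPUT),
        ("sweep tightened / clean", TIGHT_SWEEP_SCANNER, CLEAN_OUTPUT),
    ):
        print("%-24s -> %s" % (label, verdict(scanner, output)))
    print(scan_command(SWEEP_SCANNER, "/var/spool/exim/scan/1CYRlD-0002uI-D7"))
```

To use it against the real thing: take the command line that scan_command() prints, run it as the user Exim runs as against a directory containing the EICAR file, capture stdout, and pass that text to verdict(). If it returns the name, the av_scanner regexes are fine and the difference must lie in what sweep sees or prints when started from Exim rather than from a shell; if it returns None, the regexes do not match the scanner's real output. The CLEAN_OUTPUT case shows the opposite pitfall of a trigger word as loose as "found": a clean summary that contains it would be reported as malware.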