I know this is an older thread.
Today I attempted to use uvscan as listed in this thread. While uvscan is
detecting and cleaning or erroring on the virus, sanitizer is returning a
non-zero return code, and procmail is interpreting it as a program failure.
At that point, it recovers the prefiltered mail, and sends the attachment
uncleaned.
The log entry states:
Sanitizer (start="1029362944"):
Part (pos="1020"):
SanitizeFile (filename="unnamed.txt", mimetype="TEXT/PLAIN"):
Match (rule="2"):
Enforced policy: accept
Part (pos="1113"):
SanitizeFile (filename="eicar2.zip", mimetype="APPLICATION/zip"):
Match (rule="3"):
ScanFile (file="/var/quarantine/att-eicar2.zip-3d5ad500.AH"):
File was infected, the virus checker couldn't fixed it.
Enforced policy: drop
Replaced mime type with: text/plain
Replaced file name with: RENAME_FILE_TO_USE-43960.txt
Total modifications so far: 1
procmail: Program failure (1) of "/usr/local/anomy/bin/sanitizer.pl"
procmail: Rescue of unfiltered data succeeded
My sanitizer config lines which affect scanning:
file_list_3_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean --noexpire --analyze --panalyze --unzip %FILENAME
file_list_3_policy = accept:mangle:drop!:save
file_list_3 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
file_list_3 += |class|upd|wp\d?|m?db|snp|vsd
file_list_3 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
file_list_3 += )(\.g?z|\.bz\d?)*\.?$
# uvscan returns 0 clean, 19 infected, but cleaned, 12 or 13 for infected
file_list_4_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean --noexpire --analyze --panalyze --unzip %FILENAME
file_list_4_policy = accept:mangle:drop!:save
file_list_4 = ^[^\.]+$
Any thoughts on what I can change so that procmail still receives a returned
zero?
-Rick
-------------------------------------------------------
Rick Johnson, Red Hat Certified Engineer - 50536@xyz.molar.is
Linux/WAN Administrator - Medata, Inc.
----- Original Message -----
From: "Ron 'The InSaNe OnE' Rosson" <50625@xyz.molar.is>
To: "alex morris" <50665@xyz.molar.is>
Cc: <50575@xyz.molar.is>
Sent: Thursday, July 25, 2002 9:50 AM
Subject: Re: [anomy-list]: uvscan with anmomy
Using the bash script below and sending test e-mails here is
what I have:
procmail log output:
procmail: [20487] Thu Jul 25 09:47:09 2002
procmail: Assigning "PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/local/bin"
procmail: Assigning "SHELL=/bin/sh"
procmail: Assigning "ANOMY=/usr/local/anomy/"
procmail: Executing "/usr/local/anomy/bin/sanitizer.pl,/usr/local/etc/anomy.conf"
Current procmailrc:
LOGFILE=/var/log/anomy.log
LOGABSTRACT=all
VERBOSE=yes
PATH="/usr/bin:$PATH:/usr/local/bin"
SHELL=/bin/sh
# Call Anomy
ANOMY=/usr/local/anomy/
:0fw
| /usr/local/anomy/bin/sanitizer.pl /usr/local/etc/anomy.conf
Virus scanner is still not kicking off so to speak.
Any Ideas?
TIA
On Wednesday, July 24, 2002 at 21:34:40, alex morris wrote:
> The only way to know what is going on is to somehow trap the exit codes
> from the scanner, and compare them to what you told the sanitizer to do.
>
> I would temporarily eliminate SpamAssassin to simplify the problem.
> I would then make a wrapper script around the virus scan command you
> call within the sanitizer to trap the error codes. Something like
>
> /usr/local/bin/uvscan.sh
>
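> #!/bin/bash -xv
> # Baseline: value of $? before the scanner runs.
> bc=$?
> /usr/local/bin/uvscan -c "$1"
> # Capture the scanner's exit status immediately.
> ac=$?
> echo "before was $bc, after was $ac"
> # Return the scanner's status so the sanitizer still sees it.
> exit "$ac"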
>
> You should now be able to see the exit codes the scanner returns for the
> various conditions.
>
> I would also suggest making your policy
>
> file_list_4_policy = accept:save:save:save
>
> Deleting attachments out of hand isn't the right thing to do, but
> neither is accepting something that is still potentially harmful.
>
> If that doesn't work, you might try changing your command line to use
> the --clean flag instead of just -c, like Geoff suggested.
>
> alex
>
>
> 50625@xyz.molar.is wrote:
>
> > On Wednesday, July 17, 2002 at 13:20:17, Geoff Seeley wrote:
> >
> > ----- Original Message -----
> > From: "Ron 'The InSaNe OnE' Rosson" <50625@xyz.molar.is>
> > To: <50575@xyz.molar.is>
> > Sent: Wednesday, July 17, 2002 11:36 AM
> > Subject: [anomy-list]: uvscan with anmomy
> >
> > Ok Tried that and it is still not working.. So I am going to
> > include the configuration file along with the procmailrc
> > file. Maybe I misread something or missed something.
> >
> > <begin anomy configuration>
> > #
>
--
----------------------------------------------------------------------------
Ron Rosson                    ... and a UNIX user said ...
The InSaNe One                          rm -rf *
50625@xyz.molar.is            and all was /dev/null and *void()
----------------------------------------------------------------------------
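
Added example, not part of the thread: the log in the first message shows the filter failing open (sanitizer.pl exits 1, procmail rescues the unfiltered mail and delivers it). The script below finds that sequence in a combined sanitizer/procmail log. The function names and output format are this example's own, and the sample log is constructed from the lines quoted above plus one invented clean message.

```shell
#!/bin/sh
# Added example (not from the thread): report every message that procmail
# delivered unfiltered because the sanitizer filter exited non-zero.

# Reads a combined sanitizer/procmail log on stdin and prints one line per
# fail-open event: filter exit code, filter path, and the quarantine path of
# the attachment the sanitizer had reported as infected.
fail_open_events() {
    awk '
    /^Sanitizer \(start=/ { scanned = ""; infected = "" }   # new message
    /ScanFile \(file="/   { split($0, q, "\""); scanned = q[2] }
    /File was infected/   { infected = scanned }
    /^procmail: Program failure \([0-9]+\) of "/ {
        code = $0
        sub(/^.*failure \(/, "", code); sub(/\).*$/, "", code)
        split($0, p, "\""); filter = p[2]
        pending = 1       # only counts if the rescue line comes next
        next
    }
    pending && /^procmail: Rescue of unfiltered data succeeded/ {
        printf "FAIL-OPEN exit=%s filter=%s infected=%s\n",
               code, filter, (infected == "" ? "-" : infected)
    }
    { pending = 0 }
    '
}

# Constructed sample: first message mirrors the log quoted in the thread,
# second message is an invented clean delivery that must not be reported.
sample_log() {
    cat <<'EOF'
Sanitizer (start="1029362944"):
  SanitizeFile (filename="eicar2.zip", mimetype="APPLICATION/zip"):
    ScanFile (file="/var/quarantine/att-eicar2.zip-3d5ad500.AH"):
      File was infected, the virus checker couldn't fixed it.
      Enforced policy: drop
procmail: Program failure (1) of "/usr/local/anomy/bin/sanitizer.pl"
procmail: Rescue of unfiltered data succeeded
Sanitizer (start="1029363000"):
  SanitizeFile (filename="notes.txt", mimetype="TEXT/PLAIN"):
    Enforced policy: accept
EOF
}

sample_log | fail_open_events
```

Run against a real log with `fail_open_events < /var/log/anomy.log`; any output line is a message that reached the mailbox without sanitizing.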