Hello [EMAIL PROTECTED],

Short version: Sophos sweep started from qmail-scanner-queue.pl doesn't
actually scan attachments and can't catch a virus. What can it be?

  I installed qmail-scanner 1.16 with Sophos sweep. Time passed and I
  thought that they worked great together, but I received a virus by
  e-mail and started looking through the log files, and that's what I saw:
====================
>here it starts
06/06/2003 03:40:04:21842: +++ starting debugging for process 21842 by uid=508 at 06/06/2003 03:40:04
06/06/2003 03:40:04:21842: setting UID to EUID so subprocesses can access files generated by this script
06/06/2003 03:40:04:21842: program name is qmail-scanner-queue.pl, version 1.16
06/06/2003 03:40:04:21842: incoming SMTP connection from via smtp from 212.19.2.83
06/06/2003 03:40:04:21842: w_c: mkdir /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842
06/06/2003 03:40:04:21842: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/ns2.gidro-service.ru105485640442621842 [1054856404.47056]
06/06/2003 03:40:04:21842: w_c: rename new msg from /var/spool/qmailscan/working/tmp/ns2.gidro-service.ru105485640442621842 to /var/spool/qmailscan/working/new/ns2.gidro-service.ru105485640442621842 [1054856405.0149]
06/06/2003 03:40:04:21842: d_m: starting /var/qmail/bin/reformime  -x/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/ </var/spool/qmailscan/working/new/ns2.gidro-service.ru105485640442621842 [1054856405.0154]
06/06/2003 03:40:04:21842: d_m: finished /var/qmail/bin/reformime  -x/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/ [1054856405.03304]
06/06/2003 03:40:04:21842: d_m: Checking all attachments to see if they're MS-TNEF
06/06/2003 03:40:04:21842: d_m: is /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/1054856405.21845-0.ns2.gidro-service.ru is a TNEF file?: 256 [1054856405.03591]
06/06/2003 03:40:04:21842: d_m: is /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/g1.cdr.exe is a TNEF file?: 256 [1054856405.03866]
06/06/2003 03:40:04:21842: d_m: Manually unpack any zip files as some virus scanners don't do zip under Unix!
>here we see the file with the virus "g1.cdr.exe"
06/06/2003 03:40:04:21842: d_m: potential zip archive file found (g1.cdr.exe).
06/06/2003 03:40:04:21842: d_m: it is possibly a zip file, run unzip -Pxxxxx -t /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/g1.cdr.exe
06/06/2003 03:40:04:21842: d_m: not a recognisable zip file (Archive:  /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/g1.cdr.exe
  End-of-central-directory signature not found.  Either this file is not
  a zipfile, or it constitutes one disk of a multi-part archive.  In the
  latter case the central directory and zipfile comment will be found on
  the last disk(s) of this archive.
unzip:  cannot find zipfile directory in one of /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/g1.cdr.exe or
        /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/g1.cdr.exe.zip, and cannot find /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/g1.cdr.exe.ZIP, period.
)
06/06/2003 03:40:04:21842: d_m: unpacking message took 0.027747 seconds
06/06/2003 03:40:04:21842: unsetting QMAILQUEUE env var
06/06/2003 03:40:04:21842: g_e_h: return-path is "[EMAIL PROTECTED]", recips is "[EMAIL PROTECTED]-service.ru"
06/06/2003 03:40:04:21842: from= "=?koi8-r?b?4S7sLg==?= =?koi8-r?b?IOvMwNTexc7R?=" <[EMAIL PROTECTED].com>,subj= Re: [Comm] apt-get, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via smtp from 212.19.2.83
06/06/2003 03:40:04:21842: ini_sc: start scanning
06/06/2003 03:40:04:21842: p_s: starting scan of directory "/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842"...
06/06/2003 03:40:04:21842: p_s:  '.ade' = '0' = '.ade - файлы этого типа не разрешены для пересылки на сервер ns2.gidro-service.ru (server ns2.gidro-service.ru doesn't accept files of this type)'
06/06/2003 03:40:04:21842: p_s: type is a size!
>I'll skip all these repeating strings about disallowed file types and
>all other perlscanner stuff
>[ perlscanner skipped]
06/06/2003 03:40:04:21842: p_s: skipping auto-generated file 1054856405.21845-0.ns2.gidro-service.ru
06/06/2003 03:40:04:21842: p_s: checking g1.cdr.exe against perlscanner database...
06/06/2003 03:40:04:21842: p_s: file g1.cdr.exe is lowercased to g1.cdr.exe and has extension .exe
06/06/2003 03:40:04:21842: p_s: compare g1.cdr.exe against perlscanner database
06/06/2003 03:40:04:21842: p_s:  finished scan of dir "/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842" in 0.008319 secs
06/06/2003 03:40:04:21842: ini_sc: recursively scan the directory /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/
06/06/2003 03:40:04:21842: scanloop: starting scan of directory "/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842"...
>here sweep starts
06/06/2003 03:40:04:21842: sweep: starting scan of directory "/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842"...
06/06/2003 03:40:04:21842: run  /usr/local/bin/sweep -f -all -eec -sc -nc -ss -nb -archive  /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842  2>&1
> it returns EMPTY output!!
06/06/2003 03:40:04:21842: --output of sophos sweep was:
--
>no virus found
06/06/2003 03:40:04:21842: sweep: finished scan of dir "/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842" in 0.503162 secs
06/06/2003 03:40:04:21842: scanloop: finished scan of "/var/spool/qmailscan/ns2.gidro-service.ru105485640442621842"...
06/06/2003 03:40:04:21842: ini_sc: scanning message took 0.512156 seconds
06/06/2003 03:40:04:21842: q_r: fork off child into /var/qmail/bin/qmail-queue...
>everything is clear !?! ... there's bugbear inside!!
06/06/2003 03:40:04:21842: qmail-scanner[21842]: Clear: 1.086824 99466 [EMAIL PROTECTED] triton-s[EMAIL PROTECTED] _Re:_[Comm]_apt-get <[EMAIL PROTECTED]> 1054856405.21845-0.ns2.gidro-service.ru:1098 g1.cdr.exe:72192
06/06/2003 03:40:04:21842: cleanup: /bin/rm -rf /var/spool/qmailscan/ns2.gidro-service.ru105485640442621842/ /var/spool/qmailscan/working/new/ns2.gidro-service.ru105485640442621842
06/06/2003 03:40:05:21842: all finished. Total of 1.142822 secs
====================

When I extracted the file and tested the sweep command with the same keys,
it said that there's w32/bugbear-dam ... why can't it see it while run
from the qmail-scanner script? I tried inserting some debug into the
script (besides, I do not know Perl at all) and saw that the files are
actually in the right place - sweep is really scanning them, but it
returns no output to the script ... I tried some other things and nothing
works ... so I'm stuck with it and am asking for your help if you know
what it can be and how it can be repaired.

---
with best regards, Alexander Galitski([EMAIL PROTECTED])
Gidro-Service, http://www.gidro-service.ru/
phone: 8(095)105-7567
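As an added check (not part of this post or of qmail-scanner), a small Python parser for the debug-log format quoted above: it flags every `Clear` verdict whose scanner stage printed no output at all even though a real, non auto-generated attachment was present, which is exactly the pattern in the log above. The sample log lines and addresses are constructed; pid 21842 mirrors the post, pid 21900 is a made-up message where sweep did print a report.

```python
import re
# Constructed excerpt in the qmail-scanner 1.16 debug-log format quoted in the post:
# pid 21842 mirrors the post (empty sweep output, g1.cdr.exe:72192); 21900 is made up.
SAMPLE_LOG = """\
06/06/2003 03:40:04:21842: --output of sophos sweep was:
--
06/06/2003 03:40:04:21842: qmail-scanner[21842]: Clear: 1.086824 99466 sender@example.invalid rcpt@example.invalid _Re:_[Comm]_apt-get <id1@example.invalid> 1054856405.21845-0.ns2.gidro-service.ru:1098 g1.cdr.exe:72192
06/06/2003 03:41:10:21900: --output of sophos sweep was:
1 file swept in 1 second.
No viruses were discovered.
--
06/06/2003 03:41:10:21900: qmail-scanner[21900]: Clear: 0.9 5000 a@example.invalid b@example.invalid hello <id2@example.invalid> 1054856470.21905-0.ns2.gidro-service.ru:900 report.txt:3200
"""

PREFIX = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:(\d+): (.*)$")
OUTPUT_START = re.compile(r"^--output of (.+?) was:$")
CLEAR = re.compile(r"^qmail-scanner\[\d+\]: Clear: ")
AUTOGEN = re.compile(r"^\d+\.\d+-\d+\.")  # qmail-scanner's own body file (1054856405.21845-0.host)


def find_silent_scans(log_text):
    """Clear verdicts whose scanner stage printed nothing despite a real attachment."""
    outputs = {}      # pid -> [scanner name, count of non-blank output lines]
    capturing = None  # pid whose scanner output block we are currently inside
    findings = []
    for raw in log_text.splitlines():
        m = PREFIX.match(raw)
        if m is None:  # scanner output lines and the "--" terminator carry no prefix
            if capturing is not None:
                if raw == "--":
                    capturing = None
                elif raw.strip():
                    outputs[capturing][1] += 1
            continue
        pid, msg = m.group(1), m.group(2)
        start = OUTPUT_START.match(msg)
        if start:
            outputs[pid] = [start.group(1), 0]
            capturing = pid
        elif CLEAR.match(msg):
            # attachments are the trailing "name:size" tokens after the message-id
            files = []
            for tok in msg.rsplit(">", 1)[-1].split():
                name, _, size = tok.rpartition(":")
                if size.isdigit() and not AUTOGEN.match(name):
                    files.append((name, int(size)))
            scanner, nlines = outputs.pop(pid, ["(no scanner output block)", 0])
            if nlines == 0 and files:
                findings.append({"pid": pid, "scanner": scanner, "attachments": files})
    return findings
```

Run it over a real qmail-scanner debug log and every hit is a message that was accepted as clean without the scanner ever reporting on it, which is the condition to investigate (scanner permissions or data files as seen by the scanning user) rather than trust.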


