LOG RESULTS below, thanks for your help!

On Thu, 04 Dec 2003 09:52 , Jason Haar <[EMAIL PROTECTED]> sent:
>On Thu, 2003-12-04 at 04:03, McKeever Chris wrote:
>> I am running qmail-scanner with clamav (0.65)
>> I have one machine that acts as a gateway, and then sends it to the main email
>> server.
>> The gateway is the one with qmailscanner and clamav, the email servers post-MTA
>> (@mail) has a plugin for clamav which scans the file before
>> databasing it.
>>
>> I have noticed since 11/4/03 that there are about 2-4 emails per day that get by
>> the gateway and picked up by the @mail-clamav scan
>> any suggestions? They are typically Exploit.IFrame.Gen and 1 W32/Yaha.g.dam
>>
>
>Are you running clamscan or clamdscan? (i.e. the daemon version). I bet
>it's the latter.
>
>Do you have the qmail-queue.log debug file that contains evidence of
>such a "missed" message? If not, turn it on and don't stop logging until
>you catch another such occurrence. Then you can search that file looking
>for the particular message that "slipped through". At that stage you may
>see why it failed. I'd suspect a bug whereby clamd failed to scan the
>message for some transitory reason, but still exited with a zero error
>status - so Qmail-Scanner can only assume it's OK and carried on.
>
>Let us know what you find.
>

Here is the log of the missed virus; clamscan seems to be returning nothing. Any ideas?

Fri, 05 Dec 2003 05:25:51 -0600:4197: from="Net Delivery Service" <[EMAIL PROTECTED]>,subj=Letter, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> (added by [EMAIL PROTECTED]) via SMTP from 212.216.176.223
Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: start scanning
Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/prupref-mailgate10706235514614197/
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: scanner=clamscan_scanner,plain_text_msg=0
Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: run /usr/local/bin/clamscan -r --disable-summary --max-recursion=10 --max-space=1000000 /var/spool/qmailscan/tmp/prupref-mailgate10706235514614197 2>&1
Fri, 05 Dec 2003 05:25:51 -0600:4197: --output of clamscan was: --
Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: finished scan of dir "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197" in 0.707525 secs
Fri, 05 Dec 2003 05:25:51 -0600:4197: scanloop: finished scan of "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197"...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.chm' = '0' = 'CHM files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.exe' = '0' = 'EXE files need to be zipped for delivery'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.hlp' = '0' = 'HLP files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.hta' = '0' = 'HTA files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.lnk' = '0' = 'LNK files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.mp3' = '0' = 'MP3 files need to be zipped for delivery'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.mpg' = '0' = 'MPG files need to be zipped for delivery'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.pif' = '0' = 'PIF files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.reg' = '0' = 'REG files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.scr' = '0' = 'SCR files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.shs' = '0' = 'SHS files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.vbe' = '0' = 'VBE files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.vbs' = '0' = 'VBS files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.wsf' = '0' = 'WSF files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.wsh' = '0' = 'WSH files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '.xla' = '0' = 'XLA files not allowed per Company security policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love Letter Virus/Trojan'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing subject: ILOVEYOU
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '82:message/partial' = 'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing content-type: message/partial
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '83:[EMAIL PROTECTED]' = 'Virus-MAILFROM' = 'unknown user - mail has been deferred'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing MAILFROM: [EMAIL PROTECTED]
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '86:.{100,}' = 'Virus-date' = 'MIME Header Buffer Overflow'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing date: .{100,}
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '87:.{100,}' = 'Virus-mime-version' = 'MIME Header Buffer Overflow '
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing mime-version: .{100,}
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '88:.{100,}' = 'Virus-resent-date' = 'MIME Header Buffer Overflow'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing resent-date: .{100,}
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: '91:[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED] port.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED] change.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED] net|[EMAIL PROTECTED]' = 'Virus-to' = 'BadTrans Trojan exploit!'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a header!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking for objects containing to: [EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED] change.com|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED] net|[EMAIL PROTECTED]
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: 'zipped_files.exe' = '120495' = 'W32/ExploreZip.worm.pak virus'
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: type is a size!
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: skipping auto-generated file 1070623553.4199-0.prupref-mailgate
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking hranc.bat against perlscanner database...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to hranc.bat and has extension .bat
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare hranc.bat (size 106496,239549) against perlscanner database
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking dd89999fbfa39541 against perlscanner database...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file dd89999fbfa39541 is lowercased to dd89999fbfa39541 and has extension
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare dd89999fbfa39541 (size 4096,303407) against perlscanner database
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: checking hranc.bat against perlscanner database...
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: file hranc.bat is lowercased to hranc.bat and has extension .bat
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: compare hranc.bat (size 106496,239549) against perlscanner database
Fri, 05 Dec 2003 05:25:51 -0600:4197: p_s: finished scan of dir "/var/spool/qmailscan/tmp/prupref-mailgate10706235514614197" in 0.015334 secs
Fri, 05 Dec 2003 05:25:51 -0600:4197: ini_sc: scanning message took 0.724035 seconds
Fri, 05 Dec 2003 05:25:51 -0600:4197: q_r: fork off child into /var/qmail/bin/qmail-queue-bin...
Fri, 05 Dec 2003 05:25:51 -0600:4203: q_r: xstatus=0
Fri, 05 Dec 2003 05:25:51 -0600:4197: cleanup: /bin/rm -rf /var/spool/qmailscan/tmp/prupref-mailgate10706235514614197/ /var/spool/qmailscan/working/new/prupref-mailgate10706235514614197
05/12/2003 05:25:54:4197: all finished. Total of 2.198306 secs
Fri, 05 Dec 2003 05:25:55 -0600:4208: +++ starting debugging for process 4208 by uid=502 at Fri, 05 Dec 2003 05:25:55 -0600
Fri, 05 Dec 2003 05:25:55 -0600:4208: setting UID to EUID so subprocesses can access files generated by this script
Fri, 05 Dec 2003 05:25:55 -0600:4208: program name is qmail-queue, version 1.20
Fri, 05 Dec 2003 05:25:55 -0600:4208: incoming SMTP connection from via SMTP from 66.28.114.190
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: mkdir /var/spool/qmailscan/tmp/prupref-mailgate10706235554614208
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: start dumping incoming msg into /var/spool/qmailscan/working/tmp/prupref-mailgate10706235554614208 [1070623555.64228]
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: primary Content-Type of text/plain found
Fri, 05 Dec 2003 05:25:55 -0600:4208: w_c: rename new msg from /var/spool/qmailscan/working/tmp/prupref-mailgate10706235554614208 to /var/spool/qmailscan/working/new/prupref-mailgate10706235554614208 [1070623555.64666]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: starting /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/ </var/spool/qmailscan/working/new/prupref-mailgate10706235554614208 [1070623555.64737]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: finished /usr/local/bin/reformime -x/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/ [1070623555.66339]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: Checking all attachments to see if they're MS-TNEF
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: is /var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/1070623555.4210-0.prupref-mailgate is a TNEF file?: 256 [1070623555.66951]
Fri, 05 Dec 2003 05:25:55 -0600:4208: d_m: unpacking message took 0.022649 seconds
Fri, 05 Dec 2003 05:25:55 -0600:4208: unsetting QMAILQUEUE env var

Then notice that the second scanner found it; you can see the notification message come back through the gateway (this is all the same log file):

Fri, 05 Dec 2003 05:25:55 -0600:4208: from=<[EMAIL PROTECTED]>,subj=Virus Exploit.IFrame.Gen detected in mail, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 66.28.114.190
Fri, 05 Dec 2003 05:25:55 -0600:4208: This is a PLAIN text message (because it's either not mime, or is text/plain), skip virus scanners - but not SA
Fri, 05 Dec 2003 05:25:55 -0600:4208: ini_sc: start scanning
Fri, 05 Dec 2003 05:25:55 -0600:4208: ini_sc: recursively scan the directory /var/spool/qmailscan/tmp/prupref-mailgate10706235554614208/
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: starting scan of directory "/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208"...
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: scanner=clamscan_scanner,plain_text_msg=1
Fri, 05 Dec 2003 05:25:55 -0600:4208: scanloop: finished scan of "/var/spool/qmailscan/tmp/prupref-mailgate10706235554614208"...
-------------------------------------------
Chris McKeever
If you want to reply directly to me, please use cgmckeever--at--prupref---dot---com
http://www.prupref.com ---- Prudential Preferred Properties www.prupref.com

_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
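The "returning nothing" case in the log above, where the "--output of clamscan was: --" marker is followed directly by the "clamscan: finished scan" line and the message is then queued anyway, can be picked out of a qmail-queue.log mechanically. This is an added example, not code from the thread or from qmail-scanner itself; the log lines it parses are constructed in the post's line format, and the marker strings it keys on are the ones visible in the post.

```python
import re

# Constructed sample lines in the qmail-scanner debug-log format seen in the post.
# PID 4197 reproduces the reported case: nothing appears between the
# "--output of clamscan was: --" marker and the "clamscan: finished scan" line.
# PID 4301 is a constructed contrast in which the scanner did report a hit.
SAMPLE_LOG = """\
Fri, 05 Dec 2003 05:25:51 -0600:4197: --output of clamscan was: --
Fri, 05 Dec 2003 05:25:51 -0600:4197: clamscan: finished scan of dir "/var/spool/qmailscan/tmp/a" in 0.707525 secs
Fri, 05 Dec 2003 05:25:51 -0600:4203: q_r: xstatus=0
Fri, 05 Dec 2003 05:26:10 -0600:4301: --output of clamscan was: --
Fri, 05 Dec 2003 05:26:10 -0600:4301: /var/spool/qmailscan/tmp/b/letter.exe: Constructed.Sample FOUND
Fri, 05 Dec 2003 05:26:10 -0600:4301: clamscan: finished scan of dir "/var/spool/qmailscan/tmp/b" in 0.500000 secs
"""

# "<timestamp> <tz>:<pid>: <message>" is the per-line layout in the post
LINE_RE = re.compile(r"^(?P<ts>.+? [-+]\d{4}):(?P<pid>\d+): (?P<msg>.*)$")
START_RE = re.compile(r"^--output of (?P<scanner>\S+) was: --$")
END_RE = re.compile(r"^(?P<scanner>\S+): finished scan of dir ")


def collect_scanner_output(log_text):
    """Map pid -> {scanner: [captured lines]} by pairing each '--output of X
    was: --' marker with the 'X: finished scan of dir' line of the same pid."""
    capturing = {}  # pid -> (scanner, lines) while inside an output block
    results = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        start = START_RE.match(msg)
        if start:
            capturing[pid] = (start.group("scanner"), [])
        elif pid in capturing:
            scanner, lines = capturing[pid]
            end = END_RE.match(msg)
            if end and end.group("scanner") == scanner:
                results.setdefault(pid, {})[scanner] = lines
                del capturing[pid]
            else:
                lines.append(msg)
    return results


def silent_scans(log_text):
    """PIDs whose scanner block captured no output at all: with nothing to
    match on, qmail-scanner passed the message, so check these entries first."""
    return sorted(pid for pid, scans in collect_scanner_output(log_text).items()
                  if any(not lines for lines in scans.values()))
```

Run it over a full debug log and compare the flagged PIDs against the messages the inner @mail scanner later caught; a match points at the scanner run that silently produced nothing rather than at a missing signature.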