I am reviving an old thread. I've only recently found the time to revisit this project.
Sometime around November 16th, 2003, Jason Haar wrote:
Turn on full persistent debugging by setting '$debug=100;' in
qmail-scanner-queue.pl. That makes qmail-scanner-queue.pl *not* delete the
working area after it's finished dealing with a particular message.
Let a few messages through (tail qmail-queue.log to see that messages have
been processed), then turn '$debug' back to '1' to stop any more from being
kept.
Then you should have dirs under working/new that you can enter to see their
contents. Then run sweep manually over that dir to see what it says.
i.e.
(as root)
cd /var/spool/qmailscan/working/new/a.dir.name/
setuidgid qscand sweep -f -all -eec -sc -ss -nb -nc -archive \
/var/spool/qmailscan/working/new/a.dir.name/
i.e. make sure you run sweep as qscand - as that's what Q-S runs it as.
I activated debugging output in qmail-scanner-queue.pl as per your instructions.
Then I attached a copy of eicar.com named "vi-rus.exe" to an e-mail and sent it to a colleague in the office, and it was delivered to him intact.
I took the qmail-queue.log output for that message, and I quote it below:
Fri, 05 Dec 2003 17:11:47 -0700:2656: +++ starting debugging for process 2656 by
uid=401 at Fri, 05 Dec 2003 17:11:47 -0700
Fri, 05 Dec 2003 17:11:47 -0700:2656: setting UID to EUID so subprocesses can access
files generated by this script
Fri, 05 Dec 2003 17:11:47 -0700:2656: program name is qmail-scanner-queue.pl, version
1.20
Fri, 05 Dec 2003 17:11:47 -0700:2656: incoming SMTP connection from via SMTP from
209.115.249.136
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: mkdir
/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: start dumping incoming msg into
/var/spool/qmailscan/working/tmp/www.vodacomm.ca10706695074612656 [1070669507.58787]
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: primary Content-Type of multipart/mixed
found
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: found a top-level boundary definition of
\-\-\-\-\-\-\-\-\-\-\-\-070203010006090009030002
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: attachment 1: Content-Type of text/plain
found
Fri, 05 Dec 2003 17:11:47 -0700:2656: found C-T attachment filename vi-rus.exe
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: attachment 2: Content-Type of
application/x-msdownload found
Fri, 05 Dec 2003 17:11:47 -0700:2656: w_c: rename new msg from
/var/spool/qmailscan/working/tmp/www.vodacomm.ca10706695074612656 to
/var/spool/qmailscan/working/new/www.vodacomm.ca10706695074612656 [1070669507.59279]
Fri, 05 Dec 2003 17:11:47 -0700:2656: d_m: starting /usr/bin/reformime
-x/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656/
</var/spool/qmailscan/working/new/www.vodacomm.ca10706695074612656 [1070669507.59328]
Fri, 05 Dec 2003 17:11:47 -0700:2656: d_m: finished /usr/bin/reformime
-x/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656/ [1070669507.60574]
Fri, 05 Dec 2003 17:11:47 -0700:2656: d_m: Checking all attachments to see if they're
MS-TNEF
Fri, 05 Dec 2003 17:11:47 -0700:2656: d_m: is
/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656/1070669507.2658-0.www.vodacomm.ca
is a TNEF file?: 256 [1070669507.60975]
Fri, 05 Dec 2003 17:11:47 -0700:2656: d_m: is
/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656/vi-rus.exe is a TNEF file?:
256 [1070669507.61347]
Fri, 05 Dec 2003 17:11:47 -0700:2656: d_m: unpacking message took 0.020521 seconds
Fri, 05 Dec 2003 17:11:47 -0700:2656: unsetting QMAILQUEUE env var
Fri, 05 Dec 2003 17:11:47 -0700:2656: g_e_h: return-path is "[EMAIL PROTECTED]", recips is
"[EMAIL PROTECTED]"
Fri, 05 Dec 2003 17:11:47 -0700:2656: from=Stephen Bosch <[EMAIL PROTECTED]>,subj=give this
to your friends, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 209.115.249.136
Fri, 05 Dec 2003 17:11:47 -0700:2656: ini_sc: start scanning
Fri, 05 Dec 2003 17:11:47 -0700:2656: ini_sc: recursively scan the directory
/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656/
Fri, 05 Dec 2003 17:11:47 -0700:2656: scanloop: starting scan of directory
"/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656"...
Fri, 05 Dec 2003 17:11:47 -0700:2656: scanloop: scanner=sweep_scanner,plain_text_msg=0
Fri, 05 Dec 2003 17:11:47 -0700:2656: sweep: starting scan of directory
"/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656"...
Fri, 05 Dec 2003 17:11:47 -0700:2656: run /usr/bin/sweep -f -all -eec -sc -nc -ss -nb
-archive /var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656 2>&1
Fri, 05 Dec 2003 17:11:47 -0700:2656: --output of sophos sweep was:
--
Fri, 05 Dec 2003 17:11:47 -0700:2656: sweep: finished scan of dir
"/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656" in 1.074209 secs
Fri, 05 Dec 2003 17:11:47 -0700:2656: scanloop: scanner=spamassassin,plain_text_msg=0
Fri, 05 Dec 2003 17:11:47 -0700:2656: scanloop: finished scan of
"/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656"...
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: starting scan of directory
"/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656"...
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: '81:ILOVEYOU' = 'Virus-subject' = 'Love
Letter Virus/Trojan'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a header!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking for objects containing subject:
ILOVEYOU
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: '82:message/partial.*' =
'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a header!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking for objects containing
content-type: message/partial.*
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: '85:.{100,}' = 'Virus-date' = 'MIME Header
Buffer Overflow'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a header!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking for objects containing date:
.{100,}
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: '86:.{100,}' = 'Virus-mime-version' =
'MIME Header Buffer Overflow '
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a header!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking for objects containing
mime-version: .{100,}
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: '87:.{100,}' = 'Virus-resent-date' = 'MIME
Header Buffer Overflow'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a header!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking for objects containing
resent-date: .{100,}
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: '90:[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' =
'BadTrans Trojan exploit!'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a header!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking for objects containing to: [EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: 'eicar.com' = '69' = 'EICAR Test Virus'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a size!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: 'happy99.exe' = '10000' = 'Happy99 Trojan'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a size!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: 'zipped_files.exe' = '120495' =
'W32/ExploreZip.worm.pak virus'
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: type is a size!
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: skipping auto-generated file
1070669507.2658-0.www.vodacomm.ca
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking vi-rus.exe against perlscanner
database...
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: file vi-rus.exe is lowercased to vi-rus.exe
and has extension .exe
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: compare vi-rus.exe (size 68,162406) against
perlscanner database
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: checking vi-rus.exe against perlscanner
database...
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: file vi-rus.exe is lowercased to vi-rus.exe
and has extension .exe
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: compare vi-rus.exe (size 68,162406) against
perlscanner database
Fri, 05 Dec 2003 17:11:47 -0700:2656: p_s: finished scan of dir
"/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656" in 0.006504 secs
Fri, 05 Dec 2003 17:11:47 -0700:2656: ini_sc: scanning message took 1.081502 seconds
Fri, 05 Dec 2003 17:11:47 -0700:2656: q_r: fork off child into
/var/qmail/bin/qmail-queue...
Fri, 05 Dec 2003 17:11:47 -0700:2662: q_r: xstatus=0
Fri, 05 Dec 2003 17:11:47 -0700:2656: cleanup: /bin/rm -rf
/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656/
/var/spool/qmailscan/working/new/www.vodacomm.ca10706695074612656
05/12/2003 17:11:48:2656: all finished. Total of 1.128867 secs
From this I interpret the following:
- qmailscanner has executed sweep on the message and the extracted attachment.
- for whatever reason, there is no output registered from sweep.
When I go into the /var/spool/qmailscan/working/new directory and run sweep, this is what I see:
[EMAIL PROTECTED] www.vodacomm.ca10706695074612656]# cd /var/spool/qmailscan/working/new
[EMAIL PROTECTED] new]# ls
total 16
421946 -rw------- 1 qscand root 4229 Dec 5 17:07 www.vodacomm.ca10706692764612640
421947 -rw------- 1 qscand root 1253 Dec 5 17:11 www.vodacomm.ca10706695074612656
421948 -rw------- 1 qscand root 3062 Dec 5 17:19 www.vodacomm.ca10706699894612695
[EMAIL PROTECTED] new]# /command/setuidgid qscand sweep -f -all -eec -sc -ss -nb -nc -archive *
[EMAIL PROTECTED] new]#
In other words, nothing.
When I do the same with just a simple -f, I get this result:
[EMAIL PROTECTED] new]# /command/setuidgid qscand sweep -f *
SWEEP virus detection utility
Version 3.75A, November 2003 [Linux/Intel]
Includes detection for 85356 viruses, trojans and worms
Copyright (c) 1989,2003 Sophos Plc, www.sophos.com
System time 17:51:11, System date 05 December 2003
Command line qualifiers are: -f
Full Sweeping
3 files swept in 2 seconds.
No viruses were discovered.
End of Sweep.
[EMAIL PROTECTED] new]#
Say I change to the message's corresponding directory in /var/spool/qmailscan/tmp:
[EMAIL PROTECTED] www.vodacomm.ca10706695074612656]# pwd
/var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656
[EMAIL PROTECTED] www.vodacomm.ca10706695074612656]# ls
total 8
162403 -rw------- 1 qscand nofiles 18 Dec 5 17:11 1070669507.2658-0.www.vodacomm.ca
162406 -rw------- 1 qscand nofiles 68 Dec 5 17:11 vi-rus.exe
[EMAIL PROTECTED] www.vodacomm.ca10706695074612656]# /command/setuidgid qscand sweep -f -all -eec -sc -ss -nb -nc -archive *
[EMAIL PROTECTED] www.vodacomm.ca10706695074612656]#
Virus 'EICAR-AV-Test' found in file vi-rus.exe
So -- the file is there, sweep detects it when run as qscand, and yet when qmail-scanner-queue.pl runs sweep, it gets no output.
Really, I'm not trying to prove anything -- I just want the bloody thing to work.
-Stephen-
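Added example (not from the original post or from the qmail-scanner project): a small parser for the qmail-scanner-queue.pl debug format quoted above. It groups entries by PID, captures what each scanner run wrote between '--output of ... was:' and the closing '--', and flags a run that saw a risky-extension attachment but logged no scanner output, which is the symptom described in this message. The sample log is constructed from the quoted entries with wrapped lines rejoined; the list of risky extensions is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the debug log quoted above (wrapped entries rejoined).
SAMPLE_LOG = """\
Fri, 05 Dec 2003 17:11:47 -0700:2656: found C-T attachment filename vi-rus.exe
Fri, 05 Dec 2003 17:11:47 -0700:2656: run /usr/bin/sweep -f -all -eec -sc -nc -ss -nb -archive /var/spool/qmailscan/tmp/www.vodacomm.ca10706695074612656 2>&1
Fri, 05 Dec 2003 17:11:47 -0700:2656: --output of sophos sweep was:
--
Fri, 05 Dec 2003 17:11:47 -0700:2662: q_r: xstatus=0
"""
# One entry is: timestamp ':' PID ': ' message; the timestamp itself contains colons.
ENTRY = re.compile(r"^(?P<ts>\w{3}, \d\d \w{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4}):(?P<pid>\d+): (?P<msg>.*)$")
ATTACH = re.compile(r"^found C-T attachment filename (?P<name>.+)$")
RUN = re.compile(r"^run (?P<cmd>.+?)( 2>&1)?$")
OUTPUT = re.compile(r"^--output of (?P<scanner>.+) was:$")
QUEUED = re.compile(r"^q_r: xstatus=(?P<status>\d+)$")

def parse_debug_log(text):
    """Group entries by PID: attachments seen, scanner runs with their captured output, xstatus."""
    recs = defaultdict(lambda: {"attachments": [], "scans": [], "xstatus": None})
    last = None  # scan whose output lines follow an '--output of ... was:' entry
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:  # untimestamped line: scanner output, terminated by a bare '--'
            if last is not None and line.strip() == "--":
                last = None
            elif last is not None:
                last["output"].append(line)
            continue
        last = None
        rec, msg = recs[m["pid"]], m["msg"]
        if a := ATTACH.match(msg):
            rec["attachments"].append(a["name"])
        elif r := RUN.match(msg):
            rec["scans"].append({"cmd": r["cmd"], "scanner": None, "output": []})
        elif (o := OUTPUT.match(msg)) and rec["scans"]:
            rec["scans"][-1]["scanner"] = o["scanner"]
            last = rec["scans"][-1]
        elif q := QUEUED.match(msg):
            rec["xstatus"] = int(q["status"])
    return dict(recs)

def silent_scans(recs, risky=(".exe", ".com", ".scr", ".pif")):
    """Flag PIDs where a scanner ran over a risky-extension attachment but logged no output."""
    hits = []
    for pid, rec in recs.items():
        names = [n for n in rec["attachments"] if n.lower().endswith(risky)]
        hits += [(pid, s["scanner"], names) for s in rec["scans"]
                 if names and not "".join(s["output"]).strip()]
    return hits
```

Run over a real qmail-queue.log with $debug=100, a non-empty result from silent_scans() points at the message directories worth re-scanning by hand as qscand, as in the procedure above.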
_______________________________________________
Qmail-scanner-general mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
