Hi, due to this high load of MydoomMM I found very dangerous behaviour in
QS with aveclient/aveserver from Kaspersky.

1- QS with aveclient has a problem correctly detecting output from
aveclient; this only happens when the mail contains infected and non-infected
files. The behaviour of the scanning process is this: unpack to a temp dir along
with the original message, then scan every file, so when it scans the last file
it forgets the earlier scan result, which included finding an infected file.
Workaround is (my try):
 
sub_avp>
$DD=`/opt/kav/bin/aveclient -p /var/run/aveserver -s $ENV{'TMPDIR'}/orig-$file_id 2>&1`;
not
$DD=`/opt/kav/bin/aveclient -p /var/run/aveserver -s $ENV{'TMPDIR'}/* 2>&1`;

The reason is that aveclient can handle the whole mail encoding by itself, mostly, I
hope ;)

2- BUT WORST IS - I have aveserver running from /service, and I found
out that if you don't restart this service, it won't use the new antiviral
db. Kavscanner is working OK, but aveclient/aveserver was not until I
restarted it.

[EMAIL PROTECTED] bin]# ./kavscanner letter.zip
Kaspersky Virus Scanner for linux. Version 5.0.2.0/RELEASE build #1
Copyright (C) Kaspersky Lab. 1998-2003.
There are 94137 records loaded, the latest update 27-07-2004
Config file: /etc/kav/5.0/kav4unix.conf
/opt/kav/bin/letter.zip  
/opt/kav/bin/letter.zip/letter.scr INFECTED I-Worm.Mydoom.m
/opt/kav/bin/letter.zip/letter.scr CUREFAILED I-Worm.Mydoom.m

[EMAIL PROTECTED] bin]# /opt/kav/bin/aveclient -p /var/run/aveserver -s letter.zip
letter.zip OK
[EMAIL PROTECTED] bin]# killall aveserver
##it restart itself thru /service
[EMAIL PROTECTED] bin]# /opt/kav/bin/aveclient -p /var/run/aveserver -s letter.zip 
letter.zip INFECTED
LINFECTED I-Worm.Mydoom.m
[EMAIL PROTECTED] bin]#

so, maybe it helps someone
cee ya
Miki



+-------V-------+ |   Peter Mikeska      |    [EMAIL PROTECTED]     |
| A L C A T E L | |  System Engineer     |  phone:   +421 44 5206316 |
+---------------+ | IT Services MadaCom  |  fax:     +421 44 5206356 |

               -* "Clones are people two." *-



_______________________________________________
Qmail-scanner-general mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/qmail-scanner-general
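
One way to reduce multi-file scanner output to a single verdict so that an earlier INFECTED line is not lost when the last file scanned is clean (added example, not from the original post or from qmail-scanner's code). The line shapes are assumed from the transcript in the message above; `overall_verdict` and the sample lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reduce multi-line scanner output to one verdict for the whole message.
# Assumed line shapes, modelled on the transcript in the post:
#   "<name> OK"   "<name> INFECTED"   "...INFECTED <virus-name>"
# Returns (verdict, arrayref of files or unparsed lines, arrayref of virus names).
sub overall_verdict {
    my ($output) = @_;
    my (%infected, @viruses, @unknown);
    my $clean = 0;

    for my $line (split /\r?\n/, $output) {
        next if $line =~ /^\s*$/;
        if ($line =~ /INFECTED\s+(\S+)\s*$/) {         # detail line carrying a virus name
            push @viruses, $1;
        } elsif ($line =~ /^(.+?)\s+INFECTED\s*$/) {   # per-file verdict
            $infected{$1} = 1;
        } elsif ($line =~ /^(.+?)\s+OK\s*$/) {
            $clean++;
        } else {
            push @unknown, $line;                      # never ignore what cannot be parsed
        }
    }

    # Precedence: one infected file outweighs any number of clean ones,
    # whatever order the lines arrived in. Empty or unparsable output
    # (for example, the daemon was unreachable) fails closed as ERROR.
    return ('INFECTED', [sort keys %infected], \@viruses) if %infected || @viruses;
    return ('ERROR', \@unknown, [])                       if @unknown || !$clean;
    return ('CLEAN', [], []);
}

# Constructed sample: the infected attachment is reported first and a clean
# file last, the ordering that defeats a check of only the final line.
my $sample = join "\n",
    'letter.zip INFECTED',
    'LINFECTED I-Worm.Mydoom.m',
    'readme.txt OK';

my ($verdict, $files, $viruses) = overall_verdict($sample);
printf "%s files=[%s] viruses=[%s]\n",
    $verdict, join(',', @$files), join(',', @$viruses);
```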
