At 21:29 19/08/2003 -0500, you wrote:

> At 09:16 PM 8/19/2003, you wrote:
>
> > On Tuesday 19 August 2003 20:12, David Lucas wrote:
> >
> > > > No problem, sounds like you did not run the "install-f-prot.pl" program that
> > > > is included with the new version (/usr/local/f-prot/install-f-prot.pl),
> > > > which sets the permissions and such.
> > >
> > > I did not, should I now with it running?
> > > Also, do you know which processes first, normally: MailScanner deleting .pif
> > > files or the antivirus software?
> >
> > David,
> >
> > Probably would not hurt to go ahead and run it, since then you will know all
> > are set "correctly". Not sure on the scan, but I believe the virus scan is done
> > first, then the filename rules scans and such.
>
> Ran it, it said it ran, but all I am getting is MailScanner catching all the
> Sobig and not the antivirus. I am also on my third sweep.pl: I got one the day
> Steve wrote the instructions, got another a day later, and then there is another
> new one dated Aug 9th I think, which has a lot more in it. I know MailScanner is
> working, it just doesn't seem like f-prot is.
I decided to install the Bassi MailScanner package and then follow the f-prot upgrade instructions just to see what happens.
With a default pkg install everything worked correctly and it picked up the test eicar virus that I sent to myself:
http://www.eicar.org/anti_virus_test_file.htm

So then I made a backup of my existing f-prot directory structure:

    cp -R /usr/local/f-prot/ /tmp/

Then I downloaded the new f-prot for Linux and followed the installation instructions from the INSTALL file, using the install-from-source instructions.

    [root /root]# f-prot -verno
    F-PROT ANTIVIRUS
    Program version: 4.1.2
    Engine version: 3.13.4

    VIRUS SIGNATURE FILES
    SIGN.DEF created 19 August 2003
    SIGN2.DEF created 19 August 2003
    MACRO.DEF created 18 August 2003

So that all worked. Next:

1. Ran updatedb so I could use locate with all the new files.
2. Downloaded the suggested sweep.pl and replaced the existing file after making a backup into /tmp.
3. Made the required changes in /etc/cron.daily to remove the old check_updates and replace it with check-updates.pl.
4. Ran check-updates.pl in /etc/cron.daily to check everything is OK and that new definitions were downloaded.
5. Copied the file f-protwrapper to the new f-prot directory.
6. Restarted MailScanner with the /etc/rc.d script:

    Starting MailScanner daemons:
    incoming sendmail: ok
    outgoing sendmail: ok
    MailScanner: ok

Checked /var/log/maillog:

    Aug 20 09:33:22 mailhost mailscanner[16705]: Scanning 2 messages, 421670 bytes
    Aug 20 09:33:23 mailhost mailscanner[16705]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Search: .". Please mail the author of MailScanner
    Aug 20 09:33:23 mailhost mailscanner[16705]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Action: Report only". Please mail the author of MailScanner
    Aug 20 09:33:23 mailhost mailscanner[16705]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Files: "Dumb" scan of all files". Please mail the author of MailScanner
    Aug 20 09:33:23 mailhost mailscanner[16705]: Either you've found a bug in MailScanner's F-Prot output parser, or F-Prot's output format has changed! F-Prot said this "Switches: -ARCHIVE -OLD". Please mail the author of MailScanner
    Aug 20 09:33:23 mailhost mailscanner[16705]: Scanned 2 messages, 421670 bytes in 1 seconds
Sent myself the eicar test again and it gets through. MailScanner is working correctly but not with f-prot.
My advice for the moment is to avoid the upgrade to f-prot if you are using it in a production environment.
I'll have a dig around MailScanner now to see where the output parser is located and how it calls the switches.
If anyone has made any progress on this, though, I'd appreciate it if you could post.

Dan
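Added example, not Dan's code and not MailScanner's own parser: a small Python parser that skips the four F-Prot banner lines quoted in the maillog above, records per-file infection lines, and hands back anything it does not recognise so that a format change holds the message rather than letting it through the way the EICAR test did here. The "<file>  Infection: <name>" result-line shape and the sample spool path are assumptions.

```python
import re

# Banner lines F-Prot 4.x prints before the per-file results. The four quoted
# in the maillog above are the ones the old MailScanner parser rejected.
BANNER_PREFIXES = ("Search:", "Action:", "Files:", "Switches:")

# Per-file result line. The "<file>  Infection: <name>" shape is an assumption
# for this example; confirm it against your F-Prot version before relying on it.
INFECTION_RE = re.compile(r"^(?P<file>\S.*?)\s+Infection:\s+(?P<name>\S.*)$")


def parse_fprot_output(lines):
    """Return ({file: virus_name}, [unrecognised lines]).

    Banner lines are skipped, infection lines are recorded, and anything else
    is returned so the caller decides what an unknown output format means.
    """
    infections, unknown = {}, []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(BANNER_PREFIXES):
            continue
        m = INFECTION_RE.match(line)
        if m:
            infections[m.group("file")] = m.group("name")
        else:
            unknown.append(line)
    return infections, unknown


def verdict(infections, unknown):
    """Fail closed: scanner output we could not parse means 'hold', not 'clean'."""
    if infections:
        return "infected"
    if unknown:
        return "hold"  # the scanner spoke a dialect this parser does not know
    return "clean"


# Constructed sample: the banner lines quoted in the maillog plus one assumed
# infection line for the EICAR test file (path is made up for the example).
SAMPLE = [
    "Search: .",
    "Action: Report only",
    'Files: "Dumb" scan of all files',
    "Switches: -ARCHIVE -OLD",
    "/var/spool/MailScanner/incoming/eicar.com  Infection: EICAR_Test_File",
]

if __name__ == "__main__":
    found, odd = parse_fprot_output(SAMPLE)
    print(verdict(found, odd), found, odd)  # → infected {...} []
```

With only unrecognised lines and no detections, `verdict` returns "hold" instead of the silent "clean" that delivered the EICAR message above.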