The output of vscan.d shows that it interprets the result from the
scan engine as a successful scan with no virus found. IIRC, it looks
like this is being determined from the scan preview without the need
for a full scan.

Can you get a network packet capture so that we can look in detail at
the scan engine response?

It would also be helpful if you could try this with a different type of
scan engine too, preferably one that we support - e.g. Symantec.

Thanks
Joyce
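
One way to read the scan engine responses in such a capture, as an added example that is not part of the original thread and is not vscan code: it classifies ICAP (RFC 3507) responses and reports whether the verdict was given at the preview stage or after the full file was sent. The sample responses are constructed, and the `VIRUS FOUND` marker is the block-page text from the icap-client output quoted in the thread.

```python
# Added example: classify ICAP (RFC 3507) responses pulled from a capture.
# All sample responses are constructed; none come from the thread.

def parse_icap_response(raw: bytes):
    """Return (status_code, headers, encapsulated_payload) for one response."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    proto, code = lines[0].split(" ", 2)[:2]
    if not proto.startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, payload

def verdict(raw: bytes) -> str:
    code, _headers, payload = parse_icap_response(raw)
    if code == 100:
        return "continue"    # engine asks for the body beyond the preview
    if code == 204:
        return "unmodified"  # no modification needed: client treats file as clean
    if code == 200:
        # Content was replaced. "VIRUS FOUND" is the block-page text shown in
        # the thread's icap-client output (assumed marker, engine specific).
        return "infected" if b"VIRUS FOUND" in payload else "modified"
    return "error"

def scan_outcome(responses):
    """Verdict for one transaction and the stage at which it was given.
    Assumes the request carried a Preview header."""
    stage = "preview"
    for raw in responses:
        v = verdict(raw)
        if v == "continue":
            stage = "full"   # client had to send the remainder of the file
            continue
        return v, stage
    return "incomplete", stage

R100 = b"ICAP/1.0 100 Continue\r\n\r\n"
R204 = b'ICAP/1.0 204 No modifications needed\r\nISTag: "constructed"\r\n\r\n'
R200 = (b'ICAP/1.0 200 OK\r\nISTag: "constructed"\r\n'
        b"Encapsulated: res-hdr=0, res-body=51\r\n\r\n"
        b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
        b"14\r\n<H1>VIRUS FOUND</H1>\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, seq in [("preview only", [R204]), ("full scan", [R100, R200])]:
        print(name, scan_outcome(seq))
```

A 204 that arrives with no preceding 100 Continue is the case where the file was judged clean on the preview alone.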


Chris Gerhard wrote:
On 07/01/2010 23:41, Joyce McIntosh wrote:
Have you configured vscan to scan pdf files?

It scans everything less than 100MB in size.

What's the output of vscanadm show?

: pearson FSS 5 $; /usr/sbin/vscanadm show
max-size=100MB
max-size-action=allow
types=+*

srv_clamav:enable=on
srv_clamav:host=localhost
srv_clamav:port=1344
srv_clamav:max-connection=8

samba:enable=on
samba:host=samba
samba:port=1344
samba:max-connection=8

: pearson FSS 6 $;

Have you checked vscanadm stats before and after trying to open
the infected file?

: pearson FSS 2 $; /usr/sbin/vscanadm stats
scanned=5575
infected=0
failed=4
srv_clamav:errors=2
samba:errors=3
: pearson FSS 3 $; cp virus.d/clam.pdf /tank/test
: pearson FSS 4 $; /usr/sbin/vscanadm stats
scanned=5576
infected=0
failed=4
srv_clamav:errors=2
samba:errors=3


Can you run the vscan.d dtrace script and capture the output while
trying to open the infected file?

The output is attached.



Chris Gerhard wrote:

Running the vscan service on a system it fails to spot a test virus in
a PDF file. The odd thing is that if I use the icap-client with the
file the same icap servers report the virus correctly.

for i in clam*
do
cat $i >/dev/null && echo $i
done
-ksh93: cat: clam-aspack.exe: cannot open [Permission denied]
-ksh93: cat: clam-fsg.exe: cannot open [Permission denied]
-ksh93: cat: clam-mew.exe: cannot open [Permission denied]
-ksh93: cat: clam-nsis.exe: cannot open [Permission denied]
-ksh93: cat: clam-pespin.exe: cannot open [Permission denied]
-ksh93: cat: clam-petite.exe: cannot open [Permission denied]
-ksh93: cat: clam-upack.exe: cannot open [Permission denied]
-ksh93: cat: clam-upx.exe: cannot open [Permission denied]
-ksh93: cat: clam-v2.rar: cannot open [Permission denied]
-ksh93: cat: clam-v3.rar: cannot open [Permission denied]
-ksh93: cat: clam-wwpack.exe: cannot open [Permission denied]
-ksh93: cat: clam.arj: cannot open [Permission denied]
-ksh93: cat: clam.bz2.zip: cannot open [Permission denied]
-ksh93: cat: clam.cab: cannot open [Permission denied]
-ksh93: cat: clam.chm: cannot open [Permission denied]
-ksh93: cat: clam.d64.zip: cannot open [Permission denied]
-ksh93: cat: clam.ea05.exe: cannot open [Permission denied]
-ksh93: cat: clam.ea06.exe: cannot open [Permission denied]
-ksh93: cat: clam.exe: cannot open [Permission denied]
-ksh93: cat: clam.exe.binhex: cannot open [Permission denied]
-ksh93: cat: clam.exe.bz2: cannot open [Permission denied]
-ksh93: cat: clam.exe.html: cannot open [Permission denied]
-ksh93: cat: clam.exe.mbox.base64: cannot open [Permission denied]
-ksh93: cat: clam.exe.mbox.uu: cannot open [Permission denied]
-ksh93: cat: clam.exe.rtf: cannot open [Permission denied]
-ksh93: cat: clam.exe.szdd: cannot open [Permission denied]
-ksh93: cat: clam.impl.zip: cannot open [Permission denied]
-ksh93: cat: clam.mail: cannot open [Permission denied]
-ksh93: cat: clam.ole.doc: cannot open [Permission denied]
clam.pdf
-ksh93: cat: clam.ppt: cannot open [Permission denied]
-ksh93: cat: clam.sis: cannot open [Permission denied]
-ksh93: cat: clam.tar.gz: cannot open [Permission denied]
-ksh93: cat: clam.tnef: cannot open [Permission denied]
-ksh93: cat: clam.zip: cannot open [Permission denied]
: pearson FSS 84 $;
: pearson FSS 84 $; for i in samba localhost
do
/opt/cjgsw/bin/icap\-client -f clam.pdf -s "srv_clamav?allow204=on&force=on&sizelimit=off&mode=simple" -i $i | grep VIRUS
done
ICAP server:samba, ip:192.168.1.20, port:1344

<H1>VIRUS FOUND</H1>
ICAP server:localhost, ip:127.0.0.1, port:1344

<H1>VIRUS FOUND</H1>
: pearson FSS 85 $;







_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
