I've never used exiscan, but it sounds like a bug in exiscan (or a configuration issue).
The issue started occurring (for several people on this list) between 0.80rc2 and 0.80rc3.
According to others, the change that broke it was http://cvs.sourceforge.net/viewcvs.py/clamav/clamav-devel/clamd/others.c?r1=1.17&r2=1.18
exiscan must be closing its side of the connection to clamd without waiting for clamd to finish scanning. This signals to clamd to abort the scan. exiscan must not do that.
I've done a tethereal capture (see attached clamdcapture.txt). This does show exiscan closing the socket after sending a SCAN request and receiving an acknowledgment. From a brief look at the exiscan code (http://duncanthrax.net/exiscan-acl/exiscan-acl-4.43-28.patch - search for '"clamd" scanner type'), I cannot see why this would be happening.
I'll post to the exiscan list and see if anyone there has any ideas.
Thanks,
Phil
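The pattern described in the message above (the client sends FIN after its SCAN request and before clamd has returned any result) can be checked mechanically in one-line tethereal packet summaries. This is an added example, not part of the original post and not exiscan or ClamAV code; the sample capture, the client ports and the function name `early_client_closes` are constructed for illustration.

```python
import re

# One-line packet summaries in the style tethereal prints. Constructed sample:
# port 3310 is clamd, 40000 closes early, 40001 waits for the scan result.
SAMPLE = """\
0.000000 127.0.0.1 -> 127.0.0.1 TCP 40000 > 3310 [SYN] Seq=0 Ack=0 Win=32767 Len=0
0.000100 127.0.0.1 -> 127.0.0.1 TCP 3310 > 40000 [SYN, ACK] Seq=0 Ack=1 Win=32767 Len=0
0.000200 127.0.0.1 -> 127.0.0.1 TCP 40000 > 3310 [ACK] Seq=1 Ack=1 Win=32768 Len=0
0.000300 127.0.0.1 -> 127.0.0.1 TCP 40000 > 3310 [PSH, ACK] Seq=1 Ack=1 Win=32768 Len=43
0.000400 127.0.0.1 -> 127.0.0.1 TCP 3310 > 40000 [ACK] Seq=1 Ack=44 Win=32768 Len=0
0.000500 127.0.0.1 -> 127.0.0.1 TCP 40000 > 3310 [FIN, ACK] Seq=44 Ack=1 Win=32768 Len=0
0.007000 127.0.0.1 -> 127.0.0.1 TCP 3310 > 40000 [FIN, ACK] Seq=1 Ack=45 Win=32768 Len=0
0.010000 127.0.0.1 -> 127.0.0.1 TCP 40001 > 3310 [PSH, ACK] Seq=1 Ack=1 Win=32768 Len=43
0.900000 127.0.0.1 -> 127.0.0.1 TCP 3310 > 40001 [PSH, ACK] Seq=1 Ack=44 Win=32768 Len=48
0.900100 127.0.0.1 -> 127.0.0.1 TCP 3310 > 40001 [FIN, ACK] Seq=49 Ack=44 Win=32768 Len=0
0.900200 127.0.0.1 -> 127.0.0.1 TCP 40001 > 3310 [FIN, ACK] Seq=44 Ack=50 Win=32768 Len=0
"""

LINE = re.compile(r"^\s*(?P<ts>\d+\.\d+)\s+\S+ -> \S+\s+TCP\s+(?P<sport>\d+) > (?P<dport>\d+)\s+"
                  r"\[(?P<flags>[^\]]+)\].*?\bLen=(?P<len>\d+)")

def early_client_closes(capture, server_port=3310):
    """Return client ports that sent FIN before the server sent any payload."""
    state = {}  # client port -> what has been seen on that connection so far
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # hex-dump rows and blank lines are ignored
        sport, dport = int(m["sport"]), int(m["dport"])
        flags = {f.strip() for f in m["flags"].split(",")}
        length = int(m["len"])
        if dport == server_port:      # client -> clamd
            s = state.setdefault(sport, {"request": False, "reply": False, "early": False})
            if length:
                s["request"] = True
            if "FIN" in flags and s["request"] and not s["reply"]:
                s["early"] = True     # closed while the scan result was still pending
        elif sport == server_port:    # clamd -> client
            s = state.setdefault(dport, {"request": False, "reply": False, "early": False})
            if length:
                s["reply"] = True     # a bare ACK (Len=0) is not a scan result
    return sorted(p for p, s in state.items() if s["early"])
```

A bare TCP ACK from clamd only confirms receipt of the request bytes, so the check counts a reply only when the server segment carries payload.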
