Hi,

I'm in the process of upgrading our mail server, and part of that process is upgrading Exim from 4.30 to 4.54. I am currently trying to configure Exim to do virus scanning using Sophos/sweep.

In the data ACL I have a malware condition which should be finding a virus (I'm sending it the eicar test virus), but it's not getting picked up. The ACL is getting executed, but I can't see what it's actually doing.

The ACL in question is:

acl_check_data:

  # Reject empty messages
  deny
        message = Empty message rejected.
        condition = ${if < {$message_size} {2} {1} {0}}

  #
  # Now do virus scanning with Sophos.
  #

  # for locally generated messages, deny virus and send the user a message.
  deny
        hosts = +relay_from_hosts
        message = Your message contains a virus ($malware_name).
        malware = *

  # for external messages with virus send a different message
  deny
        message = The message was rejected because it contains a virus
        malware = *


and the debug output I get is:

15:50:43  9955 using ACL "acl_check_data"
15:50:43  9955 processing "deny"
15:50:43  9955 expanding: $message_size
15:50:43  9955    result: 915
15:50:43  9955 expanding: 2
15:50:43  9955    result: 2
15:50:43  9955 condition: < {$message_size} {2}
15:50:43  9955    result: false
15:50:43  9955 expanding: 1
15:50:43  9955    result: 1
15:50:43  9955 skipping: result is not used
15:50:43  9955 expanding: 0
15:50:43  9955    result: 0
15:50:43  9955 expanding: ${if < {$message_size} {2} {1} {0}}
15:50:43  9955    result: 0
15:50:43  9955 check condition = ${if < {$message_size} {2} {1} {0}}
15:50:43  9955                 = 0
15:50:43  9955 deny: condition test failed
15:50:43  9955 processing "deny"
15:50:43  9955 check hosts = +relay_from_hosts
15:50:43  9955 cached yes match for +relay_from_hosts
15:50:43  9955 cached lookup data = NULL
15:50:43 9955 host in "+relay_from_hosts"? yes (matched "+relay_from_hosts" - cached)
15:50:43  9955 check malware = *
15:50:43  9955 expanding: From ${sender_address} ${tod_bsdinbox}
15:50:43  9955
15:50:43  9955    result: From [EMAIL PROTECTED] Fri Nov 25 15:50:43 2005
15:50:43  9955
15:50:43  9955 expanding: ${sender_address}
15:50:43  9955    result: [EMAIL PROTECTED]
15:50:43  9955 condition: def:received_for
15:50:43  9955    result: false
15:50:43  9955 expanding: $received_for
15:50:43  9955    result:
15:50:43  9955 skipping: result is not used
15:50:43  9955 expanding: ${if def:received_for{$received_for}}
15:50:43  9955    result:
15:50:44  9955 deny: condition test failed
15:50:44  9955 processing "deny"
15:50:44  9955 check malware = *
15:50:44  9955 deny: condition test failed

so I don't know whether exim has actually run sweep or not.

Is there any way to increase the debugging output for malware, so I can see what malware test exim is actually running, and on what? The command I'm using is:

 exim -bd -d+all


The same test works perfectly on the existing mail server, running Exim 4.30. Running sweep manually on email files containing viruses also works, so I don't think it's sweep that's at fault.


--
Nigel Wade, System Administrator, Space Plasma Physics Group,
            University of Leicester, Leicester, LE1 7RH, UK
E-mail :    [EMAIL PROTECTED]
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555

--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
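
A summarizer for the ACL trace in the post above, as an added example that is not part of the original message: it groups `exim -d` lines by ACL statement and reports which condition was checked last before each `condition test failed`, relying on Exim evaluating a statement's conditions in order and stopping at the first one that does not match. The function name and the embedded sample (a subset of the quoted trace) are constructed, and only line shapes visible in the post are parsed.

```python
import re

# Constructed sample: a subset of the `exim -bd -d+all` trace quoted in the post.
SAMPLE = """\
15:50:43  9955 using ACL "acl_check_data"
15:50:43  9955 processing "deny"
15:50:43  9955 check condition = ${if < {$message_size} {2} {1} {0}}
15:50:43  9955                 = 0
15:50:43  9955 deny: condition test failed
15:50:43  9955 processing "deny"
15:50:43  9955 check hosts = +relay_from_hosts
15:50:43 9955 host in "+relay_from_hosts"? yes (matched "+relay_from_hosts" - cached)
15:50:43  9955 check malware = *
15:50:44  9955 deny: condition test failed
15:50:44  9955 processing "deny"
15:50:44  9955 check malware = *
15:50:44  9955 deny: condition test failed
"""

PREFIX = re.compile(r"^\d\d:\d\d:\d\d\s+\d+\s*(.*)$")    # timestamp + pid
VERB = re.compile(r'^processing "(\w+)"$')               # start of a statement
CHECK = re.compile(r"^check (\w+) = (.*)$")              # one condition tested
OUTCOME = re.compile(r"^(\w+): condition test (\w+)")    # statement result

def summarize_acl_trace(text):
    """Return one dict per ACL statement: verb, checks, outcome, failed_on."""
    statements, current = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        if not m:
            continue                      # not a debug line we recognise
        body = m.group(1).strip()
        if (v := VERB.match(body)):
            current = {"verb": v.group(1), "checks": [],
                       "outcome": None, "failed_on": None}
            statements.append(current)
        elif current is not None and (c := CHECK.match(body)):
            current["checks"].append(c.group(1))
        elif current is not None and (o := OUTCOME.match(body)):
            current["outcome"] = o.group(2)
            # Conditions run in order; the last one checked is the one that failed.
            if o.group(2) == "failed" and current["checks"]:
                current["failed_on"] = current["checks"][-1]
    return statements

if __name__ == "__main__":
    for i, s in enumerate(summarize_acl_trace(SAMPLE), 1):
        print(i, s["verb"], s["checks"], s["outcome"], "failed on:", s["failed_on"])
```

On the sample, the second and third `deny` statements both report `malware` as the failing condition, so the trace shows the condition returning false rather than being skipped.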
