Hello. (again... )
 
     I have AIX 4.3.3.0-11, perl v5.8.2 built for
aix, Virus Scan for AIX v4.32.0, qmail-scanner-1.20

     Perlscanner is able to reject mails with
attachments *mp3 (I love music, I swear it) (I
modified the quarantine-attachments.txt file) but
uvscan is unable to detect viruses =(

     My qmail-queue.log has:

--output of uvscan was:
No file or directory found matching
/var/spool/qmailscan/tmp/myhost.org107827471846110072

 
      I've attached a txt file with a complete log
produced by handling one bloody virus mail.

      Suggestions, comments, advice, food??
 
      Thanks in advance.




Tue, 02 Mar 2004 18:45:18 CST:10072: +++ starting debugging for process 10072 by 
uid=210 at Tue, 02 Mar 2004 18:45:18 CST
Tue, 02 Mar 2004 18:45:18 CST:10072: setting UID to EUID so subprocesses can access 
files generated by this script
Tue, 02 Mar 2004 18:45:18 CST:10072: program name is qmail-scanner-queue.pl, version 
1.20
Tue, 02 Mar 2004 18:45:18 CST:10072: incoming SMTP connection from via SMTP from 
192.168.10.123
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: mkdir 
/var/spool/qmailscan/tmp/myhost.org107827471846110072
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: start dumping incoming msg into 
/var/spool/qmailscan/working/tmp/myhost.org107827471846110072 [1078274718.12962]
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: primary Content-Type of multipart/mixed found
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: found a top-level boundary definition of 
\-\-\-\-=_NextPart_000_0001_01C40087\.3DE6D720
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: attachment  1: Content-Type of text/plain 
found
Tue, 02 Mar 2004 18:45:18 CST:10072: found C-T attachment filename mail2.zip
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: attachment  2: Content-Type of 
application/x-zip-compressed found
Tue, 02 Mar 2004 18:45:18 CST:10072: w_c: rename new msg from 
/var/spool/qmailscan/working/tmp/myhost.org107827471846110072 to 
/var/spool/qmailscan/working/new/myhost.org107827471846110072 [1078274718.17319]
Tue, 02 Mar 2004 18:45:18 CST:10072: d_m: starting /usr/local/bin/reformime  
-x/var/spool/qmailscan/tmp/myhost.org107827471846110072/ 
</var/spool/qmailscan/working/new/myhost.org107827471846110072 [1078274718.19667]
Tue, 02 Mar 2004 18:45:18 CST:10072: d_m: finished /usr/local/bin/reformime  
-x/var/spool/qmailscan/tmp/myhost.org107827471846110072/ [1078274718.25943]
Tue, 02 Mar 2004 18:45:18 CST:10072: d_m: Checking all attachments to see if they're 
MS-TNEF
Tue, 02 Mar 2004 18:45:18 CST:10072: d_m: is 
/var/spool/qmailscan/tmp/myhost.org107827471846110072/1078274718.16338-0.myhost.org is 
a TNEF file?: 256 [1078274718.27436]
Tue, 02 Mar 2004 18:45:18 CST:10072: d_m: is 
/var/spool/qmailscan/tmp/myhost.org107827471846110072/mail2.zip is a TNEF file?: 256 
[1078274718.28837]
Tue, 02 Mar 2004 18:45:18 CST:10072: d_m: unpacking message took 0.092326 seconds
Tue, 02 Mar 2004 18:45:18 CST:10072: unsetting QMAILQUEUE env var
Tue, 02 Mar 2004 18:45:18 CST:10072: g_e_h: return-path is "[EMAIL PROTECTED]", recips 
is "[EMAIL PROTECTED]"
Tue, 02 Mar 2004 18:45:18 CST:10072: from="Ricardo" <[EMAIL PROTECTED]>,subj=RV: trust 
me, x-qmail-scanner-message-id=<[EMAIL PROTECTED]> via SMTP from 192.168.10.123
Tue, 02 Mar 2004 18:45:18 CST:10072: ini_sc: start scanning
Tue, 02 Mar 2004 18:45:18 CST:10072: ini_sc: recursively scan the directory 
/var/spool/qmailscan/tmp/myhost.org107827471846110072/
Tue, 02 Mar 2004 18:45:18 CST:10072: scanloop: starting scan of directory 
"/var/spool/qmailscan/tmp/myhost.org107827471846110072"...
Tue, 02 Mar 2004 18:45:18 CST:10072: scanloop: scanner=uvscan_scanner,plain_text_msg=0
Tue, 02 Mar 2004 18:45:18 CST:10072: uvscan: starting scan of directory 
"/var/spool/qmailscan/tmp/myhost.org107827471846110072"...
Tue, 02 Mar 2004 18:45:18 CST:10072: run /usr/local/bin/uvscan  -v -r --secure --fam 
--unzip --macro-heuristics  /var/spool/qmailscan/tmp/myhost.org107827471846110072    
2>&1
Tue, 02 Mar 2004 18:45:18 CST:10072: --output of uvscan was:
No file or directory found matching 
/var/spool/qmailscan/tmp/myhost.org107827471846110072
--
Tue, 02 Mar 2004 18:45:18 CST:10072: uvscan: finished scan of dir 
"/var/spool/qmailscan/tmp/myhost.org107827471846110072" in 1.242382 secs
Tue, 02 Mar 2004 18:45:18 CST:10072: scanloop: finished scan of 
"/var/spool/qmailscan/tmp/myhost.org107827471846110072"...
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: starting scan of directory 
"/var/spool/qmailscan/tmp/myhost.org107827471846110072"...
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  '81:ILOVEYOU' = 'Virus-subject' = 'Love 
Letter Virus/Trojan'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  type is a header!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  checking for objects containing subject: 
ILOVEYOU
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  '82:message/partial.*' = 
'Virus-content-type' = 'Message/partial MIME attachments blocked by policy'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  type is a header!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  checking for objects containing 
content-type: message/partial.*
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  '85:.{100,}' = 'Virus-date' = 'MIME Header 
Buffer Overflow'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  type is a header!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  checking for objects containing date: 
.{100,}
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  '86:.{100,}' = 'Virus-mime-version' = 'MIME 
Header Buffer Overflow '
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  type is a header!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  checking for objects containing 
mime-version: .{100,}
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  '87:.{100,}' = 'Virus-resent-date' = 'MIME 
Header Buffer Overflow'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  type is a header!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  checking for objects containing 
resent-date: .{100,}
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  '90:[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]' = 'Virus-to' = 
'BadTrans Trojan exploit!'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  type is a header!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  checking for objects containing to: [EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL 
PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  'eicar.com' = '69' = 'EICAR Test Virus'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: type is a size!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  'happy99.exe' = '10000' = 'Happy99 Trojan'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: type is a size!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  'zipped_files.exe' = '120495' = 
'W32/ExploreZip.worm.pak virus'
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: type is a size!
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: skipping auto-generated file 
1078274718.16338-0.myhost.org
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: checking mail2.zip against perlscanner 
database...
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: file mail2.zip is lowercased to mail2.zip 
and has extension .zip
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: compare mail2.zip (size 25477,2483) against 
perlscanner database
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: checking mail2.zip against perlscanner 
database...
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: file mail2.zip is lowercased to mail2.zip 
and has extension .zip
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s: compare mail2.zip (size 25477,2483) against 
perlscanner database
Tue, 02 Mar 2004 18:45:18 CST:10072: p_s:  finished scan of dir 
"/var/spool/qmailscan/tmp/myhost.org107827471846110072" in 0.013674 secs
Tue, 02 Mar 2004 18:45:18 CST:10072: ini_sc: scanning message took 1.257716 seconds
Tue, 02 Mar 2004 18:45:18 CST:10072: q_r: fork off child into 
/var/qmail/bin/qmail-queue...
Tue, 02 Mar 2004 18:45:18 CST:16346: q_r: xstatus=0
Tue, 02 Mar 2004 18:45:18 CST:10072: cleanup: /usr/bin/rm -rf 
/var/spool/qmailscan/tmp/myhost.org107827471846110072/ 
/var/spool/qmailscan/working/new/myhost.org107827471846110072
02/03/2004 18:45:19:10072: all finished. Total of 1.721986 secs
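
An added example, not part of the original post and not qmail-scanner's own code: this Python script reads a qmail-scanner debug log like the one above and flags any process whose scanner output says nothing was scanned while the same process still handed the message to qmail-queue. The sample log is constructed from lines in the post with the wraps removed; PID 20001, its placeholder output and the function name are assumptions.

```python
import re

# Constructed sample modelled on the debug log in the post, line wraps removed.
# PID 20001 and its scanner output are invented placeholders for a clean run.
SAMPLE_LOG = """\
Tue, 02 Mar 2004 18:45:18 CST:10072: --output of uvscan was:
No file or directory found matching /var/spool/qmailscan/tmp/myhost.org107827471846110072
--
Tue, 02 Mar 2004 18:45:18 CST:10072: q_r: fork off child into /var/qmail/bin/qmail-queue...
Tue, 02 Mar 2004 18:45:18 CST:16346: q_r: xstatus=0
Tue, 02 Mar 2004 18:50:02 CST:20001: --output of uvscan was:
(constructed placeholder for normal scanner output)
--
Tue, 02 Mar 2004 18:50:02 CST:20001: q_r: fork off child into /var/qmail/bin/qmail-queue...
"""

# "<timestamp>[ TZ]:<pid>: <message>" as written by the debug log.
PREFIX = re.compile(r"^.+?\d\d:\d\d:\d\d(?: [A-Z]+)?:(\d+): (.*)$")
OUTPUT_START = re.compile(r"^--output of (\w+) was:$")
# Scanner output meaning nothing was scanned; this entry is taken from the post.
SCAN_ERRORS = ("No file or directory found matching",)

def find_unscanned_deliveries(log_text):
    """Return one finding per process whose scanner errored out, noting
    whether that process still handed the message to qmail-queue."""
    findings = {}      # pid -> finding dict
    capture = None     # (pid, scanner) while inside a scanner output block
    for line in log_text.splitlines():
        if capture:
            if line.strip() == "--":          # end of scanner output block
                capture = None
            elif any(err in line for err in SCAN_ERRORS):
                pid, scanner = capture
                findings[pid] = {"pid": pid, "scanner": scanner,
                                 "error": line.strip(), "queued": False}
            continue
        m = PREFIX.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        start = OUTPUT_START.match(msg.strip())
        if start:
            capture = (pid, start.group(1))
        elif pid in findings and msg.startswith("q_r: fork off child into"):
            findings[pid]["queued"] = True
    return list(findings.values())

if __name__ == "__main__":
    for finding in find_unscanned_deliveries(SAMPLE_LOG):
        print(finding)
```

A finding with `queued` set to true is a message that went on to delivery although the scanner never examined the unpacked directory.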
