Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: Patrick Basile on October 21, 2001, 07:36:56 AM
-
Hello everyone,
I followed Darrell's RAV How To earlier today, and installed RAV on my ESSG 4.1.2 server. The install went fine, as far as I could tell. I then decided to test the a/v protection by sending the eicar.com file and eicar.zip. It appears at least in the log files that they were "found" and quarantined; BUT....
in my log files I'm seeing the following weird entries, or are they normal?
=======================================
Oct 20 21:16:10 bcsrv1 ravmd[14845]: clean_failed
Oct 20 21:16:10 bcsrv1 ravmd[14845]: delete_failed
Oct 20 21:16:10 bcsrv1 ravmd[14845]: rejected
Oct 20 21:16:23 bcsrv1 ravmd[14896]: clean_failed
Oct 20 21:16:23 bcsrv1 ravmd[14896]: delete_failed
Oct 20 21:16:23 bcsrv1 ravmd[14896]: rejected
Oct 20 21:16:23 bcsrv1 ravmd[14900]: clean_failed
Oct 20 21:16:23 bcsrv1 ravmd[14900]: delete_failed
Oct 20 21:16:23 bcsrv1 ravmd[14900]: rejected
Oct 20 21:18:15 bcsrv1 ravmd[14989]: clean_failed
Oct 20 21:18:15 bcsrv1 ravmd[14989]: delete_failed
Oct 20 21:18:15 bcsrv1 ravmd[14989]: rejected
Oct 20 21:18:27 bcsrv1 ravmd[15034]: clean_failed
Oct 20 21:18:27 bcsrv1 ravmd[15034]: delete_failed
Oct 20 21:18:27 bcsrv1 ravmd[15034]: rejected
======================================
and the following keeps showing up in what appears to be a loop, or is this normal
======================================
Oct 20 21:01:02 bcsrv1 ravmd[14160]: scanning mail from to .
Oct 20 21:01:02 bcsrv1 ravmd[14160]: scanning file (RAV14159)>.
Oct 20 21:01:02 bcsrv1 ravmd[14160]: file_ok
Oct 20 21:01:02 bcsrv1 ravmd[14160]: scanning file (RAV14159)->(part0000:)>.
Oct 20 21:01:02 bcsrv1 ravmd[14160]: file_ok
Oct 20 21:01:02 bcsrv1 ravmd[14160]: end_ok.
Oct 20 21:01:03 bcsrv1 ravmd[14167]: scanning mail from to .
Oct 20 21:01:03 bcsrv1 ravmd[14167]: scanning file (RAV14166)>.
Oct 20 21:01:03 bcsrv1 ravmd[14167]: file_ok
Oct 20 21:01:03 bcsrv1 ravmd[14167]: scanning file (RAV14166)->(part0000:)>.
Oct 20 21:01:03 bcsrv1 ravmd[14167]: file_ok
Oct 20 21:01:03 bcsrv1 ravmd[14167]: end_ok.
Oct 20 21:01:37 bcsrv1 ravmd[14195]: scanning mail from to .
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file_ok
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0000:)>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file_ok
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0001:)>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file_ok
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0002:)>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file_ok
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0003:)>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file_ok
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0004:eicar_com.zip)>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file_ok
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0004:eicar_com.zip)->eicar.com>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: infected with EICAR_Test_File.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: file (RAV14194)> saved to .
Oct 20 21:01:38 bcsrv1 ravmd[14195]: recv_size=24
Oct 20 21:01:38 bcsrv1 last message repeated 3 times
Oct 20 21:01:38 bcsrv1 ravmd[14195]: clean_failed
Oct 20 21:01:38 bcsrv1 ravmd[14195]: recv_size=24
Oct 20 21:01:38 bcsrv1 ravmd[14195]: recv_size=24
Oct 20 21:01:38 bcsrv1 ravmd[14195]: delete_failed
Oct 20 21:01:38 bcsrv1 ravmd[14195]: recv_size=24
Oct 20 21:01:38 bcsrv1 ravmd[14195]: recv_size=24
Oct 20 21:01:38 bcsrv1 ravmd[14195]: rejected
Oct 20 21:01:38 bcsrv1 ravmd[14195]: end_infected.
Oct 20 21:01:38 bcsrv1 smtpd[14197]: SMTP HELO from bcsrv1.bridgesatbentcreek.com(192.168.1.1) as "bcsrv1.bridgesatbentcreek.com"
Oct 20 21:01:38 bcsrv1 smtpd[14197]: mail from
Oct 20 21:01:38 bcsrv1 smtpd[14197]: smtp connection from UNKNOWN@bcsrv1.bridgesatbentcreek.com(192.168.1.1) MAIL FROM: RCPT TO: , allowed by line 23 of /etc/smtpd_check_rules
Oct 20 21:01:38 bcsrv1 smtpd[14197]: Recipient
Oct 20 21:01:38 bcsrv1 smtpd[14197]: Received 977 bytes of message body from bcsrv1.bridgesatbentcreek.com(192.168.1.1)
Oct 20 21:01:41 bcsrv1 smtpfwdd[14200]: forwarding to recipient excrewmember@ctrlb.com
Oct 20 21:01:41 bcsrv1 ravmd[14203]: scanning mail from to .
Oct 20 21:01:42 bcsrv1 ravmd[14203]: scanning file (RAV14202)>.
Oct 20 21:01:42 bcsrv1 ravmd[14203]: file_ok
Oct 20 21:01:42 bcsrv1 ravmd[14203]: scanning file (RAV14202)->(part0000:)>.
Oct 20 21:01:42 bcsrv1 ravmd[14203]: file_ok
Oct 20 21:01:42 bcsrv1 ravmd[14203]: end_ok.
Oct 20 21:01:42 bcsrv1 smtpfwdd[14200]: smtpdV44r7E forwarded to 1 recipients
Oct 20 21:01:42 bcsrv1 ravmd[14207]: scanning mail from to .
Oct 20 21:01:43 bcsrv1 ravmd[14207]: scanning file (RAV14206)>.
Oct 20 21:01:43 bcsrv1 ravmd[14207]: file_ok
Oct 20 21:01:43 bcsrv1 ravmd[14207]: scanning file (RAV14206)->(part0000:)>.
Oct 20 21:01:43 bcsrv1 ravmd[14207]: file_ok
Oct 20 21:01:43 bcsrv1 ravmd[14207]: scanning file (RAV14206)->(part0001:)>.
Oct 20 21:01:43 bcsrv1 ravmd[14207]: file_ok
Oct 20 21:01:43 bcsrv1 ravmd[14207]: end_ok.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning mail from to .
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file_ok
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0000:)>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file_ok
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0001:)>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file_ok
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0002:)>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file_ok
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0003:)>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file_ok
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0004:eicar_com.zip)>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file_ok
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0004:eicar_com.zip)->eicar.com>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: infected with EICAR_Test_File.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: file (RAV14293)> saved to .
Oct 20 21:03:42 bcsrv1 ravmd[14294]: recv_size=24
Oct 20 21:03:42 bcsrv1 last message repeated 3 times
===========================================
(sorry for the long post)
Does anyone (Darrell?) know why I am seeing these entries, and are they normal or is there a problem with my setup?
Thanks for your help.
Regards,
Patrick
-
Have a look in /var/spool/rav/qmail. If there is a message in there and it is looping, simply delete it.
Regards,
Darrell
-
Darrell,
There are no messages showing in the /var/spool/rav/qmail directory. However, there are hundreds of files in the /var/spool/rav/quarantine directory with names such as this (RAV17096), and my log files continue to show the following types of messages...I'd say there is some problem here, and RAV is looping OR it is simply having a problem fixing/cleaning/deleting the virus perhaps?
Here are the messages in the logs:
=======================================================
Oct 21 10:04:38 bcsrv1 smtpd[17256]: SMTP HELO from bcsrv1.bridgesatbentcreek.com(192.168.1.1) as "bcsrv1.bridgesatbentcreek.com"
Oct 21 10:04:38 bcsrv1 smtpd[17256]: mail from
Oct 21 10:04:38 bcsrv1 smtpd[17256]: smtp connection from UNKNOWN@bcsrv1.bridgesatbentcreek.com(192.168.1.1) MAIL FROM: RCPT TO: , allowed by line 23 of /etc/smtpd_check_rules
Oct 21 10:04:38 bcsrv1 smtpd[17256]: Recipient
Oct 21 10:04:38 bcsrv1 smtpd[17256]: Received 977 bytes of message body from bcsrv1.bridgesatbentcreek.com(192.168.1.1)
Oct 21 10:04:41 bcsrv1 smtpfwdd[17266]: forwarding to recipient excrewmember@ctrlb.com
Oct 21 10:04:41 bcsrv1 ravmd[17269]: scanning mail from to .
Oct 21 10:04:42 bcsrv1 ravmd[17269]: scanning file (RAV17268)>.
Oct 21 10:04:42 bcsrv1 ravmd[17269]: file_ok
Oct 21 10:04:42 bcsrv1 ravmd[17269]: scanning file (RAV17268)->(part0000:)>.
Oct 21 10:04:42 bcsrv1 ravmd[17269]: file_ok
Oct 21 10:04:42 bcsrv1 ravmd[17269]: end_ok.
Oct 21 10:04:42 bcsrv1 smtpfwdd[17266]: smtpduTF3ck forwarded to 1 recipients
Oct 21 10:04:42 bcsrv1 ravmd[17273]: scanning mail from to .
Oct 21 10:04:42 bcsrv1 ravmd[17273]: scanning file (RAV17272)>.
Oct 21 10:04:42 bcsrv1 ravmd[17273]: file_ok
Oct 21 10:04:42 bcsrv1 ravmd[17273]: scanning file (RAV17272)->(part0000:)>.
Oct 21 10:04:42 bcsrv1 ravmd[17273]: file_ok
Oct 21 10:04:42 bcsrv1 ravmd[17273]: scanning file (RAV17272)->(part0001:)>.
Oct 21 10:04:42 bcsrv1 ravmd[17273]: file_ok
Oct 21 10:04:42 bcsrv1 ravmd[17273]: end_ok.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning mail from to .
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0000:)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0001:)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0002:)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0002:)->(part0000:)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0003:)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0004:eicar_com.zip)>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file_ok
Oct 21 10:04:46 bcsrv1 ravmd[17279]: scanning file (RAV17278)->(part0004:eicar_com.zip)->eicar.com>.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: infected with EICAR_Test_File.
Oct 21 10:04:46 bcsrv1 ravmd[17279]: file (RAV17278)> saved to .
Oct 21 10:04:46 bcsrv1 ravmd[17279]: recv_size=24
Oct 21 10:04:46 bcsrv1 last message repeated 3 times
Oct 21 10:04:46 bcsrv1 ravmd[17279]: clean_failed
Oct 21 10:04:46 bcsrv1 ravmd[17279]: recv_size=24
Oct 21 10:04:46 bcsrv1 ravmd[17279]: recv_size=24
Oct 21 10:04:46 bcsrv1 ravmd[17279]: delete_failed
Oct 21 10:04:46 bcsrv1 ravmd[17279]: recv_size=24
Oct 21 10:04:46 bcsrv1 ravmd[17279]: recv_size=24
Oct 21 10:04:46 bcsrv1 ravmd[17279]: rejected
Oct 21 10:04:46 bcsrv1 ravmd[17279]: end_infected.
Oct 21 10:04:46 bcsrv1 smtpd[17281]: SMTP HELO from bcsrv1.bridgesatbentcreek.com(192.168.1.1) as "bcsrv1.bridgesatbentcreek.com"
Oct 21 10:04:46 bcsrv1 smtpd[17281]: mail from
Oct 21 10:04:46 bcsrv1 smtpd[17281]: smtp connection from UNKNOWN@bcsrv1.bridgesatbentcreek.com(192.168.1.1) MAIL FROM: RCPT TO: , allowed by line 23 of /etc/smtpd_check_rules
Oct 21 10:04:46 bcsrv1 smtpd[17281]: Recipient
Oct 21 10:04:46 bcsrv1 smtpd[17281]: Received 977 bytes of message body from bcsrv1.bridgesatbentcreek.com(192.168.1.1)
Oct 21 10:04:51 bcsrv1 smtpfwdd[17294]: forwarding to recipient excrewmember@ctrlb.com
Oct 21 10:04:51 bcsrv1 ravmd[17297]: scanning mail from to .
Oct 21 10:04:52 bcsrv1 ravmd[17297]: scanning file (RAV17296)>.
Oct 21 10:04:52 bcsrv1 ravmd[17297]: file_ok
Oct 21 10:04:52 bcsrv1 ravmd[17297]: scanning file (RAV17296)->(part0000:)>.
Oct 21 10:04:52 bcsrv1 ravmd[17297]: file_ok
Oct 21 10:04:52 bcsrv1 ravmd[17297]: end_ok.
Oct 21 10:04:52 bcsrv1 smtpfwdd[17294]: smtpdVWc7OO forwarded to 1 recipients
Oct 21 10:04:52 bcsrv1 ravmd[17304]: scanning mail from to .
Oct 21 10:04:53 bcsrv1 ravmd[17304]: scanning file (RAV17303)>.
Oct 21 10:04:53 bcsrv1 ravmd[17304]: file_ok
Oct 21 10:04:53 bcsrv1 ravmd[17304]: scanning file (RAV17303)->(part0000:)>.
Oct 21 10:04:53 bcsrv1 ravmd[17304]: file_ok
Oct 21 10:04:53 bcsrv1 ravmd[17304]: scanning file (RAV17303)->(part0001:)>.
Oct 21 10:04:53 bcsrv1 ravmd[17304]: file_ok
Oct 21 10:04:53 bcsrv1 ravmd[17304]: end_ok.
Oct 21 10:06:42 bcsrv1 ravmd[17444]: scanning mail from to .
Oct 21 10:06:42 bcsrv1 ravmd[17444]: scanning file (RAV17443)>.
Oct 21 10:06:42 bcsrv1 ravmd[17444]: file_ok
Oct 21 10:06:43 bcsrv1 ravmd[17444]: scanning file (RAV17443)->(part0000:)>.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: file_ok
Oct 21 10:06:43 bcsrv1 ravmd[17444]: scanning file (RAV17443)->(part0001:)>.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: file_ok
Oct 21 10:06:43 bcsrv1 ravmd[17444]: scanning file (RAV17443)->(part0002:)>.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: file_ok
Oct 21 10:06:43 bcsrv1 ravmd[17444]: scanning file (RAV17443)->(part0003:)>.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: file_ok
Oct 21 10:06:43 bcsrv1 ravmd[17444]: scanning file (RAV17443)->(part0004:eicar_com.zip)>.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: file_ok
Oct 21 10:06:43 bcsrv1 ravmd[17444]: scanning file (RAV17443)->(part0004:eicar_com.zip)->eicar.com>.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: infected with EICAR_Test_File.
Oct 21 10:06:43 bcsrv1 ravmd[17444]: file (RAV17443)> saved to .
Oct 21 10:06:43 bcsrv1 ravmd[17444]: recv_size=24
Oct 21 10:06:43 bcsrv1 last message repeated 3 times
Oct 21 10:06:43 bcsrv1 ravmd[17444]: clean_failed
Oct 21 10:06:43 bcsrv1 ravmd[17444]: recv_size=24
Oct 21 10:06:43 bcsrv1 ravmd[17444]: recv_size=24
Oct 21 10:06:43 bcsrv1 ravmd[17444]: delete_failed
Oct 21 10:06:43 bcsrv1 ravmd[17444]: recv_size=24
Oct 21 10:06:43 bcsrv1 ravmd[17444]: recv_size=24
Oct 21 10:06:43 bcsrv1 ravmd[17444]: rejected
Oct 21 10:06:43 bcsrv1 smtpd[17446]: SMTP HELO from bcsrv1.bridgesatbentcreek.com(192.168.1.1) as "bcsrv1.bridgesatbentcreek.com"
Oct 21 10:06:43 bcsrv1 smtpd[17446]: mail from
Oct 21 10:06:43 bcsrv1 smtpd[17446]: smtp connection from UNKNOWN@bcsrv1.bridgesatbentcreek.com(192.168.1.1) MAIL FROM: RCPT TO: , allowed by line 23 of /etc/smtpd_check_rules
Oct 21 10:06:43 bcsrv1 smtpd[17446]: Recipient
Oct 21 10:06:43 bcsrv1 ravmd[17444]: end_infected.
Oct 21 10:06:43 bcsrv1 smtpd[17446]: Received 977 bytes of message body from bcsrv1.bridgesatbentcreek.com(192.168.1.1)
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning mail from to .
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0000:)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0001:)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0002:)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0002:)->(part0000:)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0003:)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0004:eicar_com.zip)>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file_ok
Oct 21 10:06:50 bcsrv1 ravmd[17460]: scanning file (RAV17459)->(part0004:eicar_com.zip)->eicar.com>.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: infected with EICAR_Test_File.
Oct 21 10:06:50 bcsrv1 ravmd[17460]: file (RAV17459)> saved to .
Oct 21 10:06:50 bcsrv1 ravmd[17460]: recv_size=24
Oct 21 10:06:50 bcsrv1 last message repeated 3 times
Oct 21 10:06:50 bcsrv1 ravmd[17460]: clean_failed
Oct 21 10:06:50 bcsrv1 ravmd[17460]: recv_size=24
Oct 21 10:06:50 bcsrv1 ravmd[17460]: recv_size=24
Oct 21 10:06:50 bcsrv1 ravmd[17460]: delete_failed
Oct 21 10:06:50 bcsrv1 ravmd[17460]: recv_size=24
Oct 21 10:06:50 bcsrv1 ravmd[17460]: recv_size=24
Oct 21 10:06:50 bcsrv1 ravmd[17460]: rejected
Oct 21 10:06:50 bcsrv1 ravmd[17460]: end_infected.
=====================================================
Any other ideas? Thanks.
Regards,
Patrick
-
Actually, Patrick, I ran into the same problem, and all the files in the quarantine directory began with -. Consequently, I couldn't delete them--rm -f * gave me an error about an invalid option.
I ended up removing RAV, nuking the quarantine directory entirely, and then reinstalling. Certainly a brute-force approach, but it worked.
-
Ok, well I didn't "see" any files in /var/spool/rav/qmail through MC (Midnight Commander), but when I run ls -al in that directory I get the following - so maybe that will help you guys to help me. I guess these are "hidden" directories - so how should I go about getting rid of them, and is it both or just one?
================================================
[root@bcsrv1 qmail]# ls -al
total 8
drwx--x--- 2 qmailq qmail 4096 Oct 21 11:44 .
drwxr-xr-x 4 root root 4096 Oct 20 16:38 ..
[root@bcsrv1 qmail]#
================================================
Dan - I'd like to try to fix this without removing and re-installing RAV, but if that's what it comes down to...well, thanks for the tip. Of course that wouldn't really make me feel comfortable that this won't happen again.
-
Patrick Basile wrote:
> [root@bcsrv1 qmail]# ls -al
> total 8
> drwx--x--- 2 qmailq qmail 4096 Oct 21 11:44 .
> drwxr-xr-x 4 root root 4096 Oct 20 16:38 ..
> [root@bcsrv1 qmail]#
> ================================================
It appears your ownership and directory rights are not set correctly. I would remove and reinstall RAV.
Darrell
-
Thanks, Darrell - I'll give that a try.
Below is the response I got from the folks at RAV, and I sent them another email earlier. No response to the second support request, but since RAV is in Europe maybe they were already out of the office.
===========================================
The log file looks OK, you have a working rav-qmail system. RAV scans every message that has the receiver or the sender domain in its configuration file. Every time it tries to clean the file (clean_failed), then to delete the file (delete_failed) and then it will reject the message.
For this test virus the clean is impossible because there is nothing to 'clean' in this case and the deletion is impossible because the file is inside an archive and we do not modify the users' archives as per policy.
Oct 20 22:53:53 bcsrv1 ravmd[21814]: recv_size=24
Oct 20 22:53:53 bcsrv1 ravmd[21814]: recv_size=24
Oct 20 22:53:53 bcsrv1 ravmd[21814]: delete_failed
Oct 20 22:53:53 bcsrv1 ravmd[21814]: recv_size=24
Oct 20 22:53:53 bcsrv1 ravmd[21814]: recv_size=24
Oct 20 22:53:53 bcsrv1 ravmd[21814]: rejected
The recv_size messages are some internal debug lines that will be removed in the next rav-qmail release.
=================================================
-
Well, it appears the un-install/re-install did not fix my issue. I followed Darrell's HOW TO and uninstalled RAV, and then deleted the quarantine directory. There was no /var/spool/rav/qmail directory to delete (I guessed that was killed in the uninstall); BUT...after I re-installed...sure enough there was the same Eicar test virus showing up in the qmail folder (!?!?!) and it looks like once again RAV is looping on this file.
=====================================================
Oct 22 22:59:32 bcsrv1 ravmd[29508]: scanning file (RAV29506)->(part0004:eicar_com.zip)->eicar.com>.
Oct 22 22:59:32 bcsrv1 ravmd[29508]: infected with EICAR_Test_File.
Oct 22 22:59:32 bcsrv1 ravmd[29508]: file (RAV29506)> saved to .
Oct 22 22:59:32 bcsrv1 ravmd[29508]: recv_size=24
Oct 22 22:59:32 bcsrv1 last message repeated 3 times
Oct 22 22:59:32 bcsrv1 ravmd[29508]: clean_failed
Oct 22 22:59:32 bcsrv1 ravmd[29508]: recv_size=24
Oct 22 22:59:32 bcsrv1 ravmd[29508]: recv_size=24
Oct 22 22:59:32 bcsrv1 ravmd[29508]: delete_failed
Oct 22 22:59:32 bcsrv1 ravmd[29508]: recv_size=24
Oct 22 22:59:32 bcsrv1 ravmd[29508]: recv_size=24
Oct 22 22:59:32 bcsrv1 ravmd[29508]: rejected
======================================================
What am I doing wrong? :(
Thanks for your help.
-
Don't know. However, as a guess, you may try the following to clear out this bogus e-mail:
cd /usr/local/rav8/etc
cp ravmd.conf ravmd.conf.1
pico /usr/local/rav8/etc/ravmd.conf
scroll down, change these '_define_actions' settings and save the file:
act_for_infected_files = ignore
act_for_suspicious_files = ignore
then restart rav:
/etc/rc.d/init.d/ravmail restart
This might allow the message to be delivered and clear the queue. Watch the logs to confirm. When it appears the problem clears, return the original config and restart rav again:
cd /usr/local/rav8/etc
mv ravmd.conf.1 ravmd.conf
/etc/rc.d/init.d/ravmail restart
If this does not work, follow up with rav directly.
Cheers,
Darrell
-
Darrell,
Your "guess" worked like a charm! Based on what I can see in the maillog file the Eicar test virus has gone through, and RAV is no longer looping on that message/virus.
Thanks a lot...your help is GREATLY appreciated! :)
Now I'm off to see about implementing the attachment blocking by file type...and hoping that goes without too many 'hitches'.
Regards,
Patrick
-
Patrick Basile wrote:
>
> Darrell,
>
> Your "guess" worked like a charm! Based on what I can see in
> the maillog file the Eicar test virus has gone through, and
> RAV is no longer looping on that message/virus.
>
> Thanks a lot...your help is GREATLY appreciated! :)
You're welcome. I'll add this solution into a Howto and post online.
Darrell
-
Hey guys,
RAV has been running on my e-smith 4.1.2 server for several days now, and for the most part appears to be working well. BUT, I've been noticing that some email causes the following LICENSE LIMIT message to occur, and it says the mail was "not scanned".
=========================================================
Oct 23 23:31:00 bcsrv1 smtpd[2548]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Oct 23 23:31:00 bcsrv1 smtpd[2548]: mail from
Oct 23 23:31:00 bcsrv1 smtpd[2548]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 22 of /etc/smtpd_check_rules
Oct 23 23:31:00 bcsrv1 smtpd[2548]: Recipient
Oct 23 23:31:00 bcsrv1 smtpd[2548]: Received 4683 bytes of message body from localhost(127.0.0.1)
Oct 23 23:31:00 bcsrv1 smtpfwdd[2551]: forwarding to recipient lgolden@mail.bridgesatbentcreek.com
Oct 23 23:31:00 bcsrv1 ravmd[2554]: LICENSE LIMIT: the mail (RAV2553)> sent by to was not scanned!
Oct 23 23:31:00 bcsrv1 smtpfwdd[2551]: smtpdeavLBx forwarded to 1 recipients
Oct 23 23:31:01 bcsrv1 ravmd[2565]: scanning mail from to .
Oct 23 23:31:01 bcsrv1 ravmd[2565]: scanning file (RAV2564)>.
Oct 23 23:31:01 bcsrv1 ravmd[2565]: file_ok
Oct 23 23:31:01 bcsrv1 ravmd[2565]: scanning file (RAV2564)->(part0000:)>.
Oct 23 23:31:01 bcsrv1 ravmd[2565]: file_ok
Oct 23 23:31:01 bcsrv1 ravmd[2565]: end_ok.
=========================================================
Any ideas on this? Is it because I'm running RAV in evaluation mode?
Also, this particular mail (and many others like it) appear to be spam. I've seen Darrell's HOW TO for adding procmail recipes by user, but is there a way to setup procmail with domain wide (all users) recipes to help curb the tide of spam?
As always, thanks for your help/tips/ideas/insight. :)
Regards,
Patrick
-
License has expired....
Remove RAV and restart your mail daemons again. Until then your mail is not processed.
HFW
-
HFW,
I am running RAV with the evaluation license, and it was just installed on the server last weekend...so I doubt an "expired" license is the problem. In fact, if you look down in my post you will see that RAV is scanning other files - or at least it says it is.
Thanks.
Patrick
-
Oops,
Sorry Patrick. You have to add all your virtual domains to the rav config file. The evaluation has 2 restrictions though, 30 days eval and max 2 domains.
RequestedDeletion
-
Okay, why is RAV giving this LICENSE LIMIT message? (see below)
It says the mail was not scanned!? Shouldn't it be scanning ALL mail?!?!
Any ideas? And yes, I do have RAV setup in the 'evaluation' mode at the moment.
Thanks.
===================================================
Nov 2 00:30:23 bcsrv1 smtpd[7583]: SMTP HELO from localhost(127.0.0.1) as "localhost"
Nov 2 00:30:23 bcsrv1 smtpd[7583]: mail from
Nov 2 00:30:23 bcsrv1 smtpd[7583]: smtp connection from UNKNOWN@localhost(127.0.0.1) MAIL FROM: RCPT TO: , allowed by line 22 of /etc/smtpd_check_rules
Nov 2 00:30:23 bcsrv1 smtpd[7583]: Recipient
Nov 2 00:30:23 bcsrv1 smtpd[7583]: Received 2162 bytes of message body from localhost(127.0.0.1)
Nov 2 00:30:30 bcsrv1 smtpfwdd[7588]: forwarding to recipient nknisely@mail.bridgesatbentcreek.com
Nov 2 00:30:30 bcsrv1 ravmd[7591]: LICENSE LIMIT: the mail (RAV7590)> sent by to was not scanned!
Nov 2 00:30:30 bcsrv1 ravmd[7596]: scanning mail from to .
Nov 2 00:30:30 bcsrv1 smtpfwdd[7588]: smtpdjmLDdB forwarded to 1 recipients
Nov 2 00:30:30 bcsrv1 ravmd[7596]: scanning file (RAV7595)>.
Nov 2 00:30:30 bcsrv1 ravmd[7596]: file_ok
Nov 2 00:30:30 bcsrv1 ravmd[7596]: scanning file (RAV7595)->(part0000:)>.
Nov 2 00:30:30 bcsrv1 ravmd[7596]: file_ok
Nov 2 00:30:30 bcsrv1 ravmd[7596]: end_ok.
========================================================
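An added log-triage example, not code from the thread or from RAV: it parses ravmd syslog lines in the format quoted throughout this thread, flags the pattern Patrick reported (the same infected attachment rejected by one scanner process after another, i.e. the message is being re-queued rather than dropped) and lists the LICENSE LIMIT messages that were delivered without a scan. The sample lines are constructed to mirror the quoted ones, and the threshold of three repeats is an assumption.

```python
"""Triage for ravmd (RAV mail scanner) syslog lines in the format quoted in this thread:
per-message outcome, repeated rejection of one infected object, and unscanned mail."""
import re
from collections import Counter

# Constructed sample modelled on the thread's quoted lines (not real server output).
SAMPLE_LOG = """\
Oct 20 21:01:38 bcsrv1 ravmd[14195]: scanning file (RAV14194)->(part0004:eicar_com.zip)->eicar.com>.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: infected with EICAR_Test_File.
Oct 20 21:01:38 bcsrv1 ravmd[14195]: clean_failed
Oct 20 21:01:38 bcsrv1 ravmd[14195]: delete_failed
Oct 20 21:01:38 bcsrv1 ravmd[14195]: rejected
Oct 20 21:01:38 bcsrv1 ravmd[14195]: end_infected.
Oct 20 21:01:42 bcsrv1 ravmd[14203]: scanning file (RAV14202)>.
Oct 20 21:01:42 bcsrv1 ravmd[14203]: end_ok.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: scanning file (RAV14293)->(part0004:eicar_com.zip)->eicar.com>.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: infected with EICAR_Test_File.
Oct 20 21:03:42 bcsrv1 ravmd[14294]: rejected
Oct 20 21:03:42 bcsrv1 ravmd[14294]: end_infected.
Oct 20 21:05:42 bcsrv1 ravmd[14380]: scanning file (RAV14379)->(part0004:eicar_com.zip)->eicar.com>.
Oct 20 21:05:42 bcsrv1 ravmd[14380]: infected with EICAR_Test_File.
Oct 20 21:05:42 bcsrv1 ravmd[14380]: rejected
Oct 20 21:05:42 bcsrv1 ravmd[14380]: end_infected.
Oct 23 23:31:00 bcsrv1 ravmd[2554]: LICENSE LIMIT: the mail (RAV2553)> sent by to was not scanned!
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ravmd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
FILE_RE = re.compile(r'^scanning file \(RAV\d+\)(?P<path>.*)>\.$')
INFECTED_RE = re.compile(r'^infected with (?P<name>.+?)\.?$')
ACTIONS = ('clean_failed', 'delete_failed', 'rejected')  # RAV's action sequence on a hit

def parse_scans(text):
    """One record per ravmd pid; each scanner process handles one message."""
    scans = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # smtpd/smtpfwdd and 'last message repeated' lines are not ravmd
        rec = scans.setdefault(m.group('pid'), {
            'pid': m.group('pid'), 'ts': m.group('ts'), 'path': '',
            'infection': None, 'actions': [], 'outcome': None, 'unscanned': False})
        msg = m.group('msg')
        if msg.startswith('LICENSE LIMIT:'):
            rec['unscanned'] = True           # mail passed through without a scan
        elif (f := FILE_RE.match(msg)):
            rec['path'] = f.group('path')     # last object scanned; on a hit, the infected one
        elif (i := INFECTED_RE.match(msg)):
            rec['infection'] = i.group('name')
        elif msg in ACTIONS:
            rec['actions'].append(msg)
        elif msg in ('end_ok.', 'end_infected.'):
            rec['outcome'] = msg.rstrip('.')
    return list(scans.values())

def find_rejection_loops(scans, min_repeats=3):
    """Same infection name and attachment path rejected by min_repeats or more
    separate scanner processes: the message is being re-queued, not dropped."""
    hits = Counter((s['infection'], s['path']) for s in scans
                   if s['infection'] and 'rejected' in s['actions'])
    return {key: n for key, n in hits.items() if n >= min_repeats}

def summarize(text, min_repeats=3):
    scans = parse_scans(text)
    return {
        'scans': len(scans),
        'clean': sum(s['outcome'] == 'end_ok' for s in scans),
        'infected': sum(s['outcome'] == 'end_infected' for s in scans),
        'loops': find_rejection_loops(scans, min_repeats),
        'unscanned': [s['pid'] for s in scans if s['unscanned']],
    }

if __name__ == '__main__':
    from pprint import pprint
    pprint(summarize(SAMPLE_LOG))
```

Point it at /var/log/maillog instead of SAMPLE_LOG and a non-empty 'loops' entry is the signature of the re-queue problem discussed above, while a non-empty 'unscanned' list means mail is reaching users without a scan.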