[Postfixbuch-users] amavisd-new finds no viruses, only blocked file extensions
Carsten Henkel
carsten at chatlabel.de
Mon Jan 3 09:04:20 CET 2005
Good morning,
I am using SUSE Linux 9.1 with amavis, AntiVir, clam and SpamAssassin.
Via testvirus.de you can have a test virus mailed to you; that one is
detected, because it is a blocked .exe extension. But when I send
myself an eicar.zip, it is delivered without any virus being reported.
The mail itself does go through the scanner, though:
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) Passed, <carsten at chatlabel.de> -> <carsten at chatlabel.de>, Message-ID: <1326565394.20050103085224 at chatlabel.de>, Hits: -
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) sending SMTP response: "250 2.6.0 Ok, id=04788-05, from MTA: 250 Ok: queued as 43FA0C0125"
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) timer stopped after DATA end
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) rmdir_recursively: /var/spool/amavis/amavis-20050103T082529-04788/parts, excl=1
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) TIMING [total 10195 ms] - SMTP EHLO: 3 (0%), SMTP pre-MAIL: 3 (0%), SMTP pre-DATA-flush: 6 (0%), SMTP DATA: 36 (0%), body hash: 1 (0%), mime_decode: 35 (0%), get-file-type: 16 (0%), get-file-type: 7 (0%), decompose_part: 5 (0%), decompose_part: 8 (0%), get-file-type: 7 (0%), decompose_part: 10 (0%), get-file-type: 8 (0%), decompose_part: 4 (0%), parts: 0 (0%), fwd-connect: 9940 (98%), fwd-mail-from: 3 (0%), fwd-rcpt-to: 3 (0%), write-header: 7 (0%), fwd-data: 1 (0%), fwd-data-end: 74 (1%), fwd-rundown: 3 (0%), unlink-2-files: 14 (0%), rundown: 1 (0%)
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) ESMTP> 250 2.6.0 Ok, id=04788-05, from MTA: 250 Ok: queued as 43FA0C0125
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) prolong_timer after reading SMTP command: remaining time = 0 s
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) ESMTP< QUIT\r\n
Jan 3 09:04:31 london.chatlabel.de amavisd[4788]: (04788-05) ESMTP> 221 2.0.0 [127.0.0.1] (amavisd) closing transmission channel
here is my amavis.conf:
use strict;
$MYHOME = '/var/spool/amavis';
$daemon_user = 'vscan';
$daemon_group = 'vscan';
# (only the tail of a multi-line string assignment survived in the post; the lines before it are missing)
<%o> -> [<%R>|,][? %i ||, quarantine %i], Message-ID: %m, Hits: %c';
$final_spam_destiny = D_PASS;
$viruses_that_fake_sender_re = new_RE(
qr'nimda|hybris|klez|bugbear|yaha|braid|sobig|fizzer|palyh|peido|holar'i,
qr'tanatos|lentin|bridex|mimail|trojan\.dropper|dumaru|parite|spaces'i,
qr'dloader|galil|gibe|swen|netwatch|bics|sbrowse|sober|rox|val(hal)?la'i,
qr'frethem|sircam|be?agle|tanx|mydoom|novarg|shimg|netsky|somefool|moodown'i,
[qr'^(EICAR|Joke\.|Junk\.)'i => 0],
[qr'^(WM97|OF97|W95/CIH-|JS/Fort)'i => 0],
);
$virus_admin = "virusalert\@$mydomain";
$mailfrom_notify_admin = "virusalert\@$mydomain";
$mailfrom_notify_recip = "virusalert\@$mydomain";
$mailfrom_notify_spamadmin = "spam.police\@$mydomain";
$QUARANTINEDIR = '/var/spool/amavis/virusmails';
$spam_quarantine_to = undef;
$X_HEADER_LINE = "by amavisd-new at $mydomain";
$keep_decoded_original_re = new_RE(
qr'^(ASCII(?! cpio)|text|uuencoded|xxencoded|binhex)'i,
);
$banned_filename_re = new_RE(
qr'^application/x-msdos-program$'i,
);
$blacklist_sender_re = new_RE(
qr'^(bulkmail|offers|cheapbenefits|earnmoney|foryou|greatcasino)@'i,
qr'^(investments|lose_weight_today|market.alert|money2you|MyGreenCard)@'i,
qr'^(new\.tld\.registry|opt-out|opt-in|optin|saveonlsmoking2002k)@'i,
qr'^(specialoffer|specialoffers|stockalert|stopsnoring|wantsome)@'i,
qr'^(workathome|yesitsfree|your_friend|greatoffers)@'i,
qr'^(inkjetplanet|marketopt|MakeMoney)\d*@'i,
);
# whitelist entries: the list archive rewrote '@' as ' at '; restored so that qw() keeps each address whole
map { $whitelist_sender{lc($_)}=1 } (qw(
nobody@cert.org
owner-alert@iss.net
slashdot@slashdot.org
bugtraq@securityfocus.com
NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
security-alerts@linuxsecurity.com
amavis-user-admin@lists.sourceforge.net
notification-return@lists.sophos.com
mailman-announce-admin@python.org
owner-postfix-users@postfix.org
owner-postfix-announce@postfix.org
owner-sendmail-announce@Lists.Sendmail.ORG
owner-technews@postel.ACM.ORG
lvs-users-admin@LinuxVirtualServer.org
ietf-123-owner@loki.ietf.org
cvs-commits-list-admin@gnome.org
rt-users-admin@lists.fsck.com
clp-request@comp.nus.edu.sg
surveys-errors@lists.nua.ie
emailNews@genomeweb.com
owner-textbreakingnews@CNNIMAIL12.CNN.COM
yahoo-dev-null@yahoo-inc.com
returns.groups.yahoo.com
));
$path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
$gzip = 'gzip';
$bzip2 = 'bzip2';
$lzop = 'lzop';
$uncompress = ['uncompress', 'gzip -d', 'zcat'];
$unfreeze = ['unfreeze', 'freeze -d', 'melt', 'fcat'];
$arc = ['nomarch', 'arc'];
$zoo = 'zoo';
$lha = 'lha';
$sa_tag2_level_deflt = 5.0;
@av_scanners = (
['Clam Antivirus-clamd',
\&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamav/clamd"],
qr/\bOK$/, qr/\bFOUND$/,
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
['KasperskyLab AVP - aveclient',
['/usr/local/kav/bin/aveclient','/usr/local/share/kav/bin/aveclient',
'/opt/kav/bin/aveclient','aveclient'],
'-p /var/run/aveserver -s {}/*', [0,3,6,8], qr/\b(INFECTED|SUSPICION)\b/,
qr/(?:INFECTED|SUSPICION) (.+)/,
],
['KasperskyLab AntiViral Toolkit Pro (AVP)', ['avp'],
'-* -P -B -Y -O- {}', [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
qr/infected: (.+)/,
sub {chdir('/opt/AVP') or die "Can't chdir to AVP: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
['KasperskyLab AVPDaemonClient',
[ '/opt/AVP/kavdaemon', 'kavdaemon',
'/opt/AVP/AvpDaemonClient', 'AvpDaemonClient',
'/opt/AVP/AvpTeamDream', 'AvpTeamDream',
'/opt/AVP/avpdc', 'avpdc' ],
"-f=$TEMPBASE {}", [0,8,16,24], [2,3,4,5,6, 18,19,20,21,22],
qr/infected: ([^\r\n]+)/ ],
['H+BEDV AntiVir or CentralCommand Vexira Antivirus',
['antivir','vexira'],
'--allfiles -noboot -nombr -rs -s -z {}', [0], qr/ALERT:|VIRUS:/,
qr/(?x)^\s* (?: ALERT: \s* (?: \[ | [^']* ' ) |
(?i) VIRUS:\ .*?\ virus\ '?) ( [^\]\s']+ )/ ],
['Command AntiVirus for Linux', 'csav',
'-all -archive -packed {}', [50], [51,52,53],
qr/Infection: (.+)/ ],
['Symantec CarrierScan via Symantec CommandLineScanner',
'cscmdline', '-a scan -i 1 -v -s 127.0.0.1:7777 {}',
qr/^Files Infected:\s+0$/, qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
['Symantec AntiVirus Scan Engine',
'savsecls', '-server 127.0.0.1:7777 -mode scanrepair -details -verbose {}',
[0], qr/^Infected\b/,
qr/^(?:Info|Virus Name):\s+(.+)/ ],
['drweb - DrWeb Antivirus',
['/usr/local/drweb/drweb', '/opt/drweb/drweb', 'drweb'],
'-path={} -al -go -ot -cn -upn -ok-',
[0,32], [1,33], qr' infected (?:with|by)(?: virus)? (.*)$'],
['F-Secure Antivirus', 'fsav',
'--dumb --mime --archive {}', [0], [3,8],
qr/(?:infection|Infected|Suspected): (.+)/ ],
['CAI InoculateIT', 'inocucmd',
'-sec -nex {}', [0], [100],
qr/was infected by virus (.+)/ ],
['MkS_Vir for Linux (beta)', ['mks32','mks'],
'-s {}/*', [0], [1,2],
qr/--[ \t]*(.+)/ ],
['MkS_Vir daemon',
'mksscan', '-s -q {}', [0], [1..7],
qr/^... (\S+)/ ],
['ESET Software NOD32', 'nod32',
'-all -subdir+ {}', [0], [1,2],
qr/^.+? - (.+?)\s*(?:backdoor|joke|trojan|virus|worm)/ ],
['ESET Software NOD32 - Client/Server Version', 'nod32cli',
'-a -r -d recurse --heur standard {}', [0], [10,11],
qr/^\S+\s+infected:\s+(.+)/ ],
['Norman Virus Control v5 / Linux', 'nvccmd',
'-c -l:0 -s -u {}', [0], [1],
qr/(?i).* virus in .* -> \'(.+)\'/ ],
['Panda Antivirus for Linux', ['pavcl'],
'-aut -aex -heu -cmp -nbr -nor -nso -eng {}',
qr/Number of files infected[ .]*: 0(?!\d)/,
qr/Number of files infected[ .]*: 0*[1-9]/,
qr/Found virus :\s*(\S+)/ ],
['NAI McAfee AntiVirus (uvscan)', 'uvscan',
'--secure -rv --mime --summary --noboot - {}', [0], [13],
qr/(?x) Found (?:
\ the\ (.+)\ (?:virus|trojan) |
\ (?:virus|trojan)\ or\ variant\ ([^ ]+) |
:\ (.+)\ NOT\ a\ virus)/,
],
['VirusBuster', ['vbuster', 'vbengcl'],
"{} -ss -i '*' -log=$MYHOME/vbuster.log", [0], [1],
qr/: '(.*)' - Virus/ ],
['CyberSoft VFind', 'vfind',
# (the scanner arguments and result patterns for this entry are missing from the post)
],
['Ikarus AntiVirus for Linux', 'ikarus',
'{}', [0], [40], qr/Signature (.+) found/ ],
['BitDefender', 'bdc',
'--all --arc --mail {}', qr/^Infected files *:0(?!\d)/,
qr/^(?:Infected files|Identified viruses|Suspect files) *:0*[1-9]/,
qr/(?:suspected|infected): (.*)$/ ],
);
@av_scanners_backup = (
['Clam Antivirus - clamscan', 'clamscan',
'--stdout --no-summary -r {}', [0], [1],
qr/^.*?: (?!Infected Archive)(.*) FOUND$/ ],
['FRISK F-Prot Antivirus', ['f-prot','f-prot.sh'],
'-dumb -archive -packed {}', [0,8], [3,6],
qr/Infection: (.+)/ ],
['Trend Micro FileScanner', ['/etc/iscan/vscan','vscan'],
'-za -a {}', [0], qr/Found virus/, qr/Found virus (.+) in/ ],
['KasperskyLab kavscanner', ['/opt/kav/bin/kavscanner','kavscanner'],
'-i1 -xp {}', [0,10,15], [5,20,21,25],
qr/(?:CURED|INFECTED|CUREFAILED|WARNING|SUSPICION) (.*)/ ,
sub {chdir('/opt/kav/bin') or die "Can't chdir to kav: $!"},
sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
],
);
Can somebody please point me in the right direction?
Regards and thanks
--
Kind regards
Carsten Henkel mailto:carsten at chatlabel.de
When I speak of punctuality and reliability, I do not mean mechanical, bureaucratic behaviour, but behaviour that springs from respect for the other person. (J. R. Becher)
This text was chosen at random and has nothing to do with the recipient of the e-mail.
Carsten Henkel
Passauer Straße 7
94577 Winzer
tel.: 0049 (0)180-3684398-360
fax.: 0049 (0)180-3684398-039
http://chatlabel.de
http://radio.chatlabel.de
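A small log checker, added here as an example and not part of the original post or of amavisd-new itself: it parses amavisd's per-task TIMING line and flags tasks that were Passed although no scanner phase appears in the timing, which is what the posted log shows (no virus-scan or SpamAssassin entry, and 98% of the time spent in fwd-connect). The phase labels "virus scan"/"AV-scan" and "SA check" are assumed amavisd-new labels, and the sample log is constructed, modelled on the lines in the post with the addresses replaced.

```python
import re
from collections import defaultdict

# Constructed sample log (addresses replaced with example.org).
# Task 04788-05 mirrors the post: "Passed" with no scanner phase in TIMING.
# Task 04790-01 is an invented healthy task whose TIMING contains scanner phases.
SAMPLE_LOG = """\
Jan 3 09:04:31 london amavisd[4788]: (04788-05) Passed, <a@example.org> -> <b@example.org>, Message-ID: <x@example.org>, Hits: -
Jan 3 09:04:31 london amavisd[4788]: (04788-05) TIMING [total 10195 ms] - SMTP EHLO: 3 (0%), SMTP DATA: 36 (0%), mime_decode: 35 (0%), get-file-type: 16 (0%), get-file-type: 7 (0%), decompose_part: 5 (0%), parts: 0 (0%), fwd-connect: 9940 (98%), fwd-data-end: 74 (1%), rundown: 1 (0%)
Jan 3 09:06:02 london amavisd[4790]: (04790-01) Passed, <a@example.org> -> <b@example.org>, Message-ID: <y@example.org>, Hits: 1.2
Jan 3 09:06:02 london amavisd[4790]: (04790-01) TIMING [total 812 ms] - SMTP EHLO: 2 (0%), mime_decode: 30 (4%), parts: 0 (0%), virus scan: 140 (17%), SA parse: 8 (1%), SA check: 560 (69%), fwd-connect: 40 (5%), rundown: 1 (0%)
"""

TASK_RE = re.compile(r"amavisd\[\d+\]: \((?P<task>[\d-]+)\) (?P<rest>.*)$")
PHASE_RE = re.compile(r"(?P<name>[^,]+?): (?P<ms>\d+) \(\d+%\)")
# Assumed labels amavisd-new uses for the scanner phases in its TIMING line.
AV_PHASES = re.compile(r"virus scan|AV-scan", re.IGNORECASE)
SA_PHASES = re.compile(r"SA check", re.IGNORECASE)

def parse_timing(rest):
    """Return {phase: total ms}; repeated phases (e.g. get-file-type) are summed."""
    body = rest.split(" - ", 1)[1]
    phases = defaultdict(int)
    for m in PHASE_RE.finditer(body):
        phases[m.group("name").strip()] += int(m.group("ms"))
    return dict(phases)

def audit(log_text):
    """Per task id: the verdict and whether an AV / SpamAssassin phase was timed."""
    tasks = defaultdict(dict)
    for line in log_text.splitlines():
        m = TASK_RE.search(line)
        if not m:
            continue
        task, rest = m.group("task"), m.group("rest")
        if rest.startswith("TIMING"):
            t = parse_timing(rest)
            tasks[task]["av_ran"] = any(AV_PHASES.search(p) for p in t)
            tasks[task]["sa_ran"] = any(SA_PHASES.search(p) for p in t)
            tasks[task]["slowest"] = max(t, key=t.get)  # where the wall time went
        elif rest.startswith(("Passed", "Blocked")):
            tasks[task]["verdict"] = rest.split(",", 1)[0]
    return dict(tasks)

def unscanned_passes(log_text):
    """Task ids delivered as Passed without any AV phase: the condition seen in the post."""
    return sorted(t for t, r in audit(log_text).items()
                  if r.get("verdict", "").startswith("Passed") and not r.get("av_ran", False))

if __name__ == "__main__":
    for task, result in audit(SAMPLE_LOG).items():
        print(task, result)
    print("passed without AV phase:", unscanned_passes(SAMPLE_LOG))
```

Run it against a real amavisd log with `audit(open("/var/log/mail").read())`; a task that shows up in `unscanned_passes` was handed back to the MTA without a timed scanner phase, so the scanner configuration rather than the signature set is the first thing to check.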