Posted to server-user@james.apache.org by Chris Simmons <ch...@NetChris.com> on 2004/04/22 01:05:35 UTC

Praxis Antivirus matcher

Hello:

I have been trying to get the Praxis antivirus matcher
(it.praxis.james.matchers.IsInfected) to work.  I am having an issue
however in that the antivirus program always errors out.  I am sure it's
something I've overlooked, not a problem with the matcher (probably
something with the Java language or system settings I'm missing).  In any
case, I'd like to pick y'all's brains anyway.  Here's the setup:
Linux (RedHat 9)
James 3.0a1 (Did the same thing with 2.1)
F-Prot Antivirus for Linux Workstations

Here is the config.xml section I have:
<!-- *** START SNIPPET *** -->
<mailet match="IsInfected=/usr/local/bin/f-prot -old -archive
-report=%reportFile% %targetDir%/*.tt,
/usr/local/james/virus_scanner_temp, true, 3" class="ToProcessor">
  <processor> virus </processor>
</mailet>
<!-- *** END SNIPPET *** -->


Here is a sample report file when f-prot is run by the matcher:
*** START FILE ***
Virus scanning report  -  11 April 2004 @ 22:01

F-PROT ANTIVIRUS
Program version: 4.3.2
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 8 April 2004
SIGN2.DEF created 8 April 2004
MACRO.DEF created 24 March 2004

Search: /usr/local/james/virus_scanner_temp/virus6422487423725853807/*.tt
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE
-REPORT=/usr/local/james/virus_scanner_temp/virus6422487423725853807/scanReport.txt -OLD

Error on reading
/usr/local/james/virus_scanner_temp/virus6422487423725853807/*.tt

Results of virus scanning:

Files: 0
MBRs: 0
Boot sectors: 0
Objects scanned: 0

Time: 0:00

No viruses or suspicious files/boot sectors were found.
*** END FILE ***

The only problem being reported as:
"Error on reading
/usr/local/james/virus_scanner_temp/virus6422487423725853807/*.tt"

To troubleshoot the problem, I recompiled the source and commented out the
code to delete the attachments.  I also logged the EXACT command line
being executed by the matcher.  After a mail arrived, I looked at the log,
got the command line and executed it (of course, verifying the temporary
file(s) were persisted instead of deleted).  Manually executing the
command line got me the following output:
*** START FILE ***
Virus scanning report  -  11 April 2004 @ 22:19

F-PROT ANTIVIRUS
Program version: 4.3.2
Engine version: 3.14.7

VIRUS SIGNATURE FILES
SIGN.DEF created 8 April 2004
SIGN2.DEF created 8 April 2004
MACRO.DEF created 24 March 2004

Search:
/usr/local/james/virus_scanner_temp/virus6422487423725853807/content50022.tt
Action: Report only
Files: Attempt to identify files
Switches: -ARCHIVE
-REPORT=/usr/local/james/virus_scanner_temp/virus6422487423725853807/scanReport.txt -OLD


Results of virus scanning:

Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1

Time: 0:00

No viruses or suspicious files/boot sectors were found.
*** END FILE ***

So, you see, the command is valid.  The next thing I thought was that
perhaps the file(s) hadn't had a chance to be written to disk before the
mailet executed the command (forgive my lack of knowledge of the Java
system - is this even possible?).  To disprove this theory, I hard-coded
the same command line in the matcher so that upon a mail arrival, the
matcher would just execute a known-good command on known-existing files.
Still no luck (same report file as above).

So, I'm stuck.  Does anyone have any idea what I may be doing wrong?

--
Thanks,
Chris Simmons
web@NetChris.com





Re: Praxis Antivirus matcher

Posted by Russ Ochsner <ru...@ochsner.net>.
Hi Chris,

I believe I ran into the same problem under both MacOS X and Win2k  
using clamav.

My guess is that the asterisk is not being expanded, probably because  
the IsInfected matcher is not opening up the AV program in a shell that  
can expand the wildcard.

I was able to get clamav working under MacOS X by having the matcher  
call a shell script (below) where I knew that the asterisk would be  
expanded into all the files. Under Win2k I couldn't get the same method  
to work. It turns out that you can pass a directory to clamav instead  
of just files, so I just used %targetDir% instead of %targetDir%/*.tt  
as the argument.

Hope this helps.
-Russ


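#!/bin/bash

# Log the arguments for troubleshooting
echo $* >> /private/tmp/clam.log

# Launch AntiVirus program
# $* is left unquoted on purpose: the shell word-splits it and expands the
# literal *.tt wildcard passed by the matcher into the matching file names.
/usr/local/bin/clamscan $*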





---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
For additional commands, e-mail: server-user-help@james.apache.org
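
An added example, not part of the original thread or of the Praxis matcher: a POSIX shell wrapper in the spirit of the script above that expands the `*.tt` pattern itself, refuses to run the scanner when nothing matches, and rejects an F-Prot style report that covered no files (the first report in the thread still ended with "No viruses ... were found"). The function names, the `SCANNER` variable and the abridged sample reports are assumptions constructed for illustration.

```shell
# Added example; scan_pattern, report_covers_files and SCANNER are hypothetical
# names, not part of James, the Praxis matcher or F-Prot.
SCANNER=${SCANNER:-/usr/local/bin/f-prot}

# Usage: scan_pattern PATTERN [scanner options...]
# Expands a literal pattern such as "/dir/*.tt" and runs the scanner on the
# matches. Exits 2 without running anything when no file matches, so an
# unexpanded wildcard can never pass as a clean scan.
scan_pattern() (
    pattern=$1; shift
    IFS=                          # null IFS: no word splitting, globbing still applies
    first=
    for f in $pattern; do first=$f; break; done
    [ -e "$first" ] || exit 2     # pattern stayed literal: fail closed
    "$SCANNER" "$@" $pattern      # each file name arrives as one intact argument
)

# Reads a report on stdin. Succeeds only when there is no "Error on reading"
# line and the numeric "Files:" count is above zero. The report also contains
# a non-numeric "Files: Attempt to identify files" line, which is skipped.
report_covers_files() {
    awk '
        /^Error on reading/               { err = 1 }
        $1 == "Files:" && $2 ~ /^[0-9]+$/ { n = $2 }
        END { if (err || n + 0 == 0) exit 1 }
    '
}

# Constructed samples, abridged from the two reports quoted in the thread.
sample_report_unexpanded() {
    cat <<'EOF'
Search: /usr/local/james/virus_scanner_temp/virus6422487423725853807/*.tt
Files: Attempt to identify files
Error on reading
/usr/local/james/virus_scanner_temp/virus6422487423725853807/*.tt
Files: 0
Objects scanned: 0
No viruses or suspicious files/boot sectors were found.
EOF
}
sample_report_expanded() {
    cat <<'EOF'
Search: /usr/local/james/virus_scanner_temp/virus6422487423725853807/content50022.tt
Files: Attempt to identify files
Files: 1
Objects scanned: 1
No viruses or suspicious files/boot sectors were found.
EOF
}
```

A caller would treat exit status 2 from `scan_pattern`, or a failing `report_covers_files`, as a scan error rather than as a clean result.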


RE: Why does my mail go into the recipient's bulk folder instead of his inbox

Posted by "Noel J. Bergman" <no...@devtech.com>.
> James is sending my mail, but it seems to go into the
> recipient's bulk folder instead of his inbox.

My guess is that your computer is in a DHCP pool, which many mail systems
consider to be a priori spam.

	--- Noel




Why does my mail go into the recipient's bulk folder instead of his inbox

Posted by Amarish Khopkar <am...@yahoo.com>.
I'm having an interesting problem, where James is
sending my mail, but it seems to go into the
recipient's bulk folder instead of his inbox.  Any
idea why?

Amarish

