Mailing List CGatePro@mail.stalker.com Message #103278
From: Nicolas Hatier <nicolas.hatier@niversoft.com>
Subject: Re: Can't get cgpav to work with cgpro
Date: Thu, 03 May 2012 14:50:42 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>

From your log excerpt, we can't tell why your filter doesn't work, as cgpav seems to remember messages it already scanned and won't scan them twice (inp(041): * 674 Previously-scanned message detected). Please try with a different message, and send the log excerpt if relevant.

If you decide to purchase CGP-ClamAV, you won't need your existing clamav installation, including clamd and freshclam.

Regards
Nicolas Hatier

On 2012-05-03 13:34, Jonathan Weinraub wrote:

I actually was considering Niversoft. I already own their skin. Was also considering their winmail.dat converter too but was under the impression their filter was just a fork of what I'm using now. I'll give it a shot but I'd really like to know why the free one doesn't work. The very least to satisfy my curiosity... So if I use Niver's, do I need to remove the daemons I have now, the freshclam, etc?


From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On Behalf Of Nicolas Hatier
Sent: Wednesday, May 02, 2012 4:45 PM
To: CommuniGate Pro Discussions
Subject: Re: Can't get cgpav to work with cgpro

 


I would say the answer is on this line:
inp(041): * 674 Previously-scanned message detected

Try again with another message.

The last time I tested it, a few years ago, the cgpav+clamav pair had one issue processing CGP messages.

First, a disclaimer, we sell a cgp antivirus helper which relies on the ClamAV engine but does not have the issue described, so this may sound like a sales pitch, and probably is, but this is still a real issue:

ClamAV (clamd, clamdscan, etc), as installed by default, scans a whole file. There are magic numbers and detection methods in libclamav to determine the type of file to be scanned, and perform the correct extraction action to scan all parts.

Unfortunately, the CGP envelope information prevents libclamav from correctly detecting the type of a CGP message. It identifies it as a plain mbox file and is able to do a shallow scan on it. However, if there was a virus embedded, for instance, in a zip file contained in an rfc822 mime part, libclamav wouldn't extract it and wouldn't be able to detect the virus.

Due to its architecture, relying on the communication channel with clamd, cgpav has only one way to fix this issue - by making a copy of the message file to scan, without the cgp envelope information. I just re-checked the cgpav code and I didn't find any indication of it doing so, but I may be wrong. Nevertheless, if cgpav does copy the file, this means a performance hit on the processing.

Also, having to perform type detection on the file is quite useless for a mail scanner as we should already know it's a mail file. cgpav connects CGP with a "general-purpose" virus scanner.

This said, cgpav is, as far as I know, excellent with SpamAssassin.

We solved these issues and improved the virus-scanning performance by linking the clamav engine directly in our helper, and by modifying its entry points to use the correct mail scanning procedure without detection. No inter-process communication, no magic numbers involved, we got rid of the clamd/clamav client and just integrated the clamav engine directly in a dedicated CGP helper, CGP-ClamAV.

I'm pretty sure other people on the list who run CGP-ClamAV would agree CGP-ClamAV is fire and forget, as the filter also automatically updates its virus database as soon as a new one is available. And it's not even expensive.

Best regards
Nicolas Hatier

Nicolas Hatier, ing. <nicolas.hatier@niversoft.com>
Niversoft idées logicielles - http://www.niversoft.com
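
The envelope-stripping copy described in the message above, as an added example (not code from cgpav, CGP-ClamAV or the original post). It assumes the envelope ends at the first empty line, as the cgpsa log in this thread suggests; the function names are hypothetical and the sample queue file is constructed.

```python
import os
import re
import tempfile

# Constructed sample: envelope lines modelled on the cgpsa log in this thread,
# then the empty line that ends the envelope, then the RFC 822 message.
SAMPLE_QUEUE_FILE = (
    b"P I 30-04-2012 19:52:14 0000 ____ ____ <sender@example.net>\n"
    b"R W 30-04-2012 19:52:14 0000 ____ _FY_ <rcpt@example.net>\n"
    b"S PIPE [0.0.0.0]\n"
    b"O T\n"
    b"\n"
    b"From: sender@example.net\r\n"
    b"Subject: constructed test\r\n"
    b"\r\n"
    b"body\r\n"
)
HEADER_FIELD = re.compile(rb"^[!-9;-~]+:")  # printable field name, then ':'


def split_envelope(raw: bytes):
    """Return (envelope_lines, message_bytes), splitting at the first empty line."""
    envelope, rest = [], raw
    while b"\n" in rest:
        line, rest = rest.split(b"\n", 1)
        line = line.rstrip(b"\r")
        if not line:
            return envelope, rest
        envelope.append(line.decode("latin-1"))
    # No terminator found: refuse rather than hand the scanner a guess.
    raise ValueError("no empty line ending the envelope")


def looks_like_message(data: bytes) -> bool:
    """Heuristic only (not libclamav's detection): data starts with a header field."""
    return HEADER_FIELD.match(data) is not None


def write_scan_copy(raw: bytes, directory=None) -> str:
    """Write the message without its envelope to a temp file; the caller deletes it."""
    _, message = split_envelope(raw)
    if not looks_like_message(message):
        raise ValueError("data after the envelope does not start with a header field")
    fd, path = tempfile.mkstemp(suffix=".eml", dir=directory)  # owner-only on POSIX
    with os.fdopen(fd, "wb") as handle:
        handle.write(message)
    return path
```

The returned path is what would be handed to the scanner in place of the queue file; the extra write per message is the performance cost mentioned above.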


On 2012-05-02 16:07, Jonathan Weinraub wrote:

I had set up cgpav and cgpsa on my web/mail server. I got SpamAssassin working fine, just I can't get ClamAV to actually work. Well, it works from the command prompt, but it doesn't work with cgpro itself, it just says OK.

See the below logs for reference.

Any assistance would be greatly appreciated.

Thanks.....

15:52:14.003 4 EXTFILTER(cgpav) out(026): 673 FILE Queue/130676.msg\n
15:52:14.008 4 EXTFILTER(cgpav) inp(006): 673 OK
15:52:14.008 4 EXTFILTER(cgpsa) out(026): 674 FILE Queue/130676.msg\n
15:52:14.016 4 EXTFILTER(cgpsa) inp(072): * 674 Processing CGP header line: P I 30-04-2012 19:52:14 0000 ____ ____
15:52:14.016 4 EXTFILTER(cgpsa) inp(038): * 674   <jonathan@myserver.net>\n
15:52:14.017 4 EXTFILTER(cgpsa) inp(045): * 674 Return-Path: jonathan@myserver.net
15:52:14.017 4 EXTFILTER(cgpsa) inp(093): * 674 Processing CGP header line: R W 30-04-2012 19:52:14 0000 ____ _FY_ <jon@myserver.net>\n
15:52:14.017 4 EXTFILTER(cgpsa) inp(062): * 674 Using default SpamAssassin settings for jon@myserver.net
15:52:14.017 4 EXTFILTER(cgpsa) inp(052): * 674 Processing CGP header line: S PIPE [0.0.0.0]\n
15:52:14.017 4 EXTFILTER(cgpsa) inp(039): * 674 Processing CGP header line: O T\n
15:52:14.017 4 EXTFILTER(cgpsa) inp(036): * 674 Processing CGP header line: \n
15:52:14.017 4 EXTFILTER(cgpsa) inp(037): * 674 Finished processing CGP headers
15:52:14.018 4 EXTFILTER(cgpsa) inp(041): * 674 Previously-scanned message detected
15:52:14.018 4 EXTFILTER(cgpsa) inp(006): 674 OK
15:52:14.018 2 QUEUE([130676]) enqueued
15:52:14.021 2 MAILBOX(jonathan/INBOX) {558} appended @4557186: 59+1561 bytes
15:52:14.022 2 MAILBOX(jonathan/INBOX) [130676] stored as {558}
15:52:14.022 2 ACCOUNT(jonathan) [130676] delivered
15:52:14.022 2 DEQUEUER [130676] LOCAL(jonathan) delivered: Delivered to the user mailbox

web:/var/CommuniGate# ./cgpav
1 FILE eicar.com
1 ADDHEADER "X-Virus-Flag: Yes"


web:/var/CommuniGate# clamscan
/var/CommuniGate/ProcessID: OK
/var/CommuniGate/cgpav: OK
/var/CommuniGate/cgpsa: OK
/var/CommuniGate/@: OK
/var/CommuniGate/eicar.com: Eicar-Test-Signature FOUND
/var/CommuniGate/spam.msg: OK

----------- SCAN SUMMARY -----------
Known viruses: 1208850
Engine version: 0.97.3
Scanned directories: 1
Scanned files: 6
Infected files: 1
Data scanned: 0.21 MB
Data read: 0.14 MB (ratio 1.53:1)
Time: 8.048 sec (0 m 8 s)

web:/var/CommuniGate# ps aux | grep cgp
root      5566  0.0  0.0      0     0 ?        Z    16:50   0:00 [cgpsa] <defunct>
root      5573  0.0  0.1   1812   572 ttyp0    S+   16:51   0:00 grep cgp
root     26549  0.0  0.2   4368  1056 ?        S    Apr14   0:00 /var/CommuniGate/cgpav
root     31784  0.0  6.2  37088 32828 ?        S    15:44   0:02 /usr/bin/perl /var/CommuniGate/cgpsa

#############################################################
This message is sent to you because you are subscribed to
  the mailing list <CGatePro@mail.stalker.com>.
To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
Send administrative queries to  <CGatePro-request@mail.stalker.com>
#############################################################
