[opensuse-security] antivir 3.1.3.4 question
I have been using antivir with amavisd-new for years. Late last year, updates were having a hard time, so I updated it to version 3, and after some work got it running OK (though it required the avguard daemon running). Lately, it has been failing to update, though I found updating via product=Scanner would work. Figuring I may need to update soon, I downloaded the latest, 3.1.3.4.

After some work, I think I have it working, but have one question. Unlike previous versions, it appears to me that only root can now scan, meaning a user and amavis now fail unless I set the scanning file, avscan, SUID. I am not that comfortable setting a program SUID that would be interacting with possible viruses, and it is not the default permission. How bad is it to run this SUID? Does anyone else have any better understanding of the latest antivir?

I believe the below will illustrate my point and findings so far.

jmorris:/home/joe # cd /usr/lib/AntiVir/guard/
jmorris:/usr/lib/AntiVir/guard # chmod 755 avscan
jmorris:/usr/lib/AntiVir/guard # ls -l avscan
-rwxr-xr-x 1 root vscan 2182456 2010-03-26 09:04 avscan
jmorris:/usr/lib/AntiVir/guard # avscan --allfiles
Avira AntiVir Personal (ondemand scanner)
Copyright (C) 2010 by Avira GmbH. All rights reserved.
SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.1.204
VDF-Version: 7.10.5.241 created 20100326
AntiVir license: 0000149996
Info: automatically excluding /sys/ from scan (special fs)
Info: automatically excluding /proc/ from scan (special fs)
Info: automatically excluding /var/spool/amavis/virusmails/ from scan (quarantine)
scan progress: directory "/usr/lib/AntiVir/guard/"
scan progress: symbolic link "/usr/lib/AntiVir/guard/libdazuko.so" points to an earmarked file (skipped)
------ scan results ------
directories: 1
scanned files: 97
skipped: 3
alerts: 0
suspicious: 0
scan time: 00:00:01
--------------------------
jmorris:/usr/lib/AntiVir/guard # rcavguard stop
Stopping AVIRA AntiVir Workstation Personal ...
Stopping: avguard.bin done
jmorris:/usr/lib/AntiVir/guard # avscan --allfiles
Error: Failed to connect to Guard daemon
You need to start avguard before using on-demand scans.
You need root-access to do that.
jmorris:/usr/lib/AntiVir/guard # rcavguard start
Starting AVIRA AntiVir Workstation Personal ...
Starting: avguard.bin done
jmorris:/usr/lib/AntiVir/guard # exit
exit
joe@jmorris:~> avscan --allfiles
Warning: quarantine directory /var/spool/amavis/virusmails/ not accessible
Error: Failed to connect to Guard daemon
joe@jmorris:~> su
Password:
jmorris:/home/joe # cd /usr/lib/AntiVir/guard/
jmorris:/usr/lib/AntiVir/guard # chmod 4755 avscan
jmorris:/usr/lib/AntiVir/guard # exit
exit
joe@jmorris:~> avscan --allfiles
Warning: quarantine directory /var/spool/amavis/virusmails/ not accessible
Avira AntiVir Personal (ondemand scanner)
Copyright (C) 2010 by Avira GmbH. All rights reserved.
SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.1.204
VDF-Version: 7.10.5.241 created 20100326
AntiVir license: 0000149996
Info: automatically excluding /sys/ from scan (special fs)
Info: automatically excluding /proc/ from scan (special fs)
Info: automatically excluding /var/lib/ntp/proc/ from scan (special fs)
Info: automatically excluding /var/spool/amavis/virusmails/ from scan (quarantine)
scan progress: directory "/home/joe/"
scan progress: symbolic link "/home/joe/.DCOPserver_jmorris_:0" points to an earmarked file (skipped)
scan progress: inaccessible file "/home/joe/.gvfs" was skipped
------ scan results ------
directories: 1
scanned files: 42
skipped: 76
alerts: 0
suspicious: 0
scan time: 00:00:01
--------------------------
joe@jmorris:~>

Example from the mail log:

Mar 27 17:16:00 jmorris amavis[3856]: (03856-02) (!)run_av (Avira AntiVir) FAILED - unexpected exit 251, output="Error: Failed to connect to Guard daemon"
Mar 27 17:16:00 jmorris amavis[3856]: (03856-02) (!)Avira AntiVir av-scanner FAILED: /usr/bin/avscan unexpected exit 251, output="Error: Failed to connect to Guard daemon" at (eval 111) line 594.

--
Joe Morris
Registered Linux user 231871 running openSUSE 11.1 x86_64
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
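As an added example (not code from Joe's message or from Avira), two small shell checks for the situation described above: whether the scanner binary has been made set-user-ID root, and whether amavis scanner failures like the ones quoted from the mail log are showing up. It assumes POSIX sh with find, awk and sed; the path /usr/lib/AntiVir/guard/avscan is taken from the session above, and the log lines it reads are constructed in the format of the quoted ones.

```sh
#!/bin/sh
# Added example, not code from the thread. Two checks for the situation Joe
# describes: has the scanner binary been made set-user-ID root, and are amavis
# scanner failures showing up in the mail log. Assumes POSIX sh + find/awk/sed.

# is_setuid FILE: succeed if FILE carries the set-user-ID bit (mode 4xxx).
# -prune keeps find from descending if FILE happens to be a directory.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# is_setuid_root FILE: succeed if FILE is set-user-ID *and* owned by root,
# the combination that turns every bug in the binary into a local root issue.
is_setuid_root() {
    is_setuid "$1" && [ -n "$(find "$1" -prune -user root 2>/dev/null)" ]
}

# count_av_failures < LOG: number of amavis "(!)run_av (...) FAILED" lines.
count_av_failures() {
    awk '/\(!\)run_av \(.*\) FAILED/ { n++ } END { print n + 0 }'
}

# av_failure_exit_codes < LOG: distinct "unexpected exit N" codes, one per line.
av_failure_exit_codes() {
    sed -n 's/.*unexpected exit \([0-9][0-9]*\),.*/\1/p' | sort -un
}

# Constructed sample (not real log data) in the format of the lines quoted
# in the message above: two scanner failures plus one unrelated clean pass.
SAMPLE_LOG='Mar 27 17:16:00 jmorris amavis[3856]: (03856-02) (!)run_av (Avira AntiVir) FAILED - unexpected exit 251, output="Error: Failed to connect to Guard daemon"
Mar 27 17:16:00 jmorris amavis[3856]: (03856-02) (!)Avira AntiVir av-scanner FAILED: /usr/bin/avscan unexpected exit 251, output="Error: Failed to connect to Guard daemon"
Mar 27 17:20:31 jmorris amavis[3856]: (03856-03) Passed CLEAN, <a@example.org> -> <b@example.org>, Hits: -1.0
Mar 27 17:25:02 jmorris amavis[3856]: (03856-04) (!)run_av (Avira AntiVir) FAILED - unexpected exit 251, output="Error: Failed to connect to Guard daemon"'

# avcheck_report [FILE]: report on the scanner path from the thread and on the sample log.
avcheck_report() {
    f=${1:-/usr/lib/AntiVir/guard/avscan}
    if is_setuid_root "$f"; then
        echo "$f: set-user-ID root (every flaw in it is a local root issue)"
    else
        echo "$f: not set-user-ID root (or not present on this host)"
    fi
    echo "amavis scanner failures in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_av_failures)"
    echo "exit codes seen: $(printf '%s\n' "$SAMPLE_LOG" | av_failure_exit_codes | tr '\n' ' ')"
}

avcheck_report
```

Feed a real mail log with `count_av_failures < /var/log/mail` to see whether the "Failed to connect to Guard daemon" exits recur after avguard restarts.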
On Saturday, 2010-03-27 at 22:49 -0500, Joe Morris wrote:
> I have been using antivir with amavisd-new for years. Late last year, updates were having a hard time, so I updated it to version 3, and after some work got it running OK (though it required the avguard daemon running). Lately, it has been failing to update, though I found updating via product=Scanner would work. Figuring I may need to update soon, I downloaded the latest, 3.1.3.4.
I'm still using an old version:

nimrodel:~ # antivir
AntiVir / Linux Version 2.1.12-261
Copyright (c) 2008 by Avira GmbH. All rights reserved.
VDF version: 7.10.5.116 created 17 Mar 2010
For private, non-commercial use only.
AntiVir license: ****** for Avira AntiVir PersonalEdition Classic

I don't update it often, but it does work - see, I just did:

nimrodel:~ # antivir
AntiVir / Linux Version 2.1.12-263
Copyright (c) 2008 by Avira GmbH. All rights reserved.
VDF version: 7.10.5.241 created 26 Mar 2010

I did have problems around last November; I asked here and the recommendation (Sandy) was to update:

] Subject: Re: [opensuse-security] Has something happened to Avira GmbH? I can't update "antivir".
http://lists.opensuse.org/opensuse-security/2009-11/msg00008.html

Notice that the question about the dazuko kernel module did pop up, but Sandy said that it is not needed. The daemon has to be loaded for use with amavis-new, and it prints a warning "that on-access scanning is not available", which is not a problem for mail scanning.

But as I said, I have not updated the version. I have it working, my needs are very limited, so I avoided some hassles installing something else O:-)

Notice that oS 11.2 brings version 2.1.10-15, older than the above, and it fails to update complaining of "expired key". Perhaps it needs the file /usr/lib/AntiVir/personaledition_classic.key... no, it is something else. Ah, it is the "hbedv.key" key itself, it needs your own registered key, even if it is old. They have disabled the key openSUSE uses because of excess traffic (so says the message). Funny understanding of "free use".

Further info: it needs both hbedv.key and personaledition_classic.key. If the second is missing, it complains that no updates "in DEMO mode".

(I record this here in case it is of use for somebody else - you use a different version)
> After some work, I think I have it working, but have one question. Unlike previous versions, it appears to me that only root can now scan, meaning a user and amavis now fail unless I set the scanning file, avscan, SUID. I am not that comfortable setting a program SUID that would be interacting with possible viruses,
That would worry me a bit. Not because of possible interaction with viruses (unlike biological viruses, with computer viruses there is no danger in touching (reading) them, only in running them), but because any app running as root, and a closed source one at that, is a danger.

But as I don't use your version, I don't have specific help, sorry.

--
Cheers,
Carlos E. R.