I have been using antivir with amavisd-new for years. Late last year,
updates were having a hard time, so I updated it to version 3, and after
some work got it running OK (though it required the avguard daemon to be
running). Lately, it has been failing to update, though I found
updating via product=Scanner would work. Figuring I may need to update
soon, I downloaded the latest, 3.1.3.4. After some work, I think I have
it working, but have one question. Unlike previous versions, it appears
to me that only root can now scan, meaning a user and amavis now fail
unless I set the scanning binary, avscan, SUID. I am not that comfortable
setting a program SUID that would be interacting with possible viruses,
and it is not the default permission. How bad is it to run this SUID?
Does anyone else have any better understanding of the latest antivir? I
believe the below will illustrate my point and findings so far.
jmorris:/home/joe # cd /usr/lib/AntiVir/guard/
jmorris:/usr/lib/AntiVir/guard # chmod 755 avscan
jmorris:/usr/lib/AntiVir/guard # ls -l avscan
-rwxr-xr-x 1 root vscan 2182456 2010-03-26 09:04 avscan
jmorris:/usr/lib/AntiVir/guard # avscan --allfiles
Avira AntiVir Personal (ondemand scanner)
Copyright (C) 2010 by Avira GmbH.
All rights reserved.
SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.1.204
VDF-Version: 7.10.5.241 created 20100326
AntiVir license: 0000149996
Info: automatically excluding /sys/ from scan (special fs)
Info: automatically excluding /proc/ from scan (special fs)
Info: automatically excluding /var/spool/amavis/virusmails/ from scan (quarantine)
scan progress: directory "/usr/lib/AntiVir/guard/"
scan progress: symbolic link "/usr/lib/AntiVir/guard/libdazuko.so" points to an earmarked file (skipped)
------ scan results ------
directories: 1
scanned files: 97
skipped: 3
alerts: 0
suspicious: 0
scan time: 00:00:01
--------------------------
jmorris:/usr/lib/AntiVir/guard # rcavguard stop
Stopping AVIRA AntiVir Workstation Personal ...
Stopping: avguard.bin
done
jmorris:/usr/lib/AntiVir/guard # avscan --allfiles
Error: Failed to connect to Guard daemon
You need to start avguard before using on-demand scans.
You need root-access to do that.
jmorris:/usr/lib/AntiVir/guard # rcavguard start
Starting AVIRA AntiVir Workstation Personal ...
Starting: avguard.bin
done
jmorris:/usr/lib/AntiVir/guard # exit
exit
joe@jmorris:~> avscan --allfiles
Warning: quarantine directory /var/spool/amavis/virusmails/ not accessible
Error: Failed to connect to Guard daemon
joe@jmorris:~> su
Password:
jmorris:/home/joe # cd /usr/lib/AntiVir/guard/
jmorris:/usr/lib/AntiVir/guard # chmod 4755 avscan
jmorris:/usr/lib/AntiVir/guard # exit
exit
joe@jmorris:~> avscan --allfiles
Warning: quarantine directory /var/spool/amavis/virusmails/ not accessible
Avira AntiVir Personal (ondemand scanner)
Copyright (C) 2010 by Avira GmbH.
All rights reserved.
SAVAPI-Version: 3.1.1.8, AVE-Version: 8.2.1.204
VDF-Version: 7.10.5.241 created 20100326
AntiVir license: 0000149996
Info: automatically excluding /sys/ from scan (special fs)
Info: automatically excluding /proc/ from scan (special fs)
Info: automatically excluding /var/lib/ntp/proc/ from scan (special fs)
Info: automatically excluding /var/spool/amavis/virusmails/ from scan (quarantine)
scan progress: directory "/home/joe/"
scan progress: symbolic link "/home/joe/.DCOPserver_jmorris_:0" points to an earmarked file (skipped)
scan progress: inaccessible file "/home/joe/.gvfs" was skipped
------ scan results ------
directories: 1
scanned files: 42
skipped: 76
alerts: 0
suspicious: 0
scan time: 00:00:01
--------------------------
joe@jmorris:~>
Example from the mail log:
Mar 27 17:16:00 jmorris amavis[3856]: (03856-02) (!)run_av (Avira AntiVir) FAILED - unexpected exit 251, output="Error: Failed to connect to Guard daemon"
Mar 27 17:16:00 jmorris amavis[3856]: (03856-02) (!)Avira AntiVir av-scanner FAILED: /usr/bin/avscan unexpected exit 251, output="Error: Failed to connect to Guard daemon" at (eval 111) line 594.
--
Joe Morris
Registered Linux user 231871 running openSUSE 11.1 x86_64
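The following is an added example, not code from the original post or from Avira. It addresses the question of how bad a SUID avscan is by measuring how widely a setuid binary is exposed and by narrowing a world-executable one to its group only, which is the smallest change that keeps the poster's setup working: the `ls -l` output above shows avscan owned by root with group vscan, and it is assumed here that the amavis user is a member of vscan. It assumes GNU coreutils `stat` (Linux) and operates on a constructed temporary file rather than the real path.

```shell
#!/bin/sh
# Added example, not from the original post or from Avira.
# Classifies how widely a setuid binary is exposed and restricts a
# world-executable setuid file to its group. Assumes GNU coreutils `stat`.

# setuid_exposure FILE
# Prints "FILE owner=.. group=.. mode=.. exposure=.." where exposure is
# none (no setuid bit), world (any local user can run it as the owner),
# group (only members of the file's group), or owner (only the owner).
setuid_exposure() {
    f="$1"
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 2; }
    mode=$(stat -c '%a' "$f")          # octal, e.g. 4755 or 755
    owner=$(stat -c '%U' "$f")
    group=$(stat -c '%G' "$f")
    case "$mode" in
        ???)  mode="0$mode" ;;         # no special bits: pad to four digits
        ????) ;;
        *)    echo "$f: unexpected mode $mode" >&2; return 2 ;;
    esac
    special=${mode%???}                # 4 = setuid, 2 = setgid, 1 = sticky
    perms=${mode#?}                    # the three rwx digits
    o=${perms#??}                      # "other" digit
    g=${perms%?}; g=${g#?}             # "group" digit
    if [ $((special & 4)) -eq 0 ]; then
        exposure=none
    elif [ $((o & 1)) -ne 0 ]; then
        exposure=world                 # every local account runs it as $owner
    elif [ $((g & 1)) -ne 0 ]; then
        exposure=group                 # only members of $group
    else
        exposure=owner                 # setuid bit is present but pointless
    fi
    echo "$f owner=$owner group=$group mode=$mode exposure=$exposure"
}

# exposure_of FILE -> only the exposure word, for use in scripts
exposure_of() {
    setuid_exposure "$1" | sed 's/.*exposure=//'
}

# restrict_setuid_to_group FILE
# Keeps the setuid bit but drops all "other" bits (4755 -> 4750), so only the
# file's group (vscan in the post) can execute it. Does not chown: owner and
# group must already be correct, as root:vscan is in the post's listing.
restrict_setuid_to_group() {
    f="$1"
    chmod o-rwx "$f" || return 1
    exposure_of "$f"
}

# Demonstration on a constructed temp file standing in for
# /usr/lib/AntiVir/guard/avscan; prints exposure before and after.
demo() {
    d=$(mktemp -d)
    : > "$d/avscan"
    chmod 4755 "$d/avscan"             # what the poster did
    setuid_exposure "$d/avscan"
    restrict_setuid_to_group "$d/avscan"
    setuid_exposure "$d/avscan"
    rm -rf "$d"
}

demo
```

Running it on the real binary (`setuid_exposure /usr/lib/AntiVir/guard/avscan`) shows that the poster's 4755 gives exposure=world, i.e. every local account, not just amavis, can drive a root-privileged scanner over attacker-chosen files. Going to 4750 with group vscan keeps amavis working while confining that exposure to one group; it does not remove the risk of a parser bug in a root-privileged scanner, which is the part of the question only the vendor can answer.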