Avast and invalid response from scanner
Hi list!

I see very often this message in exim paniclog:

malware acl condition: avast /var/run/avast/scan.sock : invalid
response from scanner: 'SCAN
/var/spool/exim4/scan/1ew39J-0002Qa-4m/1ew39J-0002Qa-4m-00004|>somefile
[E]1.0 Error 42110 The\ file\ is\ a\ decompression\ bomb'

It seems that I cannot disable this warning in Avast and I didn't
find any option in Exim to disable it.
Can someone help me?

Thanks
Luca Bertoncello
(lucabert@lucabert.de)


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Avast and invalid response from scanner
Luca Bertoncello via Exim-users <exim-users@exim.org> (Wed 14 Mar 2018 11:03:19 CET):
> Hi list!
>
> I see very often this message in exim paniclog:
>
> malware acl condition: avast /var/run/avast/scan.sock : invalid response
> from scanner: 'SCAN
> /var/spool/exim4/scan/1ew39J-0002Qa-4m/1ew39J-0002Qa-4m-00004|>somefile
> [E]1.0 Error 42110 The\ file\ is\ a\ decompression\ bomb'

This should result in a defer.

> It seems that I cannot disable this warning in Avast and I didn't find any
> option in Exim to disable it.
> Can someone help me?

The current implementation is quite simple and can't deal well with the
multiline responses from avast.

But … even with my fix (which gives Exim compatibility with the
Avast multiline protocol) the message would make it to your logs.

Currently I haven't decided yet how to handle such errors from Avast. As
it doesn't seem to be an operational error (like permission denied, …)

If Exim sees an error from the Avast scanner, it defers the message.

Best regards from Dresden/Germany
Greetings from Dresden
Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
gnupg encrypted messages are welcome --------------- key ID: F69376CE -
! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -
Re: Avast and invalid response from scanner
Quoting Heiko Schlittermann via Exim-users <exim-users@exim.org>:

Hello Heiko

> This should result in a defer.

I added /defer_ok to solve this problem, but of course the paniclog
will always receive these errors...

>> It seems that I cannot disable this warning in Avast and I didn't find any
>> option in Exim to disable it.
>> Can someone help me?
>
> The current implementation is quite simple and can't deal well with the
> multiline responses from avast.
>
> But … even with my fix (which gives Exim compatibility with the
> Avast multiline protocol) the message would make it to your logs.
>
> Currently I haven't decided yet how to handle such errors from Avast. As
> it doesn't seem to be an operational error (like permission denied, …)

I solved my problem by just configuring the E4BCD_PANICLOG_NOISE
variable in /etc/cron.daily/exim4-base so that these errors will not
be reported anymore.
Ugly solution, but a solution...

Regards
Luca Bertoncello
(lucabert@lucabert.de)


Re: Avast and invalid response from scanner
Luca Bertoncello via Exim-users <exim-users@exim.org> (Wed 14 Mar 2018 15:11:04 CET):
> I added /defer_ok to solve this problem, but of course the paniclog will
> always receive these errors...

I'm not sure if defer_ok is the right way, unless you agree with
getting messages with zip bombs (in your case).

As it is not very clear to me, which conditions lead to an error
reported by Avast, I decided to interpret Avast errors as "please, try
later, I ran into a problem".

I'll rethink whether these messages need to go to the panic log, as it's no
panic at all.

@JGH: What do you think? If the scanner engine returns an error, I'd
tend to see this as a normal "defer", not as a reason to log this as a
panic condition, as Exim is still operational.

--
Heiko
Re: Avast and invalid response from scanner
Heiko Schlittermann via Exim-users <exim-users@exim.org> wrote:

> I'm not sure if defer_ok is the right way, unless you agree with
> getting messages with zip bombs (in your case).

Since we have 2 other Antivirus, I think, this is OK... ;)

Regards
Luca Bertoncello
(lucabert@lucabert.de)
Re: Avast and invalid response from scanner
On 14/03/18 16:30, Heiko Schlittermann via Exim-users wrote:
> Luca Bertoncello via Exim-users <exim-users@exim.org> (Wed 14 Mar 2018 15:11:04 CET):
>> I added /defer_ok to solve this problem, but of course the paniclog will
>> always receive these errors...
>
> I'm not sure if defer_ok is the right way, unless you agree with
> getting messages with zip bombs (in your case).
>
> As it is not very clear to me, which conditions lead to an error
> reported by Avast, I decided to interpret Avast errors as "please, try
> later, I ran into a problem".
>
> I'll rethink whether these messages need to go to the panic log, as it's no
> panic at all.
>
> @JGH: What do you think? If the scanner engine returns an error, I'd
> tend to see this as a normal "defer", not as a reason to log this as a
> panic condition, as Exim is still operational.

In general I'd say yes; defer.

But specifically for this error, it will repeat every time (the content
won't change, so Avast will still say "I'm not prepared to deal with
this") - so we'll take temp-errors until the source times out.
This could be regarded as suboptimal, even though not incorrect.

If we can identify the specific problem from the Avast protocol
I'd suggest a hard-error result would be preferable. But only if.
--
Cheers,
Jeremy
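
The policy discussed in this thread (defer on scanner errors in general, fail hard only when the response identifies a condition that repeats on every retry), as an added example that is not Exim's code and not part of any post above. The function and enum names are hypothetical, and it assumes tab-separated fields with backslash-escaped whitespace inside a field, as the quoted error text suggests; treating code 42110 as permanent is a local policy choice.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum av_verdict { AV_OTHER, AV_DEFER, AV_REJECT };   /* hypothetical names */
enum { NOT_AN_ERROR = -2, NO_CODE = -1 };
/* 42110 is the code quoted in the thread; "permanent" is a policy assumption. */
static const long permanent_codes[] = { 42110 };
/* Result line from the thread; tab field separators are assumed. */
static const char SAMPLE_LINE[] =
    "SCAN /var/spool/exim4/scan/1ew39J-0002Qa-4m/1ew39J-0002Qa-4m-00004"
    "|>somefile\t[E]1.0\tError 42110 The\\ file\\ is\\ a\\ decompression\\ bomb";

/* Advance to the next field. Backslash-escaped whitespace stays inside the
   current field, so a crafted file name cannot fake a status field. */
static const char *next_field(const char *p) {
    while (*p && !isspace((unsigned char)*p)) {
        if (*p == '\\' && p[1]) p++;   /* step over the escaped character */
        p++;
    }
    while (isspace((unsigned char)*p)) p++;
    return p;
}

/* Error code of a "SCAN <path> [E]<ver> Error <code> <text>" result line. */
long avast_error_code(const char *line) {
    if (strncmp(line, "SCAN ", 5) != 0) return NOT_AN_ERROR;
    const char *p = next_field(line + 5);               /* status field */
    if (strncmp(p, "[E]", 3) != 0) return NOT_AN_ERROR;
    p = next_field(p);                                  /* "Error" keyword */
    if (strncmp(p, "Error", 5) != 0) return NO_CODE;
    p = next_field(p);                                  /* numeric code */
    char *end;
    long code = strtol(p, &end, 10);
    return (end == p || code < 0) ? NO_CODE : code;
}

enum av_verdict classify_avast_line(const char *line) {
    long code = avast_error_code(line);
    if (code == NOT_AN_ERROR) return AV_OTHER;
    for (size_t i = 0; i < sizeof permanent_codes / sizeof *permanent_codes; i++)
        if (code == permanent_codes[i]) return AV_REJECT;
    return AV_DEFER;   /* unknown or unparsable error: temporary failure */
}

int main(void) {
    printf("%d %ld\n", classify_avast_line(SAMPLE_LINE), avast_error_code(SAMPLE_LINE));
    return 0;
}
```

An error result whose code is not on the list, or cannot be parsed, still maps to a temporary failure, so an unrecognised scanner error never lets a message through unscanned.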

