failure of all virus scanners

Ralf Hildebrandt Ralf.Hildebrandt at charite.de
Fri Jun 17 15:05:04 CEST 2011


* Mark Martinec <Mark.Martinec+amavis at ijs.si>:
> Ralf,
> 
> > > > I want to catch the case of a virus pattern update gone wrong -- right
> > > > now all the mails pass unchecked, I'd rather tempfail them.
> > >   $virus_scanners_failure_is_fatal = 1;
> 
> > Yes, killing all virus scanners causes a tempfail now, wonderful.
> > 
> > But does this patch indeed differentiate between "unscannable content"
> > and "couldn't scan at all"? Sorry, my perl fu is not strong :)
> 
> It reverts to the previous behaviour when the setting is true:
> if virus scanning is enabled (i.e. at least one scanner is present) and
> all scanners fail without providing a definite yes/no answer, then
> a 4xx tempfail happens.
> 
> How each virus scanner reacts to "unscannable content" depends on
> each scanner. Amavis catches fatal errors (process/socket failures,
> timeouts, crashes), and compares the result against the 4th and 5th
> field in each @av_scanners entry. If no match is found (neither infected
> nor clean), then this scanner is considered to have failed.
> With some scanners it is possible to list "unscannable content"
> status codes as 'success' codes, i.e. in the 4th field.
> 
> So to answer your question on differentiating between "unscannable content"
> and "couldn't scan at all": it's all up to each av scanner entry and how
> the 4th and 5th fields are defined in its entry.

:)

In the end it turned out the avira would choke on a bounce containing
a (truncated!) spam message - the original (spam)mail was truncated after
2048 bytes.

This caused avira to go into an infinite loop, so one thread was
hogging the CPU each time the mail entered the system.

Unfortunately the admin made an error and sent me the defer/queueid
file instead of the deferred/queueid from the upstream host :(

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebrandt at charite.de | http://www.charite.de
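
The decision logic described in the quoted reply, as a simplified Python model added here (it is not amavis code and not from the thread). The status codes 0/1/2, the scanner names and the disposition strings are constructed assumptions; `clean` and `infected` stand in for the 4th and 5th fields of an @av_scanners entry.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scanner:
    name: str
    clean: frozenset      # models the 4th field: statuses meaning "clean"
    infected: frozenset   # models the 5th field: statuses meaning "infected"


def classify(scanner: Scanner, status: Optional[int]) -> str:
    """Map one scanner's raw status to 'clean', 'infected' or 'failed'.

    status is None for a fatal error (process/socket failure, timeout, crash).
    """
    if status is None:
        return "failed"
    if status in scanner.infected:
        return "infected"
    if status in scanner.clean:
        return "clean"
    return "failed"  # matched neither field: no definite yes/no answer


def decide(results: List[Tuple[Scanner, Optional[int]]],
           failure_is_fatal: bool) -> str:
    """Aggregate per-scanner verdicts into a mail disposition."""
    if not results:
        return "pass"  # assumption: no scanners means virus scanning is off
    verdicts = [classify(s, st) for s, st in results]
    if "infected" in verdicts:
        return "infected"
    if "clean" in verdicts:
        return "pass"
    # Every scanner failed: fail closed only when the setting is true.
    return "tempfail-4xx" if failure_is_fatal else "pass-unchecked"


# Constructed scanners: status 2 stands for "unscannable content".
STRICT = Scanner("strict", frozenset({0}), frozenset({1}))
LENIENT = Scanner("lenient", frozenset({0, 2}), frozenset({1}))

if __name__ == "__main__":
    all_failed = [(STRICT, None), (STRICT, 2)]
    print(decide(all_failed, True))                     # fail closed
    print(decide(all_failed, False))                    # mail passes unchecked
    print(decide([(STRICT, None), (LENIENT, 2)], True)) # 2 listed as clean
```

Whether an "unscannable" status counts as a failure or as a clean result depends entirely on which field of the scanner entry lists it, which is why the same status 2 leads to a tempfail with one entry and delivery with the other.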