Mcafee 8.0 and MTA won't work

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Hi all

I have already set up F-prot, ClamWin and eTrust so I know how the MTA and the AV-scanners are working :-)

But I simply cannot get McAfee 8.0 to return any code that the MTA will respond to and delete the virus file. I have tried all the options, but the "test settings" function keeps on saying that the settings are not working. Therefore, I have just set it up to delete the file when the virus is found:

Code:

C:\Program Files\Network Associates\VirusScan\csscan.exe 

"[AGENT]" /target "[FILENAME]" /analyse /multiext /allapps /unzip /archive /mime /primary delete

Nevertheless, I would very much like to have the MTA doing the deleting. Can somebody help me?

MailEnable
Site Admin
Posts: 4441
Joined: Tue Jun 25, 2002 3:03 am
Location: Melbourne, Victoria Australia

Post by MailEnable »

Place the eicar file in a directory on your machine and then use the McAfee cmd line scanner configured with the options to delete the file (from the windows command prompt).

Once you get this working, then try similar params to the scanner (as you probably have already done).

Then run the MTA in debug mode (see kb search for debug mode) and then you should see where any issues are occurring when sending through the eicar test virus.
Regards, Andrew

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

I do not use that scanner, I use "Scan.exe" which is in the directory

"C:\Program Files\Common Files\Network Associates\Engine"

And this seems to do the trick.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

Hi MartynK and Mail Enable

Here are the standard settings:

Code:

C:\Program Files\McAfee\scan.exe

"[AGENT]" "[FILENAME]" /ALL /ANALYSE /NOBOOT /NOMEM /UNZIP /SILENT

Which are different from the settings I have to use in order to get anything deleted:

Code:

C:\Program Files\Network Associates\VirusScan\csscan.exe

"[AGENT]" /target "[FILENAME]" /analyse /multiext /allapps /unzip /archive /mime /primary delete

I know that one is not to let the virus scanner do the deleting "on the scene", but instead let it return a code, which the MTA responds to (and does the deleting). But in order to delete any virus files (because the scanner isn't returning any codes other than "0"), I have inserted the "/primary delete" parameter.

The different parameters in McAfee Enterprise 8.0i are:

Code:

C:\Program Files\Network Associates\VirusScan>csscan

Required switches
=================

    /TARGET  <target>               object to scan

      target can be
            a file or directory name        : scan file or directory
            MEMORY                          : scan memory
            A, B etc.                       : scan a bootsector
            0, 1 etc.                       : scan an MBR

            EXTLIST                         : don't scan anything. Print extension lists from DATS.
            VIRLIST                         : don't scan anything. Print viruslist including application catagories.
            APPLIST                         : don't scan anything. Print list of only application detections


Optional switches  (Misc)
=========================

    /?  /HELP              Show this text.
    /ENGDATS <dir>         Directory to find engine & DATS      (default : read location from registry)
    /PID <productid>       Product ID to pass to engine         (default : 12013)


Optional switches  (Detection)
==============================

    /JUSTLISTSTREAMS       No scanning,  just print names of streams that file contains.

    /MANALYSE              Turn on macro heuristics             (default : OFF)
    /PANALYSE              Turn on program heuristics           (default : OFF)
    /ANALYSE               Turn on both heuristics              (default : OFF)

    /MULTIEXT              Turn on multiple extension heuristic (default : OFF)

    /SERVER                Turn on the server switch            (default : OFF)

    /DEFAULTFILES          Scan extensions from the DATS        (default : scan all files)

    /SPYWARE               Detect spyware                       (default : OFF)
    /ADWARE                Detect adware                        (default : OFF)
    /REMADMIN              Detect remote administration tools   (default : OFF)
    /DIALERS               Detect dialers                       (default : OFF)
    /PWCRACK               Detect password crackers             (default : OFF)
    /JOKES                 Detect jokes                         (default : OFF)
    /PUA                   Detect potentially unwanted apps     (default : OFF)

    /ALLAPPS               All the spyware, adware, etc.        (default : OFF)
    /NEXCLUDE <name,name>  Exclude virusnames from detection    (default : None)

    /DETECT   <name,name>  Treat filenames as detections        (default : None)

                           "detected as" will be the filename

    /APPLYNVP              Apply Non-Virus Policy.              (default : OFF)
                           This can be used to read the NVP policy from the registry
                           instead of specifing /SPYWARE etc, /NEXCLUDE and /DETECT


    /UNZIP                 Scan in archives                     (default : OFF)
    /ARCHIVE               Scan in archives                     (default : OFF)
    /NOUNPACK              Don't scan in compressed files       (default : Scan compressed files)
    /MIME                  Scan in mime files                   (default : OFF)

    /SUB                   Scan in subdirectories               (default : OFF)

    /SECURE                /ANALYSE /UNZIP /ALLAPPS /SUB

Optional switches  (Actions)
============================


    /PRIMARY      <action> Sets the primary action for viruses  (default : CONTINUE)
    /SECONDARY    <action> Sets the primary action for viruses  (default : CONTINUE)
    /PRIMARYAPP   <action> Sets the primary action for apps     (default : CONTINUE)
    /SECONDARYAPP <action> Sets the primary action for apps     (default : CONTINUE)

        <Action> can be CONTINUE
                        CLEAN       (not for secondary)
                        DELETE
                        MOVE
                        PROMPT      (for testing,  see the /PROMPT switch)

    /PROMPT  <string>      Sets the order in which the
                           prompt code will return actions      (default : "")

        Actions are C=Clean, D=Delete, M=Move.

        When end of the end of the string or an unrecognised character is reached then continue will be returned
        So to simulate a user pressing Clean then, if necessary, Move then Continue do

        /ACTION PROMPT /PROMPT CM


    /MOVEDIR <dir>         Sets the move directory              (default : none)



    /CLEAN                 Shortcut for /PRIMARY CLEAN  /SECONDARY CONTINUE /PRIMARYAPP CLEAN  /SECONDARYAPP CONTINUE
    /DELETE                Shortcut for /PRIMARY DELETE /SECONDARY CONTINUE /PRIMARYAPP DELETE /SECONDARYAPP CONTINUE
    /MOVE                  Shortcut for /PRIMARY MOVE   /SECONDARY CONTINUE /PRIMARYAPP MOVE   /SECONDARYAPP CONTINUE
            (Still need to do /MOVEDIR)


Optional switches  (Output)
===========================

    /LOG <filename>        Name of file to log to               (default : no logging)
    /LOUD                  Show all scan results                (default : OFF)
    /QUIET                 No progress display                  (default : OFF)

    /ALERT                 Alert to ePO and AM                  (default : OFF)
    /EPODIR <dir>          For testing : Force creation of
                           event files to specified directory
                           even if ePO agent isn't installed    (default : none)



    /TIMES <filename>      Log of time to scan each file/dir    (default : none)

C:\Program Files\Network Associates\VirusScan>

I have no folder called "Engine". Take a look:

Code:

C:\Program Files\Network Associates\VirusScan>dir *.
 Volume in drive C has no label.
 Volume Serial Number is 6408-4AB4

 Directory of C:\Program Files\Network Associates\VirusScan

24-05-2005  08:30    <DIR>          .
24-05-2005  08:30    <DIR>          ..
24-05-2005  08:29    <DIR>          MID
24-05-2005  08:30    <DIR>          RepairCache
24-05-2005  08:29    <DIR>          Res09
               0 File(s)              0 bytes
               5 Dir(s)  118.897.074.176 bytes free

C:\Program Files\Network Associates\VirusScan>

I just downloaded: "McAfee VirusScan Enterprise 8.0i" at:

Code:

http://www.mcafeesecurity.com/us/downloads/evals/

The MTA is saying the following when I use:

Code:

"[AGENT]" /target "[FILENAME]" /analyse /multiext /allapps /unzip /archive /mime

Debug:

Code:

C:\Program Files\Mail Enable\bin>memta -debug
Debugging MailEnable Mail Transfer Agent.
****************************************************************************
*                                                                          *
* MailEnable Mail Transfer Agent (Version 1.0.02)                          *
* Copyright (C) Andrew Sproul, Peter Fregon 2001-2004.                     *
*                                                                          *
****************************************************************************

Loaded 5 Filters
Bayesian Filter Loading Library..
Bayesian Filter - Loading Dictionary..
Bayesian Filter - Loading Complete.
Loading Dictionary...

Dictionary Load Status:
Time Taken: 156 milliseconds
Dictionary Size: 31666 tokens

Dictionary Loaded.
Antivirus Loading Library..
05/24/05 09:31:36 Loaded Plug-In Filter [MTAFILTER]
Reading settings for: LS
Reading settings for: POP
Reading settings for: SF
Reading settings for: SMTP
 Service Starting
 Service Loading Agents
 Cleaning Inbound Directory for List Server Connector
 Resetting Inbound Messages for List Server Connector
 No outgoing message files in queue!
 Cleaning Inbound Directory for POP Connector
 Initalised MTA Connector Collector Thread for List Server Connector
 Resetting Inbound Messages for POP Connector
 No outgoing message files in queue!
 Cleaning Inbound Directory for SF Connector
 Resetting Inbound Messages for SF Connector
 No outgoing message files in queue!
 Cleaning Inbound Directory for SMTP Connector
 Resetting Inbound Messages for SMTP Connector
 Initalised MTA Connector Collector Thread for POP Connector
 Initalised MTA Connector Collector Thread for SF Connector
 No outgoing message files in queue!
 Initalised MTA Connector Collector Thread for SMTP Connector
 Processing file EA4303918BFB470D97DEF0AA5DCEE1.MAI from queue SMTP
05/24/05 09:31:59 [EA4303918BFB470D97DEF0AA5DCEE1.MAI] from (SMTP) [SMTP:xxxxx@xx
xxxx.xxx]->[SF:xxxxx.xxx/xxxx] Mapped Literal
Allocating 5 Results
Processing Message...
Message Size detected as 1858
Attachment (1) Found - Processing
Attachment Processing Completed
Attachment (2) Found - Processing
Attachment Processing Completed
Attachment (3) Found - Processing
Attachment Processing Completed
CommonShell Command Line Scanner
Engine Version : 4400
DAT    Version : 4497

Summary :-
        FilesFound       :        1
        FilesScanned     :        1
        FilesNotScanned  :        0

        ObjectsFound     :        1
        ObjectsInfected  :        0
        ObjectsCleaned   :        0

        FilesInfected    :        0
        FilesCleaned     :        0
        FilesMoved       :        0
        FilesDeleted     :        0

Started at : 09:32:03 24. maj 2005
Ended at   : 09:32:04 24. maj 2005
Duration   : 0 minutes 0 seconds
Returned 0
CommonShell Command Line Scanner
Engine Version : 4400
DAT    Version : 4497
C:\PROGRA~1\MAILEN~1\Scratch\EA4303~1.MAI\2.ATT : contains "Test" called "EICAR
test file"  (No Action Taken )
C:\PROGRA~1\MAILEN~1\Scratch\EA4303~1.MAI\2.ATT : No action taken

Summary :-
        FilesFound       :        1
        FilesScanned     :        1
        FilesNotScanned  :        0

        ObjectsFound     :        1
        ObjectsInfected  :        1
        ObjectsCleaned   :        0

        FilesInfected    :        1
        FilesCleaned     :        0
        FilesMoved       :        0
        FilesDeleted     :        0

Started at : 09:32:04 24. maj 2005
Ended at   : 09:32:04 24. maj 2005
Duration   : 0 minutes 0 seconds
Returned 0
Processing Message Content...
From Found:From: "TESTVIRUS.org" <tester@testvirus.org>

To Found:To: <xxxxxx@xxxxxxxx>

Processing Recipient List of 1 delimiters
Mime Encapsulatation detected
Attachment Found:Content-Type: application/octet-stream; name="eicar.com"

Skipping encoded attachment
Attachment Found:Content-Disposition: attachment; filename="eicar.com"

ProcessFilter:
Releasing 5 Results
 ME-MTA-ROUTE [EA4303918BFB470D97DEF0AA5DCEE1.MAI] from [SMTP] Connector queued
to [SF] Connector as [7BD97C4C4F3548DCA5E7529B1B4239.MAI]

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

It just keeps on returning "0" even though it has found a virus:

See the two return phrases (one with a virus and the other one with no virus - still 0 is returned in both places):

Code:

C:\PROGRA~1\MAILEN~1\Scratch\8939F9~1.MAI\2.ATT : contains "Test" called "EICAR
test file"  (No Action Taken )
C:\PROGRA~1\MAILEN~1\Scratch\8939F9~1.MAI\2.ATT : No action taken

Summary :-
        FilesFound       :        1
        FilesScanned     :        1
        FilesNotScanned  :        0

        ObjectsFound     :        1
        ObjectsInfected  :        1
        ObjectsCleaned   :        0

        FilesInfected    :        1
        FilesCleaned     :        0
        FilesMoved       :        0
        FilesDeleted     :        0

Started at : 10:52:43 24. maj 2005
Ended at   : 10:52:43 24. maj 2005
Duration   : 0 minutes 0 seconds
Returned 0
CommonShell Command Line Scanner
Engine Version : 4400
DAT    Version : 4497
No files found in target directory C:\PROGRA~1\MAILEN~1\Scratch\8939F9~1.MAI\3.A
TT\

Summary :-
        FilesFound       :        0
        FilesScanned     :        0
        FilesNotScanned  :        0

        ObjectsFound     :        0
        ObjectsInfected  :        0
        ObjectsCleaned   :        0

        FilesInfected    :        0
        FilesCleaned     :        0
        FilesMoved       :        0
        FilesDeleted     :        0

Started at : 10:52:44 24. maj 2005
Ended at   : 10:52:44 24. maj 2005
Duration   : 0 minutes 0 seconds
Returned 0
Processing Message Content...
Mime Encapsulatation detected
From Found:From: "TESTVIRUS.org" <tester@testvirus.org
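
Added example, not part of the original thread and not MailEnable or McAfee code: since csscan.exe reports the infection in its text summary but exits with 0, a small wrapper can read the FilesInfected/ObjectsInfected counters and supply the non-zero exit code itself. Assumptions: the MTA is pointed at this wrapper instead of csscan.exe, INFECTED_EXIT is whatever non-zero value the MTA is set to treat as a detection, and the sample text is a shortened excerpt of the debug output quoted above.

```python
import re
import subprocess
import sys

# Scanner path and switches are the ones quoted in the thread.
CSSCAN = r"C:\Program Files\Network Associates\VirusScan\csscan.exe"
SWITCHES = ["/analyse", "/multiext", "/allapps", "/unzip", "/archive", "/mime"]
# Assumption: the non-zero value the MTA is set to treat as "virus found".
INFECTED_EXIT = 1
# Shortened excerpts of the csscan summaries shown in the thread.
SAMPLE_INFECTED = """Summary :-
        FilesScanned     :        1
        ObjectsInfected  :        1
        FilesInfected    :        1
"""
SAMPLE_CLEAN = """Summary :-
        FilesScanned     :        0
        ObjectsInfected  :        0
        FilesInfected    :        0
"""

COUNTER = re.compile(r"^[ \t]*(\w+)[ \t]*:[ \t]*(\d+)[ \t]*$", re.MULTILINE)


def parse_summary(output):
    """Return the counters printed after 'Summary :-' as a dict of ints."""
    _, marker, tail = output.partition("Summary :-")
    if not marker:
        return {}
    return {name: int(value) for name, value in COUNTER.findall(tail)}


def verdict(scanner_exit, output):
    """Exit code the wrapper should hand back to the MTA."""
    if scanner_exit != 0:
        return scanner_exit          # the scanner already signalled something
    counters = parse_summary(output)
    infected = [counters.get(k) for k in ("FilesInfected", "ObjectsInfected")]
    if None in infected or any(infected):
        return INFECTED_EXIT         # infected, or no summary to trust (fail closed)
    return 0


def main(argv):
    if len(argv) != 2:               # expects exactly one argument: the file to scan
        return INFECTED_EXIT
    proc = subprocess.run([CSSCAN, "/target", argv[1], *SWITCHES],
                          capture_output=True, text=True)
    sys.stdout.write(proc.stdout)    # keep the scanner text visible in the MTA debug log
    return verdict(proc.returncode, proc.stdout)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```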

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Is this using the "Scan.exe" program as I specified?

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

No, it is using:

Code:

C:\Program Files\Network Associates\VirusScan\csscan.exe

There is no scan.exe-file.

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Have you got the "Common files" folder like I said in the previous post?

If you have not then we are using different versions of the software and you will not be able to get it to work. I had the same problems as you until I found scan.exe, and it solved everything.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

I have no "Common files"-folder or the like, but I have found scan.exe!

It is actually not a part of McAfee 8.0i Enterprise, but it is a part of McAfee Command Line Scanners 4.40, which is downloaded separately at: http://www.mcafeesecurity.com/us/downloads/evals/

Very well, now I have the right scanner, but how do we get this old DOS version to update its anti-virus files? What did you do?

MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

Well, it is part of my McAfee 8.0i Enterprise as that is all I have installed on my machine. I know you can get it as part of the command line scanners, but mine was installed with 8.0i Ent.

The command line scanners you refer to, I do not think are the ones to use.

I just use the standard McAfee Ent update routines that update everything that is installed on my machine, both the command line and real-time scanners.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »


MartynK
Posts: 1376
Joined: Sat Dec 28, 2002 1:12 am
Location: Hong Kong

Post by MartynK »

No, I downloaded it after paying for it from their secure site.

As far as I know, that is the only way you can get it.

zeusdk
Posts: 99
Joined: Thu Dec 09, 2004 7:09 pm

Post by zeusdk »

I just downloaded it from the given url. The trial lasts for 90 days! :-)

I will look into the difference between the trial and the real version.

WimVM
Posts: 28
Joined: Fri May 25, 2007 9:56 am

Post by WimVM »

Did you solve this issue? I also don't have a scan.exe, only scan32 and csscan. None of them seems to work with MailEnable.

crnunez
Posts: 213
Joined: Sun Jan 25, 2004 8:26 pm

Post by crnunez »

Does anyone have a solution for this issue?

Thanks!
Regards,
Robert N.
Zona Hosting - Hosting and Professional Internet Services.
