LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Eric Thomas <[log in to unmask]>
Thu, 5 Sep 2002 01:47:05 +0200
Since the AV feature is still relatively new, I'll start by saying that FSAV for Linux is version 4 vs version 5 on Windows, and that the interface between LISTSERV and FSAV is completely different. So, any problems you encounter on Linux are likely to be very different from the problems encountered on Windows, and vice-versa. Another major difference is that you have to be very careful about file permissions and paths with the Linux version (remember that LISTSERV is not root). Finally, there is only one scanning engine on Linux vs three on Windows, so I assume that there will now and then be a virus that goes through on Linux but is blocked on Windows. I am not saying this is the explanation here, this is merely a general introductory comment for the record.

> 1.  Sometimes, but not often, the web interface has the F-Secure icon on
>     the bottom banner, but often or most of the time it does not.

This probably means that LISTSERV did not correctly detect F-Secure at startup. Send a RELEASE command when the icon is missing to see if F-Secure is mentioned. Note that you will need to restart LISTSERV after fixing the condition that prevented F-Secure from being detected - LISTSERV will only look once at startup, because it is an expensive process.

LISTSERV looks for FSAV by issuing the command "command fsav --version" and examining the result. If for any reason this command fails, or does not return the expected result, anti-virus support will be disabled. It could be that the output varies in a way that was not foreseen.

> 2.  I'm pretty sure that viruses are sometimes getting through and
>     sometimes being stopped.

This would make sense if LISTSERV sometimes thinks FSAV is not installed.

> 3.  I added AVFILTER=1 and ANTI_VIRUS="YES" to go.user and now I
>     *always* see the F-Secure icon on the web interface bottom banner. I
>     don't think this affected point #2.

I assume you mean ANTI_VIRUS=1. This forces LISTSERV to assume that FSAV is present. Although it will bypass the initial check, AV support can still fail if, for instance, the executables are not in the path. The main purpose of the ANTI_VIRUS option is to disable AV support on a system where FSAV is installed.

If you have a condition where, for any reason, the 'fsav' command fails now and then, you will inevitably have some files getting through without being scanned. Unless the FORCE option is used (this is available for DISTRIBUTE jobs only), a failure in the AV scanner lets the message through. Bear in mind that AV scanners use heuristics and that some heuristics have a built-in timeout system, because they can potentially go on for a very long time. Sometimes the AV scanner just gives up. There is a risk that the file does contain a virus, but with heuristics scanning this risk always exists. At least there is not a virus matching a known signature.

Anyway, I suspect that the 'fsav' command fails now and then for some unknown reason. I suggest writing a process that runs it every 5 seconds or so and appends the output to a file which you can examine daily.

> I have an idea that the problem was related to installing FSAV & 1.8e just
> days before our maintenance key expired (it seemed to work perfectly until
> the key expired.  Once we entered the new (valid) key, this "intermittent
> thing" seems to be happening.

The key will disable AV support when it expires, and this cannot be overridden. It is such a clear yes-or-no effect that I doubt it has any bearing on problem #2. On the other hand, the database could have been updated at about the same time with some new heuristics or other that can occasionally cause an error in the 'fsav' command. I am only speculating, but many changes in AV behaviour are due to changes in the AV database.

  Eric
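
The periodic probe suggested in the message above, as an added example that is not part of the original post or of LISTSERV. It runs the detection command quoted in the message and logs the exit status and output of every run; the `FSAV_PROBE_*` names and the log path are assumptions. Run it under the account LISTSERV runs as, so that the path and file permissions match.

```shell
#!/bin/sh
# Added example, not from the original message. All FSAV_PROBE_* names
# and the default log location are assumptions made for this sketch.
FSAV_PROBE_CMD=${FSAV_PROBE_CMD:-"command fsav --version"}
FSAV_PROBE_LOG=${FSAV_PROBE_LOG:-"$HOME/fsav-probe.log"}
FSAV_PROBE_INTERVAL=${FSAV_PROBE_INTERVAL:-5}

# Run the probe once and append one record (header line plus indented
# output) to the log. Returns the probe's own exit status.
probe_once() {
    ts=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
    # stderr is captured too: path and permission errors are reported there.
    out=$(sh -c "$FSAV_PROBE_CMD" 2>&1) && rc=0 || rc=$?
    {
        # len=0 with rc=0 is worth a look as well: the command "worked"
        # but returned nothing a caller could recognise.
        printf '%s rc=%s len=%s\n' "$ts" "$rc" "${#out}"
        printf '%s\n' "$out" | sed 's/^/    /'
    } >> "$FSAV_PROBE_LOG"
    return "$rc"
}

# Print the number of logged runs that ended with a non-zero exit status.
probe_failures() {
    awk '/^[0-9].* rc=[1-9]/ { n++ } END { print n + 0 }' "$FSAV_PROBE_LOG"
}

# Probe every FSAV_PROBE_INTERVAL seconds; $1 caps the runs (0 = no cap).
probe_loop() {
    max=${1:-0}
    n=0
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        probe_once || :          # a failed probe is logged, not fatal
        n=$((n + 1))
        sleep "$FSAV_PROBE_INTERVAL"
    done
}

# Start the loop only when asked to, e.g.:  sh fsav-probe.sh run
if [ "${1:-}" = run ]; then
    probe_loop "${2:-0}"
fi
```

For the daily check, `probe_failures` gives the count and the `rc=` header lines give the times, which can be compared with the arrival times of messages that got through unscanned.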
