Using F-Secure Linux Security with fedora & amavis

gossamer
gossamer W/ Alumni Posts: 2 Security Scout

Hi,

I'm trying to implement F-Secure Linux Security version 11.x with amavisd-new on Fedora. I've read that it doesn't work very well with amavisd-new, but that's what we've implemented on the servers in our organization, so I'd like to try.

I've tried using the following:

['F-Secure Antivirus for Linux servers',
['/opt/f-secure/fssp/bin/fsav', 'fsav'],
'--virus-action1=report --archive=yes --auto=yes '.
'--usedaemon --socketname=/tmp/.fsav-0-fsav --dumb=yes --list=no --mime=yes {}', [0], [3,4,6,8],
qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],

Running that same command-line manually results in:

# /opt/f-secure/fssp/bin/fsav --virus-action1=report --archive=yes --auto=yes --usedaemon --dumb=yes --list=no --mime=yes --socketname=/tmp/.fsav-0-fsav /root/macro-virus

EVALUATION VERSION - FULLY FUNCTIONAL - FREE TO USE FOR 30 DAYS.
To purchase license, please check http://www.F-Secure.com/purchase/

F-Secure Anti-Virus CLI version 1.0 build 0060

Connect to fsavd failed: Connection to fsavd failed.

I've also tried without the socketname and usedaemon options and it produces the following error:

Aug 30 03:29:50 alex amavis[733]: (00733-01) (!)run_av (F-Secure Antivirus) FAILED - unexpected exit 1, output="Something wrong in initializing backend. Code:256\nFATAL: Failed to get configuration"
Aug 30 03:29:50 alex amavis[733]: (00733-01) (!)F-Secure Antivirus av-scanner FAILED: /opt/f-secure/fssp/bin/fsav unexpected exit 1, output="Something wrong in initializing backend. Code:256\nFATAL: Failed to get configuration" at (eval 87) line 905.

There are also the following errors in /var/opt/f-secure/fsav/fsoasd.log:

1472664157 | ERROR | 0xf7241b40 | fsoasd/AvJudge.c:0334 | Allowing access on error: '/var/spool/postfix/incoming/7FB5522120'
1472664685 | ERROR | 0xf709bb40 | fsoasd/AvJudge.c:1210 | Session to secondary scanner at /tmp/fsav-postfix/fsavd failed
1472664685 | ERROR | 0xf709bb40 | fsoasd/AvJudge.c:0794 | Error in scanning file '/var/spool/postfix/incoming/4838025B6A': Could not open the file

Any ideas greatly appreciated. I don't fully understand how it should be implemented.

Thanks,

Alex
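The "Connect to fsavd failed" message above is produced before any scanning happens: with `--usedaemon --socketname=...` the CLI only ever talks to whatever is behind that UNIX socket path. The following checker is an added example written for this thread (it is not F-Secure's code and not amavisd-new's); it takes a socket path such as the `/tmp/.fsav-0-fsav` from the post and reports the first reason a connect would fail. The self-check builds the four situations in a temporary directory, so no real scanner daemon is needed to run it.

```python
"""Diagnose why a scanner daemon's UNIX socket is unreachable.

Added example for this thread (not from F-Secure or amavisd-new). The checks
are ordered the way a connect() fails: the path must exist, it must be a
socket node, the caller needs write permission on that node, and a process
must be listening behind it.
"""
import os
import socket
import stat
import tempfile


def diagnose_socket(path: str, timeout: float = 1.0) -> str:
    """Return 'missing', 'not-a-socket', 'no-permission', 'not-listening' or 'ok'."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    # connect() on a UNIX socket requires write permission on the socket node.
    # (os.access always reports True for root, so run this as the amavis user.)
    if not os.access(path, os.W_OK):
        return "no-permission"
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(path)
        except OSError:
            # ECONNREFUSED: the node exists but nobody is listening (stale
            # socket left by a daemon that exited, or daemon not started).
            return "not-listening"
    return "ok"


def run_self_check() -> dict:
    """Construct each situation locally and diagnose it; returns case -> result."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["missing"] = diagnose_socket(os.path.join(d, "absent.sock"))

        plain = os.path.join(d, "plain.txt")          # a regular file, not a socket
        open(plain, "w").close()
        results["plain-file"] = diagnose_socket(plain)

        stale = os.path.join(d, "stale.sock")         # bound once, owner gone
        tmp = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        tmp.bind(stale)
        tmp.close()
        results["stale"] = diagnose_socket(stale)

        live = os.path.join(d, "live.sock")           # a listening daemon
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(live)
        srv.listen(1)
        results["live"] = diagnose_socket(live)
        srv.close()
    return results


if __name__ == "__main__":
    for case, verdict in run_self_check().items():
        print(f"{case:12s} -> {verdict}")
```

Run it as the same user amavisd runs under, because a socket that root can open may still be unreadable for the amavis account; a result of "no-permission" or "not-listening" for the daemon's real socket path is the thing to fix before touching the amavisd.conf entry.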


Comments

  • gossamer
    gossamer W/ Alumni Posts: 2 Security Scout

    Hi, I posted this question a few days ago and no one has responded. Is there no one that can help?

    Is there a more appropriate forum in which I should post my question?

  • adammo
    adammo W/ Alumni Posts: 4 Security Scout

    From the given information, it seems that the connection to the scanner daemon (fsavd) cannot be done properly in your environment.
    There is a possibility that it is caused by missing libraries or system-related issues such as high server load.

    Information about the necessary libraries can be checked from the following pre-installation checklist page.
    There is no information for 'Fedora' because that distribution is not supported by Linux Security version 11.00.

    URL of pre-installation checklist:
    https://community.f-secure.com/t5/Business/Pre-installation-checklist-for-F/ta-p/76128

    Hence, we would recommend that you install and use Linux Security version 11.00 only in the supported Linux environments, which are listed in the release notes below.

    URL of release notes:
    https://download.f-secure.com/corpro/ls/current/fsls-11.00-rtm-release-notes.html

    Related information:
    --------------------------------------------------------------------------------------------------------------------------

    Supported Linux distributions

    The following 32-bit Linux distributions are supported:

        CentOS 6.0-6.7
        Debian 7.0-7.9
        Debian 8.0, 8.1 **
        Oracle Linux 6.6, 6.7 RHCK*
        Red Hat Enterprise Linux 6.0-6.7
        SUSE Linux Enterprise Server 11 SP1, SP3, SP4
        Ubuntu 12.04.(1-5) 14.04.(1-3)

    The following 64-bit (AMD64/EM64T) distributions are supported:

        CentOS 6.0-6.7, 7.0-7.1
        Debian 7.0-7.9
        Debian 8.0, 8.1 **
        Oracle Linux 6.6, 6.7 RHCK *
        Oracle Linux 7.1 UEK
        RHEL 6.0-6.7, 7.0-7.1
        SUSE Linux Enterprise Server 11 SP1, SP3, SP4
        SUSE Linux Enterprise Server 12
        Ubuntu 12.04.(1-5), 14.04.(1-3)

    *) Red Hat compatible kernel (kernel-2.6.32-573.el6)

    **) The on-access scanning is not supported on Debian 8 because the kernel configuration has fanotify disabled by default.
    --------------------------------------------------------------------------------------------------------------------------

    Apart from that, we do not provide any explicit support for the third party applications such as Amavis.
    Due to this, the 'fsav' command line of Linux Security version 11.00 may or may not work for such an implementation.

  • Tetra
    Tetra W/ Alumni Posts: 1 Security Scout

    Is the daemon really listening? Are rights set up correctly? SELinux?

    I'm testing out a Zimbra mailserver setup now that uses amavisd-new, but not the daemon; it calls fsav for each mail.

    It has been running F-Secure 9.20 and I'm checking how to install 11.0 and if there are any changes needed.

    The entry for F-Secure in the amavisd.conf here looks like this:

      ### http://www.f-secure.com/ version 9.14
       ['F-Secure Linux Security',
        ['/opt/f-secure/fsav/bin/fsav', 'fsav'],
        '--virus-action1=report --archive=yes --auto=yes '.
        '--list=no --nomimeerr {}', [0], [3,4,6,8],
        qr/(?:infection|Infected|Suspected|Riskware): (.+)/m ],
        # NOTE: internal archive handling may be switched off by '--archive=no'
        #   to prevent fsav from exiting with status 9 on broken archives

    Making a test file with an eicar virus signature and running the command from the conf file from the command line instead:

    fsav --virus-action1=report --archive=yes --auto=yes --nomimeerr /tmp/eicar

    works:

    # fsav --virus-action1=report --archive=yes --auto=yes --nomimeerr /tmp/eicar
    F-Secure Anti-Virus CLI version 1.0  build 0060
    
    Scan started at Mon Sep 26 11:22:49 2016
    Database version: 2016-09-26_05
    
    /tmp/eicar: Infected: EICAR_Test_File [FSE]
    /tmp/eicar: Infected: EICAR-Test-File (not a virus) [Aquarius]
    
    Scan ended at Mon Sep 26 11:22:50 2016
    1 file scanned
    1 file infected

    And sending it to Zimbra -> amavisd

    /var/log/zimbra.log
    Sep 26 11:00:33 inf-tst-zim01 amavis[27102]: (27102-01) SW0urtz1wlB8(6MP4u-eOSv33) SEND from <admin@inf-tst-zim01.example.net> -> <nobody@example.net>, ENVID=AM.SW0urtz1wlB8.20160926T090033Z@inf-tst-zim01.example.net 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as C1589C0CC7
    Sep 26 11:00:33 inf-tst-zim01 amavis[27102]: (27102-01) Blocked INFECTED (EICAR_Test_File [FSE], EICAR-Test-File (not a virus) [Aquarius]) {DiscardedInternal,Quarantined}, ORIGINATING/MYNETS LOCAL [10.7.50.228]:46266 <root@inf-tst-zim01.example.net> -> <nobody@example.net>, quarantine: virus-quarantine.nrkaogzzy@inf-tst-zim01.example.net, Queue-ID: 3CE1DC0CB4, Message-ID: <20160926090030.3CE1DC0CB4@inf-tst-zim01.example.net>, mail_id: 6MP4u-eOSv33, Hits: -, size: 557, 3531 ms
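Both config entries in this thread end with the same three fields: `[0]` (exit statuses meaning clean), `[3,4,6,8]` (exit statuses meaning infected) and the regex that pulls virus names out of fsav's output. The model below is an added example written for this thread, not amavisd-new's run_av code and not F-Secure's; the decision rule it implements is an assumption about how amavis treats those fields. It replays the outputs quoted in the first post, the amavis log and the EICAR run above (the exit statuses paired with them are assumed), plus the exit-status-9 case that the `--archive=no` comment in the conf warns about, and shows which of them amavis reports as a scanner FAILURE rather than a verdict.

```python
"""Model of how an amavisd-new @av_scanners entry turns an fsav run into a verdict.

Added example for this thread; not amavisd-new's own code and not F-Secure's.
The rule below is an assumption about amavis: a virus name in the output wins,
otherwise a status in the clean list is clean, a status in the infected list is
infected with an unknown name, and any other status is a scanner failure, which
amavis logs as "unexpected exit N".
"""
import re

# The decision-relevant fields of the F-Secure entry quoted in the thread.
CLEAN_STATUS = (0,)
INFECTED_STATUS = (3, 4, 6, 8)
VIRUS_NAME_RE = re.compile(r"(?:infection|Infected|Suspected|Riskware): (.+)", re.M)


def interpret_scan(status, output, clean=CLEAN_STATUS,
                   infected=INFECTED_STATUS, name_re=VIRUS_NAME_RE):
    """Return {'verdict': 'clean'|'infected'|'error', 'names': [...], 'status': int}."""
    names = [n.strip() for n in name_re.findall(output)]
    if names:
        return {"verdict": "infected", "names": names, "status": status}
    if status in clean:
        return {"verdict": "clean", "names": [], "status": status}
    if status in infected:
        # Scanner said infected but printed nothing the regex recognises.
        return {"verdict": "infected", "names": ["UNKNOWN"], "status": status}
    # Neither list matches: the scanner did not run properly, so amavis must
    # not treat the message as clean; it logs run_av ... FAILED instead.
    return {"verdict": "error", "names": [], "status": status,
            "detail": "unexpected exit %d, output=%r" % (status, output)}


# Sample outputs copied from the posts in this thread; exit statuses are assumed.
FSAVD_DOWN = "Connect to fsavd failed: Connection to fsavd failed.\n"
NO_CONFIG = "Something wrong in initializing backend. Code:256\nFATAL: Failed to get configuration"
EICAR_HIT = """F-Secure Anti-Virus CLI version 1.0  build 0060

Scan started at Mon Sep 26 11:22:49 2016
Database version: 2016-09-26_05

/tmp/eicar: Infected: EICAR_Test_File [FSE]
/tmp/eicar: Infected: EICAR-Test-File (not a virus) [Aquarius]

Scan ended at Mon Sep 26 11:22:50 2016
1 file scanned
1 file infected
"""
# Constructed outputs for the remaining two cases.
CLEAN_RUN = "Scan started ...\n1 file scanned\n0 files infected\n"
BROKEN_ARCHIVE = "/tmp/attachment.zip: archive is broken\n"


def walk_through():
    """Run each situation from the thread through the rule; returns case -> result."""
    cases = {
        "daemon unreachable (first post)": (1, FSAVD_DOWN),
        "no configuration (amavis log)": (1, NO_CONFIG),
        "eicar test file (Tetra)": (3, EICAR_HIT),
        "clean file": (0, CLEAN_RUN),
        "broken archive (status 9 note)": (9, BROKEN_ARCHIVE),
    }
    return {case: interpret_scan(st, out) for case, (st, out) in cases.items()}


if __name__ == "__main__":
    for case, result in walk_through().items():
        print(f"{case:34s} -> {result['verdict']:8s} {result['names']}")
```

The two "exit 1" cases are exactly what the first post's amavis log shows: status 1 is in neither list, so amavis reports `run_av (F-Secure Antivirus) FAILED - unexpected exit 1` and falls back to its `$virus_scanners_failed` handling instead of delivering the message as clean. The same happens for status 9 on a damaged archive, which is why the conf comment suggests `--archive=no` when that outcome is not wanted.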

This discussion has been closed.