zerb_at_work

Kaspersky Mail Security 8.0 with amavis fails [In progress]


Hello,

 

I am evaluating Kaspersky Mail Security 8.0 for Linux on a Debian Wheezy system for antivirus checking. The server runs Postfix as the MTA and amavisd-new in a before-queue smtp-filter setup.

 

/etc/amavis/conf.d/15-av_scanners contains:

 

@av_scanners = (
  ### http://www.kaspersky.com/ Kaspersky Security 8.0 for Linux Mail Server
  [ 'Kaspersky Mail Security 8.0 TR for Linux',
    \&ask_daemon, ["nCONTSCAN {}\n", '/var/run/klms/rds_av'],
    qr/\bOK$/m, qr/\bFOUND$/m,
    qr/^.*?: (?!Infected Archive)(.*) FOUND$/m,
  ],
);

 

and

 

@av_scanners_backup = (
  ### http://www.kaspersky.com/
  ['Kaspersky Security 8.0 for Linux Mail Server',
    ['/opt/kaspersky/klms/bin/kavscanner'],
    '-i0 -xn -xp -mn -R -ePASBME {}/*', [0,10,15], [5,20,21,25],
    qr/(?:INFECTED|WARNING|SUSPICION|SUSPICIOUS) (.*)/m,
    sub {chdir('/opt/kaspersky/klms/bin') or die "Can't chdir to kav: $!"},
    sub {chdir($TEMPBASE) or die "Can't chdir back to $TEMPBASE $!"},
  ],
);

 

Kaspersky Mail Security 8.0 has been installed and configured following the Administration Guide for manual integration.

 

# id amavis
uid=106(amavis) gid=110(amavis) groups=110(amavis),111(klusers)
# id kluser
uid=107(kluser) gid=111(klusers) groups=111(klusers),110(amavis)
# getent group amavis
amavis:x:110:kluser
# getent group klusers
klusers:x:111:kluser,amavis

 

Apr 14 17:46:22 ikes19 amavis[3338]: Net::Server: Group Not Defined. Defaulting to EGID '110 110'
Apr 14 17:46:22 ikes19 amavis[3338]: Net::Server: User Not Defined. Defaulting to EUID '106'

 

When mail gets handled by amavis both AV scanner calls fail due to permission problems:

 

Apr 14 17:14:29 ikes19 amavis[4265]: (04265-01) (!)connect to /var/run/klms/rds_av failed, attempt #1: Can't connect to UNIX socket /var/run/klms/rds_av: Permission denied
Apr 14 17:14:29 ikes19 amavis[4265]: (04265-01) Kaspersky Mail Security 8.0 TR for Linux: All attempts (1) failed connecting to /var/run/klms/rds_av, retrying (1)
Apr 14 17:14:30 ikes19 amavis[4265]: (04265-01) (!)connect to /var/run/klms/rds_av failed, attempt #1: Can't connect to UNIX socket /var/run/klms/rds_av: Permission denied
Apr 14 17:14:30 ikes19 amavis[4265]: (04265-01) (!)Kaspersky Mail Security 8.0 TR for Linux: All attempts (1) failed connecting to /var/run/klms/rds_av, retrying (2)
Apr 14 17:14:36 ikes19 amavis[4265]: (04265-01) (!)connect to /var/run/klms/rds_av failed, attempt #1: Can't connect to UNIX socket /var/run/klms/rds_av: Permission denied
Apr 14 17:14:36 ikes19 amavis[4265]: (04265-01) (!)Kaspersky Mail Security 8.0 TR for Linux av-scanner FAILED: run_av error: Too many retries to talk to /var/run/klms/rds_av (All attempts (1) failed connecting to /var/run/klms/rds_av) at (eval 111) line 603.\n
Apr 14 17:14:36 ikes19 amavis[4265]: (04265-01) (!)WARN: all primary virus scanners failed, considering backups
Apr 14 17:14:36 ikes19 amavis[4265]: (04265-01) (!)run_av (Kaspersky Security 8.0 for Linux Mail Server) FAILED - unexpected exit 30, output="Kaspersky Anti-Virus On-Demand Scanner.\nCopyright © Kaspersky Lab, 1997-2012.\nCannot create /var/log/kaspersky/klms/kavscanner.log"
Apr 14 17:14:36 ikes19 amavis[4265]: (04265-01) (!)Kaspersky Security 8.0 for Linux Mail Server av-scanner FAILED: /opt/kaspersky/klms/bin/kavscanner unexpected exit 30, output="Kaspersky Anti-Virus On-Demand Scanner.\nCopyright © Kaspersky Lab, 1997-2012.\nCannot create /var/log/kaspersky/klms/kavscanner.log" at (eval 111) line 899.
Apr 14 17:14:36 ikes19 amavis[4265]: (04265-01) (!!)AV: ALL VIRUS SCANNERS FAILED

 

# ls -ld / /var /var/run /var/run/klms
drwxr-xr-x 24 root root 4096 Mar 27 16:24 /
drwxr-xr-x 11 root root 4096 Mar 27 16:16 /var
lrwxrwxrwx 1 root root 4 Mar 24 16:00 /var/run -> /run
drwxrwx--- 2 kluser klusers 1980 Apr 14 18:25 /var/run/klms
# ls -al /var/run/klms/rds_av
srw-rw---- 1 kluser klusers 0 Apr 14 17:47 /var/run/klms/rds_av

 

Those are the default permissions, and amavis, being part of the klusers group, has full group permissions on /var/run/klms and read+write permissions on the rds_av socket.

 

So why does that fail?

 

# ls -ld / /var /var/log /var/log/kaspersky /var/log/kaspersky/klms
drwxr-xr-x 24 root root 4096 Mar 27 16:24 /
drwxr-xr-x 11 root root 4096 Mar 27 16:16 /var
drwxr-xr-x 8 root root 4096 Apr 14 06:25 /var/log
drwxr-x--- 3 kluser klusers 4096 Mar 27 16:16 /var/log/kaspersky
drwxr-x--- 2 kluser klusers 4096 Apr 14 17:27 /var/log/kaspersky/klms

 

The directory permissions for /var/log/kaspersky/klms are not sufficient for the klusers group to write a new log file kavscanner.log. Failure explained. But it is not sufficient to give the klusers group write permissions on the destination directory. It is necessary to give everyone write and access permissions on the target directory and on /var/log/kaspersky.

 

Then the error regarding the secondary scanner call for kavscanner changes to the following error:

 

Apr 14 18:44:55 ikes19 amavis[3419]: (03419-04) (!)run_av (Kaspersky Security 8.0 for Linux Mail Server) FAILED - unexpected exit 50, output="Kaspersky Anti-Virus On-Demand Scanner.\nCopyright © Kaspersky Lab, 1997-2012.\nCan't connect to facade: /tmp/automate-temp.1391161778.12868/lms-control/lms_utils/source/root_service_locator.cpp:388: EsmRootServiceLocator::Construct\n\rLoading bases error(Engine not ready)"
Apr 14 18:44:55 ikes19 amavis[3419]: (03419-04) (!)Kaspersky Security 8.0 for Linux Mail Server av-scanner FAILED: /opt/kaspersky/klms/bin/kavscanner unexpected exit 50, output="Kaspersky Anti-Virus On-Demand Scanner.\nCopyright © Kaspersky Lab, 1997-2012.\nCan't connect to facade: /tmp/automate-temp.1391161778.12868/lms-control/lms_utils/source/root_service_locator.cpp:388: EsmRootServiceLocator::Construct\n\rLoading bases error(Engine not ready)" at (eval 111) line 899.

 

# ls -al /var/run/klms/facade
srwxr-xr-x 1 kluser klusers 0 Apr 14 17:47 /var/run/klms/facade

 

I would like to avoid the expected ping-pong game (Kaspersky saying amavisd-new is guilty, and amavisd-new pointing to Kaspersky) and hope someone can give a wise hint on what to do. It is not simply a matter of extending the permissions, as that imposes a security dilemma on a malware-scanning system.

 

Thanks in advance for caring.


 

Hello.

 

We have sent a request to the experts regarding your inquiry.

As soon as we have any info from them, we will update the topic.

Thank you!

 

Hi,

 

Please update KLMS to the most recent version and try to reproduce the problem.

 

Please inform us about result.

 

Thanks for your reply.

 

Can you please tell me where to get a more recent version than the one offered on

 

http://www.kaspersky.com/de/downloads/prod...x-mail-security

 

and installed: 8.0.1.705?

 

# dpkg -l klms
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                        Version            Architecture       Description
+++-===========================-==================-==================-===========================================================
ii  klms                        8.0.1-705          i386               Kaspersky Security 8.0 for Linux Mail Server

 

All trouble is based on that version. No previous version had been installed before.

 

Kind regards

 

 


Hello!

Please kindly check your PM for a utility to collect some diagnostic info for us to investigate. Please do not post the collected info on the forum!

Kindly attach it to a new request in your CompanyAccount and let us know your INC number.

Thank you!

 


The problem is not within the AV, rather in Amavis.

Amavisd drops privileges with the Perl POSIX setuid and setgid functions with exactly one UID/GID (defaults to amavis:amavis). If you add amavis to group klusers then you can access the socket from a shell because of UNIX/Linux "multi group" membership. In Perl there is no way to do this (at least not in amavisd), so if you want to use Kaspersky AV with amavis, set the "$daemon_group" variable to "klusers", then restart amavisd-new. It will work.

Edited by Peter Timar

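The puzzle in the first post (the amavis user can reach the socket from a shell, yet the daemon gets "Permission denied", and widening the log directory to the klusers group did not help) and the answer above come down to the same kernel rule: a process is in a file's group only if that group is its effective GID or one of its supplementary groups, and Net::Server's privilege drop leaves amavisd with a single GID (the "Defaulting to EGID '110 110'" line). The following Python is an added example, not code from the thread, from amavisd-new or from Kaspersky. It models the Linux discretionary access check over the uid/gid numbers, owners and modes quoted in the thread (treating /var/run as the directory it links to) and evaluates the three identities under which the amavis user can appear: the interactive shell, the daemon after the default drop, and the daemon with $daemon_group set to klusers.

```python
"""Model of the Linux DAC check that decides whether the amavisd process may
connect to Kaspersky's rds_av socket or create kavscanner.log.

Constructed for this thread: the uid/gid numbers, owners and modes are the
ones quoted in the first post; /var/run is modelled as the directory it links
to, and 'dropped privileges' means one effective GID and no supplementary
groups, which is what the Net::Server log line in the thread describes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Creds:
    """Process credentials as the kernel sees them."""
    uid: int
    gid: int                          # effective GID
    groups: frozenset = frozenset()   # supplementary groups (empty after the drop)


@dataclass(frozen=True)
class Inode:
    path: str
    mode: int          # permission bits only, e.g. 0o660
    uid: int
    gid: int


def _applicable_bits(inode, creds):
    """Pick the owner, group or other triple that applies to creds."""
    if creds.uid == 0:
        return 7                                   # root: CAP_DAC_OVERRIDE, simplified
    if creds.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid == creds.gid or inode.gid in creds.groups:
        return (inode.mode >> 3) & 7               # group class: EGID or supplementary
    return inode.mode & 7


def may(inode, creds, want):
    """True if every bit named in want ('r', 'w', 'x' letters) is granted."""
    need = sum({'r': 4, 'w': 2, 'x': 1}[c] for c in set(want))
    return _applicable_bits(inode, creds) & need == need


def parent_dirs(path):
    parts = [p for p in path.split('/') if p]
    return ['/'] + ['/' + '/'.join(parts[:i]) for i in range(1, len(parts))]


def can_access(fs, path, creds, want):
    """Every directory on the way needs search ('x'); the leaf needs want."""
    if not all(may(fs[d], creds, 'x') for d in parent_dirs(path)):
        return False
    return may(fs[path], creds, want)


KLUSER, KLUSERS = 107, 111          # from `id kluser` in the thread
AMAVIS_UID, AMAVIS_GID = 106, 110   # from `id amavis` in the thread

FS = {i.path: i for i in (
    Inode('/', 0o755, 0, 0),
    Inode('/var', 0o755, 0, 0),
    Inode('/var/run', 0o755, 0, 0),                           # symlink to /run on the page
    Inode('/var/run/klms', 0o770, KLUSER, KLUSERS),
    Inode('/var/run/klms/rds_av', 0o660, KLUSER, KLUSERS),    # UNIX socket
    Inode('/var/log', 0o755, 0, 0),
    Inode('/var/log/kaspersky', 0o750, KLUSER, KLUSERS),
    Inode('/var/log/kaspersky/klms', 0o750, KLUSER, KLUSERS),
)}

# Three ways the amavis user can show up at the kernel:
SHELL = Creds(AMAVIS_UID, AMAVIS_GID, frozenset({AMAVIS_GID, KLUSERS}))  # `id amavis`
DAEMON_DEFAULT = Creds(AMAVIS_UID, AMAVIS_GID)   # after setuid/setgid: EGID '110 110', no extra groups
DAEMON_KLUSERS = Creds(AMAVIS_UID, KLUSERS)      # $daemon_group = 'klusers'


def connect_rds_av(creds, fs=FS):
    """connect(2) on a UNIX socket needs write permission on the socket inode."""
    return can_access(fs, '/var/run/klms/rds_av', creds, 'w')


def create_kavscanner_log(creds, fs=FS):
    """Creating a new file needs write+search on the containing directory."""
    return can_access(fs, '/var/log/kaspersky/klms', creds, 'wx')


def with_group_writable_log_dirs(fs=FS):
    """The 'give klusers write on the log directories' experiment from the post."""
    out = dict(fs)
    for p in ('/var/log/kaspersky', '/var/log/kaspersky/klms'):
        out[p] = Inode(p, 0o770, fs[p].uid, fs[p].gid)
    return out


if __name__ == '__main__':
    relaxed = with_group_writable_log_dirs()
    for name, c in (('shell', SHELL), ('daemon default', DAEMON_DEFAULT),
                    ('daemon klusers', DAEMON_KLUSERS)):
        print(f"{name:15} rds_av={connect_rds_av(c)!s:5} "
              f"log={create_kavscanner_log(c)!s:5} "
              f"log(0770)={create_kavscanner_log(c, relaxed)}")
```

Run as a script it prints one row per identity: the shell identity reaches the socket, the default daemon identity fails on /var/run/klms because its only GID is 110 and the directory grants nothing to "other", and the klusers daemon identity succeeds. It also shows why widening the log directories to the klusers group changes nothing for the default identity but is enough for the klusers one, so the world-writable workaround from the first post is not needed once $daemon_group is set. On a live system the same distinction is visible by comparing `id amavis` with the "Groups:" line in /proc/<amavisd pid>/status.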
