http:// / simscan / troubleshooting.shtml

simscan Troubleshooting

A lot of people seem to have problems getting simscan up and running the first time. In most cases these problems revolve around the different programs involved (simscan, clamd, etc.) running as different userids. I've seen and heard of people who resort to things as insecure as making clamd run as root, or forcing all of the programs to run as the vpopmail user, in order to "make it work". The problem is not limited to simscan- the same issue affects qmail-scanner, and for many people (especially users of the "qmailrocks" guide) it affects how the SMTP "AUTH" command is validated as well.

The various programs involved (simscan, clamd, vpopmail, etc.) are all specifically DESIGNED to run as different userids, for security reasons. This is to limit the amount of damage that an attacker using some currently unknown bug (aka "zero day" vulnerability, because you'll have zero days' notice before a real attack starts happening on the open internet) will be able to do.

For example, if somebody were to find a bug in clamd and build a message which caused clamd to do something bad when scanning the message, all they would have to do is send that message to a user on your server and your clamd would be doing something on their behalf, without your knowledge or authorization. If clamd is running as root, you will have just allowed this attacker to do whatever they want on your server.

Even if it's not running as root... if everything is running as the vpopmail user, they could go through all of your users' mailboxes and harvest email addresses for a spammer, they could grab a list of all of your users and their passwords (you ARE encrypting your users' passwords, right?) and use your server as a spam relay by using one or all of your users' passwords withan AUTH command, they could be targeting one specific user and be able to read all of that user's mail without their knowledge or consent, or they could just be malicious and DELETE all of your users' mailboxes.

Issues with clamav 0.90 and higher

Two of the most common problems involve clamav version 0.90 or higher. One is the error message "configure: error: Unable to find your clamav databases, specify --enable-clamavdb-path." when running the "./configure" command. The other is that if you have upgraded clamav from an earlier version to version 0.90 or higher, the virus database numbers in the email headers suddenly stop working (or the versions which appear in the simversions.cdb file no longer appear, and you just see something like "0.90/m:" in there instead.)

These issues are both caused by the same problem.

When clamav version 0.90 was released, they changed the location and format of the virus definition files. The "simscanmk" program needs to know where to find these files in order to read the versions and build the simversion.cdb file.

I have written a patch which fixes this issue. Note that after applying this patch, you need to run the "autoconf" command to re-generate the "configure" script.

Issues with User IDs and permissions

The simscan and clamav programs are both designed to run as their own dedicated non-root user, in order to limit the amount of damage which can be done by a bug in either program. The design is that the "simscan" user will expand the incoming message into a set of files stored in a temporary directory, and the "clamav" user will need to READ those files in order to scan them for viruses.

In order for this to happen safely, ALL of the following conditions must be true:

Extra debugging information

You may also wish to install the debug patch I wrote for simscan 1.3.1. This patch enables two different types of "extra debugging".

The first change is, if you set SIMSCAN_DEBUG=3, simscan will log the actual text returned by clamdscan. This may show you more information about why clamdscan and clamd are having problems scanning the files created by simscan.

The other change is, if you set SIMSCAN_DEBUG_FILES=1, simscan will NOT delete the temporary directory it creates for each messages, or the files within that directory, when clamdscan returns an error. This allows you to see exactly what simscan did or did not do. If you set SIMSCAN_DEBUG_FILES=2, simscan will not delete these temporary files for ANY messages.

I've sent the patch to the simcan developers, if they add it to a future version then there won't be any need for a patch, and you can just follow these directions to see the extra information.