preliminary Trend Interscan/Filescan support

Stephane Lentz Stephane.Lentz at ANSF.ALCATEL.FR
Mon Aug 12 20:21:25 IST 2002


Julian, Nick and other Mailscanner users,

I've started to add support for Trend Micro Interscan /
Filescan (both come with the command scanner /etc/iscan/vscan).
The filescanner is free for personal use and there is an
evaluation version of Interscan Viruswall which can be
downloaded at http://www.antivirus.com/download (versions exist
for HP-UX, Linux, Solaris).

Attached is a diff of sweep.pl for MailScanner-3.22-11 and
the wrapper script.

It's not working completely yet: I'm getting some errors I
don't understand while sending some viruses.

In the syslog I get:
Aug 12 21:22:05 angel mailscanner[4648]: Going to scan 1 messages
Aug 12 21:22:05 angel mailscanner[4648]: Commencing scanning by trend...
Aug 12 21:22:06 angel mailscanner[4648]: *** Found virus WORM_FRETHEM.L in file /var/spool/MailScanner/incoming/g7CJLkJs004645/sample
Aug 12 21:22:06 angel mailscanner[4648]: Completed scanning by trend
Aug 12 21:22:06 angel mailscanner[4648]: Found 1 viruses in messages var
Aug 12 21:22:06 angel mailscanner[4648]: Scanned 1 messages, 68245 bytes in 1 seconds
Aug 12 21:22:06 angel mailscanner[4648]: Saved infections to /var/spool/MailScanner/quarantine/20020812/var
Aug 12 21:22:06 angel mailscanner[4648]: About to deliver 1 messages
Aug 12 21:22:06 angel mailscanner[4648]: Deleting unparsable message var from queue
Aug 12 21:22:06 angel mailscanner[4648]: About to deliver 1 messages
Aug 12 21:22:06 angel mailscanner[4648]: Notified postmaster about 1 infections
Aug 12 21:22:06 angel mailscanner[4648]: Looks like a problem... dumping status information
Aug 12 21:22:06 angel mailscanner[4648]: Minimum acceptable stability = 4 (supported)
Aug 12 21:22:06 angel mailscanner[4648]: Using Scanner "trend"
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "antivir": scanning code status 1 - disinfect code status 1
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "f-secure": scanning code status 3 - disinfect code status 3
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "none": scanning code status 0 - disinfect code status 0
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "nod32": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "inoculate": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "inoculan": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "mcafee": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "panda": scanning code status 1 - disinfect code status 1
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "kaspersky": scanning code status 3 - disinfect code status 2
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "rav": scanning code status 1 - disinfect code status 1
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "sophos": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "trend": scanning code status 4 - disinfect code status 2
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "command": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: Scanner "f-prot": scanning code status 4 - disinfect code status 4
Aug 12 21:22:06 angel mailscanner[4648]: FATAL: Encountered code that does not meet configured acceptable stability
Aug 12 21:22:06 angel mailscanner[4648]: FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml

=> I don't get it. Why "Deleting unparsable message var from queue"?

The mail I get back is:
=============
Date: Mon, 12 Aug 2002 21:22:06 +0200
From: "MailScanner" <postmaster at angel.faithnomore.org>
Subject: Warning: E-mail viruses detected
To: postmaster at angel.faithnomore.org

The following e-mail messages were found to have viruses in them:

   Sender:
Recipient:
  Subject:
MessageID: var
   Report: *** Found virus WORM_FRETHEM.L in file /var/spool/MailScanner/incoming/g7CJLkJs004645/sample

--
MailScanner
Email Virus Scanner
=============



From time to time, while restarting mailscanner (I've not launched it through cron), I also get:
( cd  /  ; /opt/mailscanner/bin/mailscanner  )
In Debugging mode, not forking...
/bin/cp: cannot stat `/var/spool/MailScanner/incoming/var/spool': No such file or directory
FATAL: *Please go and READ* http://www.sng.ecs.soton.ac.uk/mailscanner/install/codestatus.shtml at /opt/mailscanner/bin/logger.pl line 64.

regards,

SL/
---
Stephane Lentz / Alcanet International - Internet Services
-------------- next part --------------
--- sweep.pl.orig       Mon Aug 12 19:09:33 2002
+++ sweep.pl    Mon Aug 12 19:40:45 2002
@@ -173,6 +173,16 @@
     SupportScanning    => $S_UNSUPPORTED,
     SupportDisinfect   => $S_UNSUPPORTED,
   },
+  "trend"      => {
+    Lock               => 'Trend.lock',
+    CommonOptions      => '-a',
+    DisinfectOptions   => '-c',
+    ScanOptions                => '',
+    InitParser         => \&InitTrendParser,
+    ProcessOutput      => \&ProcessTrendOutput,
+    SupportScanning    => $S_SUPPORTED,
+    SupportDisinfect   => $S_ALPHA,
+  },
   "none"               => {
     Lock               => 'NoneBusy.lock',
     CommonOptions      => '',
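Review bot: `SupportDisinfect => $S_ALPHA` is the likely cause of the abort at the end of the syslog excerpt: the status dump reports `Scanner "trend": scanning code status 4 - disinfect code status 2` against `Minimum acceptable stability = 4 (supported)`, and MailScanner then exits with `FATAL: Encountered code that does not meet configured acceptable stability`. For a preliminary scanner whose parser is not working yet, either keep both `SupportScanning` and `SupportDisinfect` below the production level and lower the configured minimum stability on the test host, or drop `DisinfectOptions => '-c'` and leave disinfection unsupported until it has been exercised; marking scanning `$S_SUPPORTED` at this stage looks optimistic. Also, the `ScanOptions` key is aligned with a tab while the neighbouring keys use spaces.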
@@ -507,6 +517,11 @@
   ;
 }

+# Initialise any state variables the RAV output parser uses
+sub InitTrendParser {
+  ;
+}
+
 # These functions must be called with, in order:
 # * The line of output from the scanner
 # * A reference to the hash containing problem details
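Review bot: the comment above `sub InitTrendParser` still reads "Initialise any state variables the RAV output parser uses"; it was copied from the RAV block and should name the Trend parser. An empty body is fine as long as `ProcessTrendOutput` keeps no state between lines, but say so in the comment rather than leaving a bare `;`.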
@@ -1009,6 +1024,57 @@
     $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
     return 1;
   }
+  return 0;
+}
+
+sub ProcessTrendOutput {
+  my($line, $infections, $types, $BaseDir) = @_;
+
+  my($report, $infected, $dot, $id, $part, @rest);
+
+# Sample output:
+#
+# [root at angel bin]# /etc/iscan/vscan -a  /root/sample
+# Virus Scanner v3.1, VSAPI v6.150-1001
+# Trend Micro Inc. 1996,1997
+#         Pattern version 333
+#         Pattern number 46783
+# Configuration: -a -r -nl -c1 -c2 -u -s
+#         /root/sample
+#                 check compressed file:No_Name
+#                 decompress ok:No_Name
+#                 check compressed file:decrypt-password.exe
+#                 decompress ok:decrypt-password.exe
+# *** Found virus WORM_FRETHEM.L in file /root/sample
+# ***      1 decrypt-password.exe in /root/sample(type Mime Base 64)
+
+# ==============================
+# Directory:
+#         Searched : 0
+# File:
+#         Searched : 1
+#             Scan : 1
+#         Infected : 1
+#         Infected : 1(Include files been compressed)
+# Time:
+#         Start : 8/12/02 19:16:15
+#          Stop : 8/12/02 19:16:15
+#          Used : 00:00
+
+  chomp $line;
+
+  Log::WarnLog($line) if $line =~ /read pattern failed/i;
+  return 0 unless $line =~ /Found virus/i;
+  Log::InfoLog($line);
+  $report = $line;
+  $infected = $line;
+  $infected =~ s/^.*Found\s*in\s*file\s*//i;
+ #  if ($line =~ /\*\*\* Found virus (.*) in file (.*)/i) {
+    ($dot,$id,$part, at rest) = split(/\//, $infected);
+    $infections->{"$id"}{"$part"} .= $report . "\n";
+    $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
+    return 1;
+
   return 0;
 }
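Review bot: the substitution `$infected =~ s/^.*Found\s*in\s*file\s*//i;` never matches the sample line `*** Found virus WORM_FRETHEM.L in file /root/sample`, because `virus WORM_FRETHEM.L` sits between `Found` and `in file`, so `$infected` is still the whole line when it reaches `split(/\//, $infected)`. Splitting the untouched line on `/` yields `$id = "var"` and `$part = "spool"`, which is exactly the `Deleting unparsable message var from queue`, `MessageID: var` and `cp: cannot stat .../incoming/var/spool` seen in the logs above. Use the capture that is commented out, `if ($line =~ /\*\*\* Found virus (.*) in file (.*)/i)`, and strip `$BaseDir` from the captured path before splitting so that `$id` and `$part` are the message directory and the attachment name. Two smaller points: the unconditional `return 1;` leaves the trailing `return 0;` unreachable, and the archive has rendered `@rest` in the split as ` at rest`, so the line will need retyping when applied.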

-------------- next part --------------
#!/bin/sh

#   MailScanner - SMTP E-Mail Virus Scanner
#   Copyright (C) 2001  Julian Field
#
#   This program is free software; you can redistribute it and/or modify
#   it under the terms of the GNU General Public License as published by
#   the Free Software Foundation; either version 2 of the License, or
#   (at your option) any later version.
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
#
#   The author, Julian Field, can be contacted by email at
#      Jules at JulianField.net
#   or by paper mail at
#      Julian Field
#      Dept of Electronics & Computer Science
#      University of Southampton
#      Southampton
#      SO17 1BJ
#      United Kingdom
#


PackageDir=/etc/iscan
prog=vscan            # scanner binary inside $PackageDir (was: `basename $0`)
datDIR=$PackageDir    # pattern-file directory; kept for reference, not used below

# vscan needs its dynamic library libvsapi.so, which lives in $PackageDir
LD_LIBRARY_PATH=$PackageDir
export LD_LIBRARY_PATH

# Replace this shell with the scanner, passing MailScanner's arguments through
exec "${PackageDir}/${prog}" "$@"
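Added example, not part of the message or the attached patch: a Perl sketch of how the "*** Found virus" line from vscan can be turned into the message id and part that the other ProcessXxxOutput subs in sweep.pl record, using the syslog line from the message above as constructed input. The sub names ParseTrendLine and the BaseDir value are assumptions; nothing here is MailScanner's own code.

```perl
#!/usr/bin/perl
# Added example (not from the MailScanner-3.22-11 patch): parse Trend's
# "*** Found virus NAME in file PATH" line into (id, part) relative to the
# incoming directory, which is what the infection hashes in sweep.pl key on.
use strict;
use warnings;

# ParseTrendLine (hypothetical name): returns (id, part, report) for a
# detection line, or an empty list for anything else.
sub ParseTrendLine {
  my ($line, $BaseDir) = @_;
  chomp $line;
  return () unless $line =~ /^\*\*\* Found virus (.+?) in file (.+?)\s*$/i;
  my ($virus, $path) = ($1, $2);
  # Make the path relative to the incoming directory first. Splitting the
  # absolute path would give id="var" and part="spool", i.e. the
  # "unparsable message var" seen in the syslog.
  $path =~ s{^\Q$BaseDir\E/?}{};
  my ($id, $part) = split m{/}, $path;   # id/part[/deeper components]
  return () unless defined $id && defined $part;
  return ($id, $part, $line);
}

# Same signature as the ProcessXxxOutput subs in sweep.pl.
sub ProcessTrendOutput {
  my ($line, $infections, $types, $BaseDir) = @_;
  my ($id, $part, $report) = ParseTrendLine($line, $BaseDir);
  return 0 unless defined $id;
  $infections->{$id}{$part} .= $report . "\n";
  $types->{$id}{$part} .= "v";           # so we know what to tell sender
  return 1;
}

# Constructed run over the detection line from the syslog excerpt and one
# non-detection line from the sample vscan output; BaseDir is assumed.
my $BaseDir = '/var/spool/MailScanner/incoming';
my @sample = (
  '*** Found virus WORM_FRETHEM.L in file '
    . '/var/spool/MailScanner/incoming/g7CJLkJs004645/sample',
  '***      1 decrypt-password.exe in /root/sample(type Mime Base 64)',
);
my (%infections, %types);
my $found = 0;
$found += ProcessTrendOutput($_, \%infections, \%types, $BaseDir) for @sample;
print "detections: $found\n";
for my $id (sort keys %infections) {
  for my $part (sort keys %{ $infections{$id} }) {
    print "id=$id part=$part type=$types{$id}{$part}\n";
  }
}
```

The id/part pair only comes out right when $BaseDir is stripped before the split, which is the step the attached ProcessTrendOutput skips; the second sample line is ignored because it carries no "Found virus" marker.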


