preliminary Trend Interscan/Filescan support

Stephane Lentz Stephane.Lentz at ANSF.ALCATEL.FR
Tue Aug 13 20:03:02 IST 2002


Hi,

On Mon, Aug 12, 2002 at 08:54:28PM +0100, Julian Field wrote:
> At 20:21 12/08/2002, you wrote:
> >Julian, Nick and other Mailscanner users,
> >
> >I've started to add support for Trend Micro Interscan /
> >Filescan (both come with the command scanner /etc/iscan/vscan).
> >The filescanner is free for personal use and there is some
> >evaluation version for Interscan Viruswall which can be
> >downloaded at http://www.antivirus.com/download (versions exist
> >for HP-UX, Linux, Solaris).
> >
> >Here's attached a diff of sweep.pl for MailScanner-3.22-11 and
> >the wrapper script.
> >
> >It's not working completely yet: I'm getting some errors I
> >don't understand while sending some viruses:
>
> You need to remove all of the directory components from the filename
> reported by Trend. Take a look at the McAfee parser, it removes all the
> leading directory components for exactly the same reason. That will solve
> most/all of your problems.
>

=> Got it fixed.
New diff attached.

The messages generated to the postmaster and originator look ok.
$report includes only the attachment name (without the
$id/ suffix). The "***" could be removed maybe.

Date: Tue, 13 Aug 2002 21:01:45 +0200
From: "MailScanner" <postmaster at angel.faithnomore.org>
Subject: Warning: E-mail viruses detected
To: postmaster at angel.faithnomore.org

The following e-mail messages were found to have viruses in them:

   Sender: <Stephane.Lentz at ansf.alcatel.fr>
Recipient: <root at angel.faithnomore.org>
  Subject: test bad stuff
MessageID: g7DJ1MXs003992
   Report: *** Found virus WORM_FRETHEM.L in file sample

Date: Tue, 13 Aug 2002 21:01:44 +0200
From: "MailScanner" <postmaster at angel.faithnomore.org>
To: <Stephane.Lentz at ansf.alcatel.fr>
Subject: Warning: E-mail viruses detected

Our virus detector has just been triggered by a message you sent:-
  To: <root at angel.faithnomore.org>
  Subject: test bad stuff
  Date: Tue Aug 13 21:01:44 2002
Any infected parts of the message have not been delivered.

This message is simply to warn you that your computer system may have a
virus present and should be checked.

The virus detector said this about the message:
Report: *** Found virus WORM_FRETHEM.L in file sample


--
MailScanner
Email Virus Scanner

--

---
Stephane Lentz / Alcanet International - Internet Services
-------------- next part --------------
--- sweep.pl.orig       Mon Aug 12 19:09:33 2002
+++ sweep.pl    Tue Aug 13 20:46:24 2002
@@ -173,6 +173,16 @@
     SupportScanning    => $S_UNSUPPORTED,
     SupportDisinfect   => $S_UNSUPPORTED,
   },
+  "trend"      => {
+    Lock               => 'Trend.lock',
+    CommonOptions      => '-a',
+    DisinfectOptions   => '-c',
+    ScanOptions                => '',
+    InitParser         => \&InitTrendParser,
+    ProcessOutput      => \&ProcessTrendOutput,
+    SupportScanning    => $S_SUPPORTED,
+    SupportDisinfect   => $S_ALPHA,
+  },
   "none"               => {
     Lock               => 'NoneBusy.lock',
     CommonOptions      => '',
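Review bot: the `ScanOptions` key in the new `"trend"` entry is aligned with a tab where the neighbouring keys use spaces, so its `=>` sits out of column in the listing; use spaces like the other entries. `SupportDisinfect => $S_ALPHA` together with `DisinfectOptions => '-c'` also deserves a second look: the output parser added later in this patch only reacts to `Found virus` lines and records nothing about whether a file was cleaned, so a disinfect run would not report its result back. Either keep it at `$S_UNSUPPORTED` until the parser handles the cleaned-file case, or add a comment stating what `-c` does and why alpha status is justified.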
@@ -507,6 +517,11 @@
   ;
 }

+# Initialise any state variables the Trend output parser uses
+sub InitTrendParser {
+  ;
+}
+
 # These functions must be called with, in order:
 # * The line of output from the scanner
 # * A reference to the hash containing problem details
@@ -1010,6 +1025,61 @@
     return 1;
   }
   return 0;
+}
+
+sub ProcessTrendOutput {
+  my($line, $infections, $types, $BaseDir) = @_;
+
+  my($report, $infected, $dot, $id, $part, @rest);
+
+# Sample output:
+#
+# [root at angel bin]# /etc/iscan/vscan -a  /root/sample
+# Virus Scanner v3.1, VSAPI v6.150-1001
+# Trend Micro Inc. 1996,1997
+#         Pattern version 333
+#         Pattern number 46783
+# Configuration: -a -r -nl -c1 -c2 -u -s
+#         /root/sample
+#                 check compressed file:No_Name
+#                 decompress ok:No_Name
+#                 check compressed file:decrypt-password.exe
+#                 decompress ok:decrypt-password.exe
+# *** Found virus WORM_FRETHEM.L in file /root/sample
+# ***      1 decrypt-password.exe in /root/sample(type Mime Base 64)
+
+# ==============================
+# Directory:
+#         Searched : 0
+# File:
+#         Searched : 1
+#             Scan : 1
+#         Infected : 1
+#         Infected : 1(Include files been compressed)
+# Time:
+#         Start : 8/12/02 19:16:15
+#          Stop : 8/12/02 19:16:15
+#          Used : 00:00
+
+  chomp $line;
+
+  Log::WarnLog($line) if $line =~ /read pattern failed/i;
+  return 0 unless $line =~ /Found virus/i;
+  Log::InfoLog($line);
+  $line =~ s/$BaseDir\///;
+  $report = $line;
+  $infected = $line;
+  # Now we get id($2) part($3) virusname($1)
+  $infected =~ s/^.* Found virus (.*) in file (.*)\/(.*)/$2 $3 $1/i;
+ #  if ($line =~ /\*\*\* Found virus (.*) in file (.*)/i) {
+    ($id,$part, at rest) = split(/\s+/, $infected);
+ # print STDERR "infected=$infected\n";
+    $report =~ s/$id\///;
+    $infections->{"$id"}{"$part"} .= $report . "\n";
+    $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
+  # print STDERR "id=$id,part=$part,dot=$dot\n";
+    return 1;
+
 }
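Review bot: `$BaseDir` and `$id` are interpolated into substitution patterns unescaped in `$line =~ s/$BaseDir\///;` and `$report =~ s/$id\///;`, so any regex metacharacter in the base directory path (a `.` or `+`, for instance) changes what gets stripped; write them as `s/\Q$BaseDir\E\///` and `s/\Q$id\E\///`, or pass them through `quotemeta` first. The field extraction is also fragile: `s/^.* Found virus (.*) in file (.*)\/(.*)/$2 $3 $1/i` joins the three captures into one whitespace-separated string and `split(/\s+/, $infected)` pulls them apart again, so a filename or path component containing a space shifts `$id` and `$part` and the report lands under the wrong key; capturing directly with `my($virus, $id, $part) = $line =~ /Found virus (.*) in file (.*)\/(.*)/i` avoids the round trip. Note that the line reads `($id,$part, at rest)` in this listing where the code would need `@rest` (this looks like the archive's address munging), and the commented-out `if (...) {`, the `print STDERR` lines and the unused `$dot` are leftover scaffolding that should go before this is merged.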

