Writing support for new scanners

Nick Phillips nwp at LEMON-COMPUTING.COM
Sat Jun 15 11:33:42 IST 2002

On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:

> I will try to figure out how to add support for this scanner in
> weeks to come.

Well, feel free. Here are some guidelines that I've been working on for
you and any other prospective scanner-support-writers out there...

* Tips for writing scanner support:
  * "print STDERR $line" is your friend.
  * Always parse *every* line of output from the scanner, and
    die if you don't understand it.
  * Be *extremely* anal when writing regexps, especially with
    quantities of whitespace.
  * Only use wildcards to match the filename part of the output,
    *never* to match whitespace or boilerplate text (think about
    what might happen if the filename has a trailing <space> character).
  * At least one scanner prints "<cr><space>...<space><cr>"
    before outputting its results -- be *sure* what the scanner's
    output format really is.
  * Be sure that you know how your scanner reports infections
    within archives; they can easily be mis-parsed.
  * Use comments to document any oddities that could confuse
    your parser; that way we might be able to ensure that they
    don't happen in future.
  * Use comments to document the output format you are expecting
    from the scanner so that when it changes, debugging is quicker.
  * Watch out for scanners reporting different categories of Bad
    Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
    is a good idea to run "strings" over a core dump from the scanner
    to get clues as to what may be reported if you're not sure.

And a few more that I haven't added to that list yet:

  * Include examples (directly from *real output*) of output formats
    in comments in your code.
  * Aim to include only parameters which are necessary in the parameter
    lists in the code; put the rest in the wrapper script, with comments -
    see the F-Prot or Kaspersky wrapper scripts for examples.
  * Run the scanner in the "C" locale (clear all LC_* environment variables,
    and LANG -- or set LANG to "C").
  * Please try to comment your code in English - that's what Jules and I
    speak, so it's what we need in comments when we're trying to work out
    what's going on (I can handle French, or some German, but anything else
    is likely not helpful).
  * Please indicate in the comments *exactly* which versions of the scanner
    in question your code has been tested with, which versions you expect it
    to work with, and which versions any example output was generated by.

Err, that's all I can think of at the moment.
Nick Phillips -- nwp at lemon-computing.com
Tomorrow will be cancelled due to lack of interest.
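As an added illustration of the tips above (my example, not Nick's or MailScanner's code), here is a small Perl parser for a made-up scanner called "examplescan"; its output format, the paths, the version number and the category names are all constructed assumptions.

```perl
use strict;
use warnings;
# Output format of the hypothetical scanner "examplescan" 1.0 (constructed, not a
# real product); the sample below is the exact format this parser expects:
#   Preamble: one line of spaces between two <cr> characters
#   Header:   examplescan 1.0 scanning <directory>
#   Hit:      <path>: infected by <Category>: <Name>
#   Archive:  <path>: infected by <Category>: <Name> (in archive member <member>)
#   Summary:  Scanned <N> files, <M> infected
# Categories seen so far: Virus, Trojan, Worm, Joke Program.
my @sample_output = (
    "\r   \r",
    "examplescan 1.0 scanning /var/spool/MailScanner/incoming/1234",
    "/var/spool/MailScanner/incoming/1234/msg.doc : infected by Virus: Example.A",
    "/var/spool/MailScanner/incoming/1234/att.zip: infected by Trojan: Demo.B (in archive member inner/setup.exe)",
    "/var/spool/MailScanner/incoming/1234/fun.exe: infected by Joke Program: Gag.C",
    "Scanned 3 files, 3 infected",
);

# Returns { filename => [ { category, name, member } ] }; dies on anything unexpected.
sub parse_scanner_output {
    my @lines = @_;
    my (%hits, $summary_seen);
    foreach my $line (@lines) {
        # print STDERR "$line\n";   # handy while developing the parser
        next if $line =~ /^\r +\r$/;                       # known preamble, matched exactly
        next if $line =~ /^examplescan 1\.0 scanning \//;  # header, version pinned on purpose
        if ($line =~ /^(.+): infected by (Virus|Trojan|Worm|Joke Program): (\S+)(?: \(in archive member (.+)\))?$/) {
            # Only the filename and member are wildcards; the boilerplate is literal, so
            # a filename with a trailing space ("msg.doc ") is captured intact.
            push @{ $hits{$1} }, { category => $2, name => $3, member => $4 };
            next;
        }
        if ($line =~ /^Scanned [0-9]+ files, ([0-9]+) infected$/) {
            my ($reported, $found) = ($1, 0);
            $found += @{$_} for values %hits;
            die "Summary reports $reported infected but $found hits were parsed\n" if $reported != $found;
            $summary_seen = 1;
            next;
        }
        die "Unrecognised examplescan output line: \"$line\"\n";
    }
    die "No summary line seen; was the scanner output truncated?\n" unless $summary_seen;
    return \%hits;
}

my $hits = parse_scanner_output(@sample_output);
for my $file (sort keys %$hits) {
    printf "'%s' => %s: %s\n", $file, $_->{category}, $_->{name} for @{ $hits->{$file} };
}
```

Feeding it a line the format comments do not describe makes it die with that line quoted, which is the behaviour the tips ask for.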