Writing support for new scanners
Francois Caen
FCaen at CI.LAKEWOOD.WA.US
Mon Jun 17 16:56:08 IST 2002
Since the question "how do I add support for anti-virus XYZ?" comes back so often and you took the time to write those instructions, maybe Julian should add them to the Mailscanner site?
------------------------------------------------
Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269
-----Original Message-----
From: nwp at LEMON-COMPUTING.COM
Sent: Saturday, June 15, 2002 3:34 AM
To: <MAILSCANNER at JISCMAIL.AC.UK>
Subject: [MAILSCANNER] Writing support for new scanners
On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:
> I will try to figure out how to add support for this scanner in
> weeks to come.
Well, feel free. Here are some guidelines that I've been working on for
you and any other prospective scanner-support-writers out there...
* Tips for writing scanner support:
* "print STDERR $line" is your friend.
* Always parse *every* line of output from the scanner, and
die if you don't understand it.
* Be *extremely* anal when writing regexps, especially with
quantities of whitespace.
* Only use wildcards to match the filename part of the output,
*never* to match whitespace or boilerplate text (think about
what might happen if the filename has a trailing <space> character).
* At least one scanner prints "<cr><space>...<space><cr>"
before outputting its results -- be *sure* what the scanner's
output format really is.
* Be sure that you know how your scanner reports infections
within archives; they can easily be mis-parsed.
* Use comments to document any oddities that could confuse
your parser; that way we might be able to ensure that they
don't happen in future.
* Use comments to document the output format you are expecting
from the scanner so that when it changes, debugging is quicker.
* Watch out for scanners reporting different categories of Bad
Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
is a good idea to run "strings" over a core dump from the scanner
to get clues as to what may be reported if you're not sure.
And a few more that I haven't added to that list yet:
* Include examples (directly from *real output*) of output formats
in comments in your code.
* Aim to include only parameters which are necessary in the parameter
lists in the code; put the rest in the wrapper script, with comments -
see the F-Prot or Kaspersky wrapper scripts for examples.
* Run the scanner in the "C" locale (clear all LC_* environment variables,
and LANG -- or set LANG to "C").
* Please try to comment your code in English - that's what Jules and I
speak, so it's what we need in comments when we're trying to work out
what's going on (I can handle French, or some German, but anything else
is likely not helpful).
* Please indicate in the comments *exactly* which versions of the scanner
in question your code has been tested with, which versions you expect it
to work with, and which versions any example output was generated by.
Err, that's all I can think of at the moment.
Cheers,
Nick
--
Nick Phillips -- nwp at lemon-computing.com
Tomorrow will be cancelled due to lack of interest.
More information about the MailScanner
mailing list