Writing support for new scanners

Francois Caen FCaen at CI.LAKEWOOD.WA.US
Mon Jun 17 16:56:08 IST 2002

Since the question "how do I add support for anti-virus XYZ?" comes back so often and you took the time to write those instructions, maybe Julian should add them to the Mailscanner site?

Francois Caen
Network Information Systems Engineer - Webmaster
City of Lakewood, WA
(253) 512-2269 
-----Original Message-----
Sent: Saturday, June 15, 2002 3:34 AM
Subject: [MAILSCANNER] Writing support for new scanners

On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote: 
> I will try to figure out how to add support for this scanner in 
> weeks to come. 
Well, feel free. Here are some guidelines that I've been working on for 
you and any other prospective scanner-support-writers out there... 

* Tips for writing scanner support: 
  * "print STDERR $line" is your friend. 
  * Always parse *every* line of output from the scanner, and 
    die if you don't understand it. 
  * Be *extremely* anal when writing regexps, especially with 
    quantities of whitespace. 
  * Only use wildcards to match the filename part of the output, 
    *never* to match whitespace or boilerplate text (think about 
    what might happen if the filename has a trailing <space> character). 
  * At least one scanner prints "<cr><space>...<space><cr>" 
    before outputting its results -- be *sure* what the scanner's 
    output format really is. 
  * Be sure that you know how your scanner reports infections 
    within archives; they can easily be mis-parsed. 
  * Use comments to document any oddities that could confuse 
    your parser; that way we might be able to ensure that they 
    don't happen in future. 
  * Use comments to document the output format you are expecting 
    from the scanner so that when it changes, debugging is quicker. 
  * Watch out for scanners reporting different categories of Bad 
    Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it 
    is a good idea to run "strings" over a core dump from the scanner 
    to get clues as to what may be reported if you're not sure. 

And a few more that I haven't added to that list yet: 
  * Include examples (directly from *real output*) of output formats 
    in comments in your code. 
  * Aim to include only parameters which are necessary in the parameter 
    lists in the code; put the rest in the wrapper script, with comments - 
    see the F-Prot or Kaspersky wrapper scripts for examples. 
  * Run the scanner in the "C" locale (clear all LC_* environment variables, 
    and LANG -- or set LANG to "C"). 
  * Please try to comment your code in English - that's what Jules and I 
    speak, so it's what we need in comments when we're trying to work out 
    what's going on (I can handle French, or some German, but anything else 
    is likely not helpful). 
  * Please indicate in the comments *exactly* which versions of the scanner 
    in question your code has been tested with, which versions you expect it 
    to work with, and which versions any example output was generated by. 

Err, that's all I can think of at the moment. 


Nick Phillips -- nwp at lemon-computing.com 
Tomorrow will be cancelled due to lack of interest. 
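As an added illustration of the guidelines above (example code, not from MailScanner or from either poster), here is a small Python parser for a constructed output format of a hypothetical scanner called "xyzscan"; MailScanner itself is Perl, but the habits are the same: every line must match one known shape, whitespace and boilerplate are spelled out literally, the filename is the only wildcard, infections inside archives are reported against the enclosing attachment, and anything unrecognised dies.

```python
import re

# Constructed sample output from a hypothetical scanner ("xyzscan"); the format
# is invented for this example, not copied from any real product. It contains
# the traps the guidelines warn about: a line of spaces before the results,
# a filename with a trailing space, an archive member, and several categories.
SAMPLE_OUTPUT = (
    "          \r\n"
    "xyzscan 1.0 (engine 2002-06-15)\n"
    "/tmp/msg1/eicar.com : Infection: Virus/EICAR-Test-File\n"
    "/tmp/msg1/trailing.exe  : Infection: Worm/Example.A\n"
    "/tmp/msg1/bundle.zip->inner/evil.scr : Infection: Trojan/Example.B\n"
    "/tmp/msg1/joke.exe : Infection: Joke Program/Example.C\n"
    "/tmp/msg1/readme.txt : OK\n"
    "Summary: 5 files scanned, 4 infected\n"
)

# One anchored regex per known line shape. Whitespace and boilerplate are
# spelled out literally; the only wildcard is the filename capture, so a
# trailing space in a filename survives instead of being eaten by a \s+.
RE_BANNER  = re.compile(r"^ *$")
RE_VERSION = re.compile(r"^xyzscan \d+\.\d+ \(engine \d{4}-\d{2}-\d{2}\)$")
RE_INFECT  = re.compile(r"^(.+) : Infection: (Joke Program|Trojan|Virus|Worm)/(\S+)$")
RE_CLEAN   = re.compile(r"^(.+) : OK$")
RE_SUMMARY = re.compile(r"^Summary: (\d+) files scanned, (\d+) infected$")

class ScannerOutputError(Exception):
    """Raised for any line the parser does not recognise: fail loudly."""

def parse_scanner_output(text):
    """Return {attachment: (category, malware_name)}; an archive member is
    reported against the enclosing attachment, the file actually delivered."""
    infections, reported = {}, 0
    for raw in text.split("\n"):
        line = raw.rstrip("\r")          # strip CR only; trailing spaces matter
        if RE_BANNER.match(line) or RE_VERSION.match(line) or RE_CLEAN.match(line):
            continue
        m = RE_INFECT.match(line)
        if m:
            path, category, name = m.groups()
            infections[path.split("->", 1)[0]] = (category, name)
            reported += 1
            continue
        m = RE_SUMMARY.match(line)
        if m:
            if int(m.group(2)) != reported:  # our count must agree with the scanner
                raise ScannerOutputError("summary disagrees with parsed lines: %r" % line)
            continue
        raise ScannerOutputError("unrecognised scanner output line: %r" % line)
    return infections
```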
