Fwd: Re: Writing support for new scanners
mailscanner at ecs.soton.ac.uk
Mon Jun 17 20:41:47 IST 2002
>X-Mailer: Novell GroupWise Internet Agent 6.0
>Date: Mon, 17 Jun 2002 08:56:08 -0700
>Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>Sender: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>From: Francois Caen <FCaen at CI.LAKEWOOD.WA.US>
>Subject: Re: Writing support for new scanners
>To: MAILSCANNER at JISCMAIL.AC.UK
>X-ECS-MailScanner: Found to be clean
>X-MIME-Autoconverted: from quoted-printable to 8bit by
>roadrunner.ecs.soton.ac.uk id g5HFwq9M005419
>Since the question "how do I add support for anti-virus XYZ?" comes back
>so often and you took the time to write those instructions, maybe Julian
>should add them to the MailScanner site?
>Network Information Systems Engineer - Webmaster
>City of Lakewood, WA
>From: nwp at LEMON-COMPUTING.COM
>Sent: Saturday, June 15, 2002 3:34 AM
>To: <MAILSCANNER at JISCMAIL.AC.UK>
>Subject: [MAILSCANNER] Writing support for new scanners
>On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:
> > I will try to figure out how to add support for this scanner in
> > weeks to come.
>Well, feel free. Here are some guidelines that I've been working on for
>you and any other prospective scanner-support-writers out there...
>* Tips for writing scanner support:
> * "print STDERR $line" is your friend.
> * Always parse *every* line of output from the scanner, and
> die if you don't understand it.
> * Be *extremely* anal when writing regexps, especially with
> quantities of whitespace.
> * Only use wildcards to match the filename part of the output,
> *never* to match whitespace or boilerplate text (think about
> what might happen if the filename has a trailing <space> character).
> * At least one scanner prints "<cr><space>...<space><cr>"
> before outputting its results -- be *sure* what the scanner's
> output format really is.
> * Be sure that you know how your scanner reports infections
> within archives; they can easily be mis-parsed.
> * Use comments to document any oddities that could confuse
> your parser; that way we might be able to ensure that they
> don't happen in future.
> * Use comments to document the output format you are expecting
> from the scanner so that when it changes, debugging is quicker.
> * Watch out for scanners reporting different categories of Bad
> Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
> is a good idea to run "strings" over a core dump from the scanner
> to get clues as to what may be reported if you're not sure.
>And a few more that I haven't added to that list yet:
> * Include examples (directly from *real output*) of output formats
> in comments in your code.
> * Aim to include only parameters which are necessary in the parameter
> lists in the code; put the rest in the wrapper script, with comments -
> see the F-Prot or Kaspersky wrapper scripts for examples.
> * Run the scanner in the "C" locale (clear all LC_* environment variables,
> and LANG -- or set LANG to "C").
> * Please try to comment your code in English - that's what Jules and I
> speak, so it's what we need in comments when we're trying to work out
> what's going on (I can handle French, or some German, but anything else
> is likely not helpful).
> * Please indicate in the comments *exactly* which versions of the scanner
> in question your code has been tested with, which versions you expect it
> to work with, and which versions any example output was generated by.
>Err, that's all I can think of at the moment.
>Nick Phillips -- nwp at lemon-computing.com
>Tomorrow will be cancelled due to lack of interest.
Julian Field Teaching Systems Manager
jkf at ecs.soton.ac.uk Dept. of Electronics & Computer Science
Tel. 023 8059 2817 University of Southampton
Southampton SO17 1BJ
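
The parsing tips quoted above, applied to a made-up scanner. This is an added example, not part of the original post and not MailScanner's own code. The scanner name "xyzscan", its output format, the sample paths and the function parse_scanner_output are all assumptions constructed for illustration.

```perl
use strict;
use warnings;

# Expected output of the hypothetical scanner "xyzscan" (format constructed
# for this example; no real product or version is implied):
#   <path>: OK
#   <path>: Infected: <category> <name>
#   <archive>-><member>: Infected: <category> <name>
#   Scanned <n> files, <m> infected
# Exactly one space follows each colon. Categories are a closed list.
my $CATEGORY = qr/(?:Virus|Trojan|Worm|Joke Program)/;

sub parse_scanner_output {
    my (@lines) = @_;
    my %report;    # attachment path => list of "category name" findings
    for my $line (@lines) {
        chomp $line;
        # Only the filename is a wildcard; whitespace and boilerplate are literal.
        next if $line =~ /^.+: OK$/;
        next if $line =~ /^Scanned \d+ files, \d+ infected$/;
        # Anything not recognised aborts the run instead of being skipped.
        $line =~ /^(.+): Infected: ($CATEGORY) ([\w.-]+)$/
            or die "Unrecognised scanner output: [$line]\n";
        my ($file, $category, $name) = ($1, $2, $3);
        # An infected archive member is charged to the outermost archive.
        # Oddity: a plain filename containing "->" is misread as an archive.
        my ($container) = split /->/, $file, 2;
        push @{ $report{$container} }, "$category $name";
    }
    return \%report;
}

# Before invoking a real scanner: force the "C" locale so messages stay untranslated.
delete @ENV{ grep { /^LC_/ } keys %ENV };
$ENV{LANG} = 'C';

# Constructed sample output; "setup.exe " ends in a space on purpose.
my @sample = (
    "/in/msg1/notes.txt: OK\n",
    "/in/msg1/setup.exe : Infected: Virus Example.A\n",
    "/in/msg1/docs.zip->inner/run.scr: Infected: Trojan Example.B\n",
    "Scanned 3 files, 2 infected\n",
);
my $report = parse_scanner_output(@sample);
print "[$_] => @{ $report->{$_} }\n" for sort keys %$report;

# A category the parser has never seen must stop processing, not pass as clean.
eval { parse_scanner_output("/in/msg1/a.txt: Suspicious: Heuristic.X\n") };
print "rejected: $@" if $@;
```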