Fwd: Re: Writing support for new scanners

Julian Field mailscanner at ecs.soton.ac.uk
Mon Jun 17 20:41:47 IST 2002

>X-Mailer: Novell GroupWise Internet Agent 6.0
>Date:         Mon, 17 Jun 2002 08:56:08 -0700
>Reply-To: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>Sender: MailScanner mailing list <MAILSCANNER at JISCMAIL.AC.UK>
>From: Francois Caen <FCaen at CI.LAKEWOOD.WA.US>
>Subject:      Re: Writing support for new scanners
>X-ECS-MailScanner: Found to be clean
>X-MIME-Autoconverted: from quoted-printable to 8bit by 
>roadrunner.ecs.soton.ac.uk id g5HFwq9M005419
>Since the question "how do I add support for anti-virus XYZ?" comes back 
>so often and you took the time to write those instructions, maybe Julian 
>should add them to the MailScanner site?
>Francois Caen
>Network Information Systems Engineer - Webmaster
>City of Lakewood, WA
>(253) 512-2269
>-----Original Message-----
>Sent: Saturday, June 15, 2002 3:34 AM
>Subject: [MAILSCANNER] Writing support for new scanners
>On Sat, Jun 15, 2002 at 10:48:02AM +0200, Stephane Lentz wrote:
> > I will try to figure out how to add support for this scanner in
> > weeks to come.
>Well, feel free. Here are some guidelines that I've been working on for
>you and any other prospective scanner-support-writers out there...
>* Tips for writing scanner support:
>   * "print STDERR $line" is your friend.
>   * Always parse *every* line of output from the scanner, and
>     die if you don't understand it.
>   * Be *extremely* anal when writing regexps, especially with
>     quantities of whitespace.
>   * Only use wildcards to match the filename part of the output,
>     *never* to match whitespace or boilerplate text (think about
>     what might happen if the filename has a trailing <space> character).
>   * At least one scanner prints "<cr><space>...<space><cr>"
>     before outputting its results -- be *sure* what the scanner's
>     output format really is.
>   * Be sure that you know how your scanner reports infections
>     within archives; they can easily be mis-parsed.
>   * Use comments to document any oddities that could confuse
>     your parser; that way we might be able to ensure that they
>     don't happen in future.
>   * Use comments to document the output format you are expecting
>     from the scanner so that when it changes, debugging is quicker.
>   * Watch out for scanners reporting different categories of Bad
>     Thing - e.g. "Joke Program", "Trojan", "Virus", "Worm"... it
>     is a good idea to run "strings" over a core dump from the scanner
>     to get clues as to what may be reported if you're not sure.
>And a few more that I haven't added to that list yet:
>   * Include examples (directly from *real output*) of output formats
>     in comments in your code.
>   * Aim to include only parameters which are necessary in the parameter
>     lists in the code; put the rest in the wrapper script, with comments -
>     see the F-Prot or Kaspersky wrapper scripts for examples.
>   * Run the scanner in the "C" locale (clear all LC_* environment variables,
>     and LANG -- or set LANG to "C").
>   * Please try to comment your code in English - that's what Jules and I
>     speak, so it's what we need in comments when we're trying to work out
>     what's going on (I can handle French, or some German, but anything else
>     is likely not helpful).
>   * Please indicate in the comments *exactly* which versions of the scanner
>     in question your code has been tested with, which versions you expect it
>     to work with, and which versions any example output was generated by.
>Err, that's all I can think of at the moment.
>Nick Phillips -- nwp at lemon-computing.com
>Tomorrow will be cancelled due to lack of interest.

Julian Field                Teaching Systems Manager
jkf at ecs.soton.ac.uk         Dept. of Electronics & Computer Science
Tel. 023 8059 2817          University of Southampton
                             Southampton SO17 1BJ
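
The tips quoted above (parse every line and die on anything unexpected, wildcard only the filename, expect a trailing space in filenames, a progress prefix, archive members, and the "C" locale) combined in one parser. This is an added example, not part of the original message and not MailScanner's own code. The scanner name "xyzscan", its output format, the function name parse_xyzscan_output and the sample lines are all invented for illustration.

```perl
use strict;
use warnings;

# Hypothetical scanner "xyzscan": name and output format are invented here.
# Expected output, one record per line, single spaces only:
#   <path>: OK
#   <path>: INFECTED <Virus|Worm|Trojan|Joke> <name>
#   <archive>-><member>: INFECTED <category> <name>
#   Files scanned: <n>
# Oddity: a record may be preceded by a progress prefix "\r<spaces>\r".
# Oddity: a plain file whose name contains "->" is reported as its prefix.
# The scanner would be run in the "C" locale so its messages stay fixed.
delete @ENV{ grep { /^LC_/ } keys %ENV };
$ENV{LANG} = 'C';

sub parse_xyzscan_output {
    my ($basedir, @lines) = @_;
    my %report;
    for my $line (@lines) {
        chomp $line;
        $line =~ s/\A\r *\r//;    # strip the progress prefix and nothing else
        next if $line eq '';
        next if $line =~ /\AFiles scanned: [0-9]+\z/;
        # The only wildcard is the filename; boilerplate and spaces are literal.
        next if $line =~ /\A\Q$basedir\E\/.+: OK\z/;
        if ($line =~ /\A\Q$basedir\E\/(.+): INFECTED (Virus|Worm|Trojan|Joke) ([\w.\/-]+)\z/) {
            my ($file, $category, $name) = ($1, $2, $3);
            $file =~ s/->.*\z//;  # infection inside an archive: report the container
            push @{ $report{$file} }, "$category $name";
            next;
        }
        print STDERR "unparsed scanner output: [$line]\n";
        die "xyzscan output not understood\n";
    }
    return \%report;
}

# Constructed sample output, not captured from a real product.
my @sample = (
    "\r     \r/var/spool/in/1/notes.txt: OK\n",
    "/var/spool/in/1/report.doc : INFECTED Virus Example.Macro.A\n",
    "/var/spool/in/1/pack.zip->setup.exe: INFECTED Trojan Example.Dropper\n",
    "Files scanned: 3\n",
);
my $report = parse_xyzscan_output('/var/spool/in/1', @sample);
print "[$_] => @{ $report->{$_} }\n" for sort keys %$report;
# A doubled space after the colon is not in the documented format, so it dies.
my $ok = eval { parse_xyzscan_output('/var/spool/in/1', "/var/spool/in/1/a.exe:  OK\n"); 1 };
print "rejected: $@" unless $ok;
```

The brackets in the printed report make the trailing space in "report.doc " visible. A regex that used `\s*` before the colon would have silently attributed the infection to a different filename.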
