clamav support for mailscanner (patch)
Adrian Bridgett
adrian at SMOP.CO.UK
Mon Sep 23 23:12:35 IST 2002
Here's mark II, new and improved (i.e. it works and has actually been tested
now).
Tested only lightly, so not for submission yet, OTOH if anyone goes a
hunting for this then the mailing list is a good place to start so that's
why I'm posting it :-)
As proof, here's a sample log (with debug added which is gone from the patch
attached)
(lines not wrapped)
Sep 23 22:31:49 localhost mailscanner[22000]: clamav for 17tanp-0005iw-00 :: foo.zip = "contains ClamAV-Test-Signature in test1 (possibly others)"
Sep 23 22:31:49 localhost mailscanner[22000]: clamav for 17tanp-0005iw-00 :: test1 = "contains ClamAV-Test-Signature"
Sep 23 22:31:49 localhost mailscanner[22000]: clamav for 17tanp-0005iw-00 :: test2.zip = "contains ClamAV-Test-Signature in clamtest (possibly others)"
Sep 23 22:31:49 localhost mailscanner[22000]: Found 3 viruses in messages 17tanp-0005iw-00
And ... (the possibly others remark is because clamscan stops as soon as it
finds a virus).
The following e-mail messages were found to have viruses in them:
Sender: <adrian at smop.co.uk>
Recipient: adrian at localhost
Subject: v10
MessageID: 17tbNx-0005pQ-00
Report: test1 contains ClamAV-Test-Signature
Report: foo.zip contains ClamAV-Test-Signature in test1 (possibly others)
Report: test2.zip contains ClamAV-Test-Signature in clamtest (possibly others)
Adrian
Email: adrian at smop.co.uk
Windows NT - Unix in beta-testing. GPG/PGP keys available on public key servers
Debian GNU/Linux -*- By professionals for professionals -*- www.debian.org
-------------- next part --------------
diff -ru 3.22.orig/etc/mailscanner/mailscanner.conf 3.22/etc/mailscanner/mailscanner.conf
--- 3.22.orig/etc/mailscanner/mailscanner.conf 2002-09-11 23:51:48.000000000 +0100
+++ 3.22/etc/mailscanner/mailscanner.conf 2002-09-18 22:22:37.000000000 +0100
@@ -119,6 +119,7 @@
# panda from www.pandasoftware.com, or
# rav from www.ravantivirus.com, or
# antivir from www.antivir.de, or
+# clamav from clamav.elektrapro.com or
# none
#
# Note: If you want to use multiple virus scanners, then this should be a
diff -uN /tmp/apb/3.22-orig/etc/mailscanner/wrapper/clamavwrapper etc/mailscanner/wrapper/clamavwrapper
--- 3.22.orig/etc/mailscanner/wrapper/clamavwrapper 1970-01-01 01:00:00.000000000 +0100
+++ 3.22/etc/mailscanner/wrapper/clamavwrapper 2002-09-18 22:11:12.000000000 +0100
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+# clamavtwrapper -- invoke ClamAV for use with mailscanner
+#
+# nwp, 14/12/01
+#
+# MailScanner - SMTP E-Mail Virus Scanner
+# Copyright (C) 2001 Julian Field
+#
+# $Id: f-protwrapper,v 1.3 2002/01/10 10:09:55 jkf Exp $
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+# The author, Julian Field, can be contacted by email at
+# Jules at JulianField.net
+# or by paper mail at
+# Julian Field
+# Dept of Electronics & Computer Science
+# University of Southampton
+# Southampton
+# SO17 1BJ
+# United Kingdom
+#
+#
+
+
+# You may want to check this script for bash-isms
+
+PackageDir=/usr/local/f-prot # This may vary depending on your OS
+Scanner=f-prot
+
+ScanOptions=""
+ScanOptions="$ScanOptions --unzip" # unzip archives too
+
+exec /usr/bin/clamscan $ScanOptions "$@"
+
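Review bot: `PackageDir=/usr/local/f-prot` and `Scanner=f-prot` are left over from the f-prot wrapper and are never used, because the script runs the hard-coded `/usr/bin/clamscan`; editing the variables as the "This may vary depending on your OS" comment invites therefore has no effect on which binary scans the mail. Either drop them or use them, e.g. `PackageDir=/usr/bin`, `Scanner=clamscan` and `exec "$PackageDir/$Scanner" $ScanOptions "$@"`. The header comment also still reads `clamavtwrapper` and carries the f-protwrapper `$Id$` line, both of which should be corrected so the file identifies itself accurately.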
diff -ru 3.22.orig/usr/share/mailscanner/sweep.pl 3.22/usr/share/mailscanner/sweep.pl
--- 3.22-orig/usr/share/mailscanner/sweep.pl 2002-09-10 09:01:02.000000000 +0100
+++ 3.22/usr/share/mailscanner/sweep.pl 2002-09-23 22:54:05.000000000 +0100
@@ -173,6 +173,16 @@
SupportScanning => $S_UNSUPPORTED,
SupportDisinfect => $S_UNSUPPORTED,
},
+ "clamav" => {
+ Lock => 'ClamAV.lock',
+ CommonOptions => '-r --disable-summary --stdout',
+ DisinfectOptions => '',
+ ScanOptions => '',
+ InitParser => \&InitClamAVParser,
+ ProcessOutput => \&ProcessClamAVOutput,
+ SupportScanning => $S_BETA,
+ SupportDisinfect => $S_NONE,
+ },
"none" => {
Lock => 'NoneBusy.lock',
CommonOptions => '',
@@ -507,6 +517,13 @@
;
}
+# Initialise any state variables the ClamAV output parser uses
+my ($clamav_archive);
+sub InitClamAVParser {
+ $clamav_archive = "";
+}
+
+
# These functions must be called with, in order:
# * The line of output from the scanner
# * A reference to the hash containing problem details
@@ -1022,6 +1039,66 @@
return 0;
}
+# Process ClamAV (v0.22) output
+sub ProcessClamAVOutput {
+ my($line, $infections, $types, $BaseDir) = @_;
+
+ if ($line =~ /^ERROR:/ or $line =~ /^execv\(p\):/)
+ {
+ chomp $line;
+ Log::WarnLog($line);
+ return 0;
+ }
+
+ # clamscan currently stops as soon as one virus is found
+ # therefore there is little point saying which part
+ # it's still a start mind!
+
+ # Only tested with --unzip since only windows boxes get viruses ;-)
+
+ if (/^Archive: (.*)$/)
+ {
+ $clamav_archive = $1;
+ return 0;
+ }
+ return 0 if /^ /; # " inflating", " deflating.." from --unzip
+ if ($clamav_archive && /^$clamav_archive:/)
+ {
+ $clamav_archive = "";
+ return 0;
+ }
+
+ return 0 if /OK$/;
+
+ if (/^(.*?): (.*) FOUND$/)
+ {
+ my ($file, $subfile, $virus, $report);
+ $virus = $2;
+ if ($clamav_archive)
+ {
+ $file = $clamav_archive;
+ ($subfile = $1) =~ s/^.*\///; # get basename of file
+ $report = "in $subfile (possibly others)";
+ }
+ else
+ {
+ $file = $1;
+ }
+
+ $file =~ s/^(.\/)?$BaseDir\/?//;
+ $file =~ s/^\.\///;
+ my ($id,$part) = split /\//, $file, 2;
+
+ $infections->{"$id"}{"$part"} .= "$part contains $virus $report\n";
+ $types->{"$id"}{"$part"} .= "v";
+ return 1;
+ }
+
+ chomp $line;
+ Log::WarnLog("ProcessClamAVOutput: unrecognised line \"$line\"\n");
+ return 0;
+}
+
sub CallOwnChecking {
my($BaseDir, $mime, $infections, $inftypes) = @_;
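Review bot: The archive name captured from clamscan output is interpolated unescaped into `/^$clamav_archive:/`, and since it derives from an attachment filename chosen by the sender, regex metacharacters in the name can make the match silently fail or the pattern fail to compile at run time; `$BaseDir` in the path-stripping substitution has the same problem, and its `(.\/)` leaves the dot unescaped. Every test after the ERROR check matches against `$_` rather than the unpacked `$line`, which only works if the caller happens to leave the current line in `$_` (the caller is not visible here). `$report` is also left undefined for a non-archive hit and is then interpolated into the infection text. Quoting with `\Q…\E`, matching on `$line` and initialising `$report` addresses all three, as in the excerpt below. ProcessClamAVOutput is complete within this hunk; CallOwnChecking at its end continues outside it.

```perl
sub ProcessClamAVOutput {
  my($line, $infections, $types, $BaseDir) = @_;
  # … unchanged: ERROR: / execv(p): handling …
  if ($line =~ /^Archive: (.*)$/)
  # … unchanged: remember archive name, return 0 …
  return 0 if $line =~ /^ /; # " inflating", " deflating.." from --unzip
  if ($clamav_archive && $line =~ /^\Q$clamav_archive\E:/)
  # … unchanged: clear archive state, return 0 …
  return 0 if $line =~ /OK$/;

  if ($line =~ /^(.*?): (.*) FOUND$/)
  {
    my ($file, $subfile, $virus);
    my $report = "";   # stays empty for a hit outside an archive
    # … unchanged: $virus, $file, $subfile and $report assignment …
    $file =~ s/^(\.\/)?\Q$BaseDir\E\/?//;
    # … unchanged: strip "./", split into id/part, record infection, return 1 …
```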