nod32 experience

Dalimil Gala konve at LOGOUT.CZ
Thu Nov 20 16:18:18 GMT 2003


Hello,
have you already fixed the NOD32 1.990 issue? It is working for me with
MailScanner 4.23-11. I just had to remove the --log-brief option from
/opt/MailScanner/lib/MailScanner/SweepViruses.pm
because the output from NOD32 was insufficient for MailScanner's parser.

Several examples follow.

The version of NOD32 first:
---------------------------
linda:/usr/local/nod32# ./nod32 -h
NOD32 for Linux, Version 1.990, (C) 2001-2002 ESET Software

Usage: nod32 [OPTION]... [FILE]...
Scan files for viruses

      --no-pattern       don't use virus signatures while scanning
      --no-heur          don't use heuristics while scanning
      --heursens SENS    set heuristic sensitivity to SENS. can be
                         'low', 'standard', 'deep'

  -z, --arch             enable scanning of archives
      --mail             enable scanning of email messages
      --no-subdir        don't descend to subdirectories

  -a, --all              scan files with any extension
      --ext-add EXT      add listed extensions to the extension list
                         (e.g. --ext-add aaa:bbb:ccc)
      --ext-remove EXT   remove listed extensions from the extension list
                         (e.g. --ext-remove exe:doc:xls)

  -l, --log              create log file (nod32.log by default)
  -f, --log-file FILE    log will be written to FILE
  -w, --log-rewrite      rewrite log file
  -b, --log-brief        only log important info (scanner results)
  -o, --display_ok       list clean files in the log too

  -c, --action ACT       perform action ACT on infected files. can be
                         'none', 'prompt', 'clean', 'delete', 'rename'
  -u, --action-uncl ACT  perform action ACT on uncleanable files. can be
                         'none', 'prompt', 'clean', 'delete', 'rename'

Return values:
    0  everything ok, no viruses found
    1  at least one virus was found
    2  all viruses were cleaned
   10  error occured, no scanning was performed


mail.log where NOD caught the Sobig worm.
----------------------------------------
Nov 20 16:53:37 linda MailScanner[9502]: New Batch: Scanning 1 messages, 102950 bytes
Nov 20 16:53:38 linda MailScanner[9502]: Spam Checks: Starting
Nov 20 16:53:57 linda MailScanner[9502]: Virus and Content Scanning: Starting
Nov 20 16:54:04 linda MailScanner[9502]: ./hAKFrTmC009504/application.dat - Win32/Sobig.F worm
Nov 20 16:54:04 linda MailScanner[9502]: Virus Scanning: Nod32 found 1 infections
Nov 20 16:54:04 linda MailScanner[9502]: Virus Scanning: Found 1 viruses
Nov 20 16:54:05 linda MailScanner[9502]: Saved entire message to /var/spool/MailScanner/quarantine/20031120/hAKFrTmC009504
Nov 20 16:54:07 linda MailScanner[9502]: Saved infected "application.dat" to /var/spool/MailScanner/quarantine/20031120/hAKFrTmC009504




Output of NOD32 where it is run manually on application.dat
-----------------------------------------------------------
linda:/usr/local/nod32/virus# ../nod32 --arch --all application.dat
NOD32 for Linux, Version 1.990, (C) 2001-2002 ESET Software
Signatures version 1.558 (20031118) from 18-11-2003

Command line: --arch --all
Scanning started on 10-20-2003, 17:08:52

application.dat - Win32/Sobig.F worm

Scanning finished at 17:08:52, total time: 0 sec (0:00:00)
Total files:    1
Infected files: 1
Cleaned files:  0
Active files:   0




I also put a "print" debug line into SweepViruses.pm to see the output:
  MailScanner::Log::WarnLog($logout) if $line =~ /error/i;
  print TMP $line,"\n";
  if (!$NOD32Version && $NOD32InHeading && /^NOD32.*Version.*([\d.]+)/) {


First with the -o option
---------------------------------------

NOD32 for Linux, Version 1.990, (C) 2001-2002 ESET Software
Signatures version 1.558 (20031118) from 18-11-2003

Command line: -o --all --arch --all
Scanning started on 10-20-2003, 16:54:04

./hAKFrTmC009504.header - is OK
./hAKFrTmC009504/msg-9502-1.txt - is OK
./hAKFrTmC009504/application.dat - Win32/Sobig.F worm

Scanning finished at 16:54:04, total time: 0 sec (0:00:00)
Total files:    3
Infected files: 1
Cleaned files:  0
Active files:   0


And without the -o option:
--------------------------

NOD32 for Linux, Version 1.990, (C) 2001-2002 ESET Software
Signatures version 1.558 (20031118) from 18-11-2003

Command line: --arch --all
Scanning started on 10-20-2003, 17:05:27

./hAKG4pmC009566/application.dat - Win32/Sobig.F worm

Scanning finished at 17:05:27, total time: 0 sec (0:00:00)
Total files:    3
Infected files: 1
Cleaned files:  0
Active files:   0

===========================

That's all. Hope it might help you somehow.

Dalimil Gala
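As an added illustration (not part of this mail and not MailScanner's own code), the following Python parser reads the verbose NOD32 output quoted above. It assumes only the line shapes visible in the two runs (heading, "Signatures version", "path - verdict", and the "... files:" summary), and treats a missing heading or summary block as the kind of insufficient output the parser cannot work with.

```python
import re

# Constructed sample: the "-o" run quoted in the mail above.
SAMPLE = """NOD32 for Linux, Version 1.990, (C) 2001-2002 ESET Software
Signatures version 1.558 (20031118) from 18-11-2003

Command line: -o --all --arch --all
Scanning started on 10-20-2003, 16:54:04

./hAKFrTmC009504.header - is OK
./hAKFrTmC009504/msg-9502-1.txt - is OK
./hAKFrTmC009504/application.dat - Win32/Sobig.F worm

Scanning finished at 16:54:04, total time: 0 sec (0:00:00)
Total files:    3
Infected files: 1
Cleaned files:  0
Active files:   0
"""

# "Version\s+" directly before the capture: a greedy ".*" in front of the
# capture, as in the quoted SweepViruses.pm pattern, would capture only a
# single trailing digit from this heading line.
HEADING_RE = re.compile(r"^NOD32 .*Version\s+([\d.]+)")
SIGNATURES_RE = re.compile(r"^Signatures version\s+([\d.]+)")
RESULT_RE = re.compile(r"^(?P<path>\S.*?) - (?P<verdict>.+)$")
SUMMARY_RE = re.compile(r"^(Total|Infected|Cleaned|Active) files:\s+(\d+)$")


def parse_nod32_output(text):
    """Return scanner/signature versions, per-file verdicts and a consistency flag."""
    report = {"version": None, "signatures": None, "infected": {}, "clean": []}
    summary = {}
    for line in text.splitlines():
        line = line.rstrip()
        if (m := HEADING_RE.match(line)) and report["version"] is None:
            report["version"] = m.group(1)
        elif m := SIGNATURES_RE.match(line):
            report["signatures"] = m.group(1)
        elif m := SUMMARY_RE.match(line):
            summary[m.group(1).lower()] = int(m.group(2))
        elif m := RESULT_RE.match(line):
            if m.group("verdict") == "is OK":      # "is OK" lines only appear with -o
                report["clean"].append(m.group("path"))
            else:
                report["infected"][m.group("path")] = m.group("verdict")
    # Without the heading and the summary block a clean run cannot be told
    # apart from truncated output, so refuse to report anything.
    if report["version"] is None or "infected" not in summary:
        raise ValueError("NOD32 output lacks heading or summary block")
    report["consistent"] = len(report["infected"]) == summary["infected"]
    report["total_files"] = summary["total"]
    return report
```

The "consistent" flag cross-checks the per-file verdict lines against the "Infected files:" count, which catches a run whose result lines were lost while the summary survived.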


