f-secure 4.52
Wanderson Berbert
wberbert at SERMAP.COM.BR
Tue Feb 10 17:59:55 GMT 2004
I found in /usr/share/mailscanner/sweep.pl, something interesting
sub ProcessFSecureOutput {
  my($line, $infections, $types, $BaseDir) = @_;
  #my($line) = @_;
  my($report, $infected, $dot, $id, $part, @rest);

  chomp $line;

  # Lose cruft
  return 0 if $fsecure_InCruft > 0;
  if ($line eq "") {
    $fsecure_InCruft += 1;
    return 0;
  }
  $fsecure_InCruft == 0 or return 0;

  # Prefer s/// to m// as less likely to do unpredictable things.
  # We hope.
  if ($line =~ /\tinfection:\s/) {
    $report = $line;
    # Get to relevant filename in a reasonably but not
    # totally robust manner (*impossible* to be totally robust
    # if we have square brackets and spaces in filenames)
    # Strip archive bits if present
    $line =~ s/^\[(.*?)\] .+(\tinfection:.*)/$1$2/;
    # Get to the meat or die trying...
    $line =~ s/\tinfection:[^:]*$//
      or Log::DieLog("Dodgy things going on in F-Secure output:\n$report\n");
    ($dot,$id,$part,@rest) = split(/\//, $line);
    $infections->{"$id"}{"$part"} .= $report . "\n";
    $types->{"$id"}{"$part"} .= "v"; # so we know what to tell sender
    return 1;
  }
  Log::DieLog("Either you've found a bug in MailScanner's F-Secure\noutput parser, or F-Secure's output format has changed!\nPlease mail the author of MailScanner!\n");
}
When I invoke /etc/mailscanner/wrapper/f-securewrapper /var/spool/mailscanner/incoming/
the output is:
F-Secure Anti-Virus for Linux version 4.52 build 2461
Copyright (c) 1999-2003 F-Secure Corporation. All Rights Reserved.
EVALUATION VERSION - FULLY FUNCTIONAL - FREE TO USE FOR 30 DAYS.
To purchase license, please check http://www.F-Secure.com/purchase/
Database version: 2004-02-09_04^M
Scan started at Tue Feb 10 15:58:10 2004
/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: W32/Mydoom.A@mm [Orion]
/var/spool/mailscanner/incoming/1Aqc4E-0002LO-00/doc.scr: Infected: I-Worm.Mydoom.a [AVP]
[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: W32/Mydoom.A@mm [Orion]
[/var/spool/mailscanner/incoming/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: I-Worm.Mydoom.a [AVP]
[/var/spool/mailscanner/incoming/1Aqc79-00075p-00/body.zip] body.htm .exe: Infected: W32/Mydoom.A@mm [Orion]
[/var/spool/mailscanner/incoming/1Aqc79-00075p-00/body.zip] body.htm .exe: Infected: I-Worm.Mydoom.a [AVP]
/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: W32/Mydoom.A@mm [Orion]
/var/spool/mailscanner/incoming/1Aqc87-0007bI-00/message.pif: Infected: I-Worm.Mydoom.a [AVP]
Scan ended at Tue Feb 10 15:58:13 2004
18 files scanned
4 files infected
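
Added example, not part of the original post and not MailScanner's own code: the /\tinfection:\s/ test in ProcessFSecureOutput does not match the "path: Infected: name [engine]" lines shown above, so this sketch runs that old pattern next to a parser for the 4.52 layout. The helper name parse_452_line and the sample lines (copied from the output above, with one space assumed inside the ".htm .exe" names) are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: scanner lines from the post above, wrapped lines rejoined.
my $base = '/var/spool/mailscanner/incoming';
my @lines = (
    "Scan started at Tue Feb 10 15:58:10 2004",
    "$base/1Aqc4E-0002LO-00/doc.scr: Infected: W32/Mydoom.A\@mm [Orion]",
    "[$base/1Aqc4w-00044D-00/document.zip] document.htm .exe: Infected: I-Worm.Mydoom.a [AVP]",
    "$base/1Aqc87-0007bI-00/message.pif: Infected: W32/Mydoom.A\@mm [Orion]",
    "18 files scanned",
);

# Hypothetical helper: returns (id, part, virus, engine) or an empty list.
sub parse_452_line {
    my ($line, $basedir) = @_;
    $line =~ s/\r?\n?$//;    # the output may carry CRs (see the ^M in the banner)
    return unless $line =~ /: Infected: /;
    # Archive members look like "[archive] member: Infected: ..."; keep the archive path.
    $line =~ s/^\[(.*?)\] .+?(: Infected: .*)$/$1$2/;
    my ($path, $virus, $engine) =
        $line =~ /^(.+?): Infected: (.+?)(?: \[([^\]]+)\])?$/ or return;
    # Accept only paths under the scan directory, then split into message id and part.
    my ($id, $part) = $path =~ m{^\Q$basedir\E/([^/]+)/([^/]+)$} or return;
    return ($id, $part, $virus, $engine // '');
}

my (%infections, $old_hits);
for my $line (@lines) {
    $old_hits++ if $line =~ /\tinfection:\s/;    # pattern from ProcessFSecureOutput
    my ($id, $part, $virus, $engine) = parse_452_line($line, $base) or next;
    $infections{$id}{$part} .= "$virus [$engine]\n";
}

printf "old pattern matched %d of %d lines\n", $old_hits // 0, scalar @lines;
for my $id (sort keys %infections) {
    print "$id/$_: $infections{$id}{$_}" for sort keys %{ $infections{$id} };
}
```

Lines that are not infection reports are skipped here, where ProcessFSecureOutput falls through to Log::DieLog on any non-cruft line that fails its pattern.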