clamav and RAR..(update and feature request)

Rick Cooper rcooper at DWFORD.COM
Mon Mar 7 11:21:51 GMT 2005



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Julian Field
> Sent: Monday, March 07, 2005 4:48 AM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: clamav and RAR..(update and feature request)
>
>
> Yes, it is quite possible for me to extract the path of the unrar
> program if it is set. But it will take several commands to do it each
> time in the clamav-wrapper. Which is going to be slow. The last thing I
> want to do is make the clamav-wrapper self-modifying :-)
>
> I could set the unrar command path by default in the MailScanner.conf.
> Then MailScanner would spit out warnings about not being able to find it
> and they would then have to either install it separately or disable the
> setting in MailScanner.conf.
>
> But I don't like the idea of a setup that warns about things by default.
> It is very untidy. I don't *think* I do this now.

How about something like:

#
# Virus scanner definitions table
#
my $ClamOptions = '-r --disable-summary --stdout';
$ClamOptions = '-r --unrar='.MailScanner::Config::Value('unrarcommand').
               ' --disable-summary --stdout'
  if MailScanner::Config::Value('unrarcommand') &&
     (-e MailScanner::Config::Value('unrarcommand'));

then

  "clamav"  => {
    Name                => 'ClamAV',
    Lock                => 'ClamAVBusy.lock',
    CommonOptions       => $ClamOptions,
    DisinfectOptions    => '',
    ScanOptions         => '',
    InitParser          => \&InitClamAVParser,
    ProcessOutput       => \&ProcessClamAVOutput,
    SupportScanning     => $S_SUPPORTED,
    SupportDisinfect    => $S_NONE,
  },

Would this not get the external rar into the clamav wrapper, only if they
have declared the path to unrar and the file actually exists?

Rick

>
> Martin Hepworth wrote:
>
> > Julian,
> >
> > Is there any way of running the ClamAV command-line with the --unrar
> > option set correctly if the new UNRAR option is set in MailScanner.conf?
> >
> >
> >
> > An update for all those running Clam and following the RAR thread.
> >
> > I caught two RAR viruses over the w/end, Sophos also picked them up. But
> > I am running clam with the wrapper modified to include the rar support
> > for the command line scanner...which may or may not have made a
> > difference.
> >
> > edit /opt/MailScanner/lib/clamav-wrapper and make sure the following is
> > set..
> >
> > ScanOptions="--unrar=/usr/local/bin/unrar"
> >
> > Obviously you'll need to adjust paths where needed
> >
> > Here's what I caught..
> >
> > Report: ClamAV: 075466.rar contains Worm.Bagle.BA-RAR
> >         SophosSAVI: 075466.rar was infected by Troj/BagleDl-M
> >
> >
> > So make sure your AV packages can handle RAR types. My ClamAV is 0.83
> > and my Sophos is 3.91.0.
> >
> > Right off to try the 4.40.2 Julian put out over the w/end...
> >
> > --
> > Martin Hepworth
> > Snr Systems Administrator
> > Solid State Logic
> > Tel: +44 (0)1865 842300
> >
> >
> > ------------------------ MailScanner list ------------------------
> > To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> > 'leave mailscanner' in the body of the email.
> > Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
> > the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
> >
> > Support MailScanner development - buy the book off the website!
> >
>
> --
> Julian Field
> www.MailScanner.info
> MailScanner thanks transtec Computers for their support
> Buy the MailScanner book at www.MailScanner.info/store
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
>
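
The conditional option string proposed in this message, sketched for the clamav-wrapper side as an added shell example (not code from MailScanner or from anyone in the thread). build_clam_options is a hypothetical helper: it adds --unrar= only when the configured path is absolute, holds no characters that could split the command line, and names an executable regular file. The option strings are the ones quoted in the thread.

```shell
# Added example: build the clamscan option string, with --unrar only for a
# usable path. build_clam_options is a hypothetical helper name; $1 is the
# configured unrar path (empty when the setting is not set).
build_clam_options() {
    unrar_path=$1
    base='-r --disable-summary --stdout'

    # Nothing configured: scan without external RAR support, and no warning.
    if [ -z "$unrar_path" ]; then
        printf '%s\n' "$base"
        return 0
    fi

    # The value is pasted into a command line, so accept only an absolute
    # path (no PATH lookup) ...
    case $unrar_path in
        /*) ;;
        *) printf '%s\n' "$base"; return 0 ;;
    esac
    # ... built from characters that cannot split words or reach the shell.
    case $unrar_path in
        *[!A-Za-z0-9/._-]*) printf '%s\n' "$base"; return 0 ;;
    esac

    # An existence test alone also accepts a directory or a file that
    # cannot be executed, so require an executable regular file.
    if [ -f "$unrar_path" ] && [ -x "$unrar_path" ]; then
        printf '%s\n' "-r --unrar=$unrar_path --disable-summary --stdout"
    else
        printf '%s\n' "$base"
    fi
}
```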

