clamav and RAR..(update and feature request)

Julian Field MailScanner at ecs.soton.ac.uk
Mon Mar 7 11:48:19 GMT 2005


Rick Cooper wrote:

>>-----Original Message-----
>>From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>Behalf Of Julian Field
>>Sent: Monday, March 07, 2005 4:48 AM
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: clamav and RAR..(update and feature request)
>>
>>
>>Yes, it is quite possible for me to extract the path of the unrar
>>program if it is set. But it will take several commands to do it each
>>time in the clamav-wrapper. Which is going to be slow. The last thing I
>>want to do is make the clamav-wrapper self-modifying :-)
>>
>>I could set the unrar command path by default in the MailScanner.conf.
>>Then MailScanner would spit out warnings about not being able to find it
>>and they would then have to either install it separately or disable the
>>setting in MailScanner.conf.
>>
>>But I don't like the idea of a setup that warns about things by default.
>>It is very untidy. I don't *think* I do this now.
>>
>>
>
>How about something like:
>
>#
># Virus scanner definitions table
>#
>my $ClamOptions = '-r --disable-summary --stdout';
>$ClamOptions = '-r --unrar=' . MailScanner::Config::Value('unrarcommand')
>             . ' --disable-summary --stdout'
>  if MailScanner::Config::Value('unrarcommand')
>     && (-e MailScanner::Config::Value('unrarcommand'));
>
>then
>
>  "clamav"  => {
>    Name                => 'ClamAV',
>    Lock                => 'ClamAVBusy.lock',
>    CommonOptions       => $ClamOptions,
>    DisinfectOptions    => '',
>    ScanOptions         => '',
>    InitParser          => \&InitClamAVParser,
>    ProcessOutput       => \&ProcessClamAVOutput,
>    SupportScanning     => $S_SUPPORTED,
>    SupportDisinfect    => $S_NONE,
>  },
>
>Would this not get the external rar into the clamav wrapper, only if they
>have declared the path to unrar and the file actually exists?
>
>
Unfortunately the hash is set up at "use" time, before any code is
executed. So I can't call Config::Value in there.
I will need to insert it at run-time. Should be fairly easy to do.

>Rick
>
>
>
>>Martin Hepworth wrote:
>>
>>
>>
>>>Julian,
>>>
>>>Is there any way of running the ClamAV command-line with the --unrar
>>>option set correctly if the new UNRAR option is set in MailScanner.conf?
>>>
>>>
>>>
>>>An update for all those running Clam and following the RAR thread.
>>>
>>>I caught two RAR viruses over the w/end, Sophos also picked them up. But
>>>I am running clam with the wrapper modified to include the rar support
>>>for the command line scanner...which may or may not have made a
>>>difference.
>>>
>>>edit /opt/MailScanner/lib/clamav-wrapper and make sure the following is
>>>set..
>>>
>>>ScanOptions="--unrar=/usr/local/bin/unrar"
>>>
>>>Obviously you'll need to adjust paths where needed
>>>
>>>Here's what I caught..
>>>
>>>Report: ClamAV: 075466.rar contains Worm.Bagle.BA-RAR
>>>        SophosSAVI: 075466.rar was infected by Troj/BagleDl-M
>>>
>>>
>>>So make sure your AV packages can handle RAR types. My ClamAV is 0.83
>>>and my Sophos is 3.91.0.
>>>
>>>Right off to try the 4.40.2 Julian put out over the w/end...
>>>
>>>--
>>>Martin Hepworth
>>>Snr Systems Administrator
>>>Solid State Logic
>>>Tel: +44 (0)1865 842300
>>>
>>>
>>>------------------------ MailScanner list ------------------------
>>>To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>'leave mailscanner' in the body of the email.
>>>Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>
>>>Support MailScanner development - buy the book off the website!
>>>
>>>
>>>
>>--
>>Julian Field
>>www.MailScanner.info
>>MailScanner thanks transtec Computers for their support
>>Buy the MailScanner book at www.MailScanner.info/store
>>
>>PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>
>>--
>>This message has been scanned for viruses and
>>dangerous content by MailScanner, and is
>>believed to be clean.

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
Buy the MailScanner book at www.MailScanner.info/store

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
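
The run-time insertion described in the reply above, as an added example that is not part of the original message and is not MailScanner's own code: the scanner table is built with static options at load time, and `--unrar` is added afterwards only when the configured value is a plain absolute path to an existing executable. `%conf`, `config_value`, `add_unrar_option` and the use of `/bin/sh` as a stand-in binary are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for MailScanner::Config::Value(); the point is
# that configuration values are only available once the program runs.
my %conf;    # constructed sample configuration
sub config_value { return $conf{ $_[0] } }

my $BASE_OPTIONS = '-r --disable-summary --stdout';

# Static table, filled in when the file is loaded, so it can only hold
# options that do not depend on the configuration file.
my %Scanners = (
    clamav => {
        Name          => 'ClamAV',
        CommonOptions => $BASE_OPTIONS,
        ScanOptions   => '',
    },
);

# Run-time step: append --unrar only when a usable path is configured.
# Returns 1 if the option was added, 0 otherwise, and never warns, so an
# unset or wrong path leaves the default command line untouched.
sub add_unrar_option {
    my ($scanners) = @_;
    my $unrar = config_value('unrarcommand');
    return 0 unless defined $unrar && length $unrar;

    # The value ends up inside a command line, so accept only an
    # absolute path without whitespace or shell metacharacters.
    return 0 unless $unrar =~ m{\A/[A-Za-z0-9._/+-]+\z};
    return 0 unless -f $unrar && -x _;    # regular file and executable

    my $entry = $scanners->{clamav};
    return 0 if $entry->{CommonOptions} =~ /--unrar=/;    # already added
    $entry->{CommonOptions} .= " --unrar=$unrar";
    return 1;
}

# Constructed inputs: unset, missing file, injection attempt, valid path.
for my $path ('', '/nonexistent/unrar', '/bin/sh;id', '/bin/sh') {
    %conf = (unrarcommand => $path);
    $Scanners{clamav}{CommonOptions} = $BASE_OPTIONS;    # reset per case
    my $added = add_unrar_option(\%Scanners);
    printf "%-22s added=%d  options: %s\n", "'$path'", $added,
        $Scanners{clamav}{CommonOptions};
}
```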
