clamav and RAR..(update and feature request)

Julian Field MailScanner at ecs.soton.ac.uk
Mon Mar 7 11:58:18 GMT 2005



Done.

If the unrar command exists and the "unrar command" option is set to
point to it correctly, it will automatically be used by the "clamav"
scanner.

Julian Field wrote:

> Rick Cooper wrote:
>
>>> -----Original Message-----
>>> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
>>> Behalf Of Julian Field
>>> Sent: Monday, March 07, 2005 4:48 AM
>>> To: MAILSCANNER at JISCMAIL.AC.UK
>>> Subject: Re: clamav and RAR..(update and feature request)
>>>
>>>
>>> Yes, it is quite possible for me to extract the path of the unrar
>>> program if it is set. But it will take several commands to do it each
>>> time in the clamav-wrapper. Which is going to be slow. The last thing I
>>> want to do is make the clamav-wrapper self-modifying :-)
>>>
>>> I could set the unrar command path by default in the MailScanner.conf.
>>> Then MailScanner would spit out warnings about not being able to find it
>>> and they would then have to either install it separately or disable the
>>> setting in MailScanner.conf.
>>>
>>> But I don't like the idea of a setup that warns about things by default.
>>> It is very untidy. I don't *think* I do this now.
>>>
>>>
>>
>> How about something like:
>>
>> #
>> # Virus scanner definitions table
>> #
>> my $ClamOptions = '-r --disable-summary --stdout';
>> $ClamOptions =
>>   '-r --unrar=' . MailScanner::Config::Value('unrarcommand') .
>>   ' --disable-summary --stdout'
>>   if MailScanner::Config::Value('unrarcommand') &&
>>      (-e MailScanner::Config::Value('unrarcommand'));
>>
>> then
>>
>>  "clamav"  => {
>>    Name                => 'ClamAV',
>>    Lock                => 'ClamAVBusy.lock',
>>    CommonOptions       => $ClamOptions,
>>    DisinfectOptions    => '',
>>    ScanOptions         => '',
>>    InitParser          => \&InitClamAVParser,
>>    ProcessOutput       => \&ProcessClamAVOutput,
>>    SupportScanning     => $S_SUPPORTED,
>>    SupportDisinfect    => $S_NONE,
>>  },
>>
>> Would this not get the external rar into the clamav wrapper, only if they
>> have declared the path to unrar and the file actually exists?
>>
>>
> Unfortunately the hash is set up at "use" time, before any code is
> executed. So I can't call Config::Value in there.
> I will need to insert it at run-time. Should be fairly easy to do.
>
>> Rick
>>
>>
>>
>>> Martin Hepworth wrote:
>>>
>>>
>>>
>>>> Julian,
>>>>
>>>> Is there any way of running the ClamAV command-line with the --unrar
>>>> option set correctly if the new UNRAR option is set in
>>>> MailScanner.conf?
>>>>
>>>>
>>>>
>>>> An update for all those running Clam and following the RAR thread.
>>>>
>>>> I caught two RAR viruses over the w/end, Sophos also picked them up. But
>>>> I am running clam with the wrapper modified to include the rar support
>>>> for the command line scanner...which may or may not have made a
>>>> difference.
>>>>
>>>> edit /opt/MailScanner/lib/clamav-wrapper and make sure the following is
>>>> set..
>>>>
>>>> ScanOptions="--unrar=/usr/local/bin/unrar"
>>>>
>>>> Obviously you'll need to adjust paths where needed
>>>>
>>>> Here's what I caught..
>>>>
>>>> Report: ClamAV: 075466.rar contains Worm.Bagle.BA-RAR
>>>>        SophosSAVI: 075466.rar was infected by Troj/BagleDl-M
>>>>
>>>>
>>>> So make sure your AV packages can handle RAR types. My ClamAV is 0.83
>>>> and my Sophos is 3.91.0.
>>>>
>>>> Right off to try the 4.40.2 Julian put out over the w/end...
>>>>
>>>> --
>>>> Martin Hepworth
>>>> Snr Systems Administrator
>>>> Solid State Logic
>>>> Tel: +44 (0)1865 842300
>>>>
>>>> ------------------------ MailScanner list ------------------------
>>>> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
>>>> 'leave mailscanner' in the body of the email.
>>>> Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
>>>> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>>>>
>>>> Support MailScanner development - buy the book off the website!
>>>>
>>>>
>>>>
>>> --
>>> Julian Field
>>> www.MailScanner.info
>>> MailScanner thanks transtec Computers for their support
>>> Buy the MailScanner book at www.MailScanner.info/store
>>>
>>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>>>
>>> --
>>> This message has been scanned for viruses and
>>> dangerous content by MailScanner, and is
>>> believed to be clean.
>

--
Julian Field
www.MailScanner.info
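
The run-time approach discussed in this thread, as an added example that is not MailScanner's own code: the scanner table is built with fixed options, and the --unrar option is appended later, once the configuration can be read and the path has been checked. The names %Scanners, %Config, usable_unrar and add_unrar_option are hypothetical stand-ins; the path check is there because the option ends up inside a command string.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Scanner table as it exists once the module has loaded: built before any
# configuration has been read, so it can only hold the fixed options.
my %Scanners = (
    clamav => {
        Name          => 'ClamAV',
        CommonOptions => '-r --disable-summary --stdout',
        ScanOptions   => '',
    },
);

# Hypothetical stand-in for the parsed configuration file (constructed value).
my %Config = (unrarcommand => '/usr/local/bin/unrar');

# Return the configured path only if it is safe to splice into a command
# line: absolute, free of shell metacharacters, a regular executable file.
sub usable_unrar {
    my ($path) = @_;
    return undef unless defined $path && length $path;
    return undef unless File::Spec->file_name_is_absolute($path);
    return undef unless $path =~ m{\A[\w./+-]+\z};
    return undef unless -f $path && -x _;
    return $path;
}

# Called once at run time, after the configuration is available.
# Returns 1 if --unrar was added, 0 if the options were left unchanged.
sub add_unrar_option {
    my ($scanners, $config) = @_;
    my $unrar = usable_unrar($config->{unrarcommand}) or return 0;
    my $clam = $scanners->{clamav};
    return 0 if $clam->{ScanOptions} =~ /--unrar=/;    # already added
    $clam->{ScanOptions} = join ' ', grep { length }
        $clam->{ScanOptions}, "--unrar=$unrar";
    return 1;
}

if (add_unrar_option(\%Scanners, \%Config)) {
    print "clamav options: $Scanners{clamav}{CommonOptions} ",
          "$Scanners{clamav}{ScanOptions}\n";
} else {
    print "unrar not configured or not usable; clamav options unchanged\n";
}
```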