Panda not working

Rick Cooper rcooper at DWFORD.COM
Mon May 9 20:12:16 IST 2005



> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> Behalf Of Steen, Glenn
> Sent: Monday, May 09, 2005 1:01 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: SV: Panda not working
>
>
> Yes, well.... There is where you (unfortunately) may start to stumble...
> See, the original wrapper does a pretty decent job of sanitizing
> the output, but... It assumes that the output is as seen on an
> xterm/vt-whatever when executing "inside MS". This isn't the case.
> So then the original author "falls back" on invoking pavcl
> once/file... and still it'll mess up from time to time. Set your
> TERM to "dumb" (or unset it), then call it as is done in MS on a
> directory that may contain several subdirectories (both clean and
> unclean files) and you'll likely see the same mess I found... Of
> course, I'd be rather happy if it did work for you, since that
> would point at some peculiarity in my system, but.... I won't
> hold my breath:-).

This may be true; I haven't tested that. But I haven't experienced an issue with
it either, though then again I have only been testing for a couple of hours. If that
is a problem I would think changing

        my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";
to

        my $comando = "$pavcl '$archivo' @ARGV -CMP > /tmp/FileNameBasedOnPid 2>&1 ";

and parsing the /tmp file rather than the pipe itself should solve that. It
wouldn't allow the terminal to alter the output.

As far as multiple, nested directories go: Julian may have to correct me, but
there shouldn't be any nested directories. All the files should be extracted
into a single directory, with the SafeName function handling duplicates as
well as possibly dangerous file names, so the -cmp switch shouldn't really be
used at all (unless I am mistaken). IIRC the unpacking is done in this
manner to remove the chance of archived directory structures spilling out
where they don't belong.

>
> I'll be glad to share my "improved" wrapper scripts if you'd like
> to have a go with them, but... I'd recommend against wasting too
> much (more) time on it. Drop a line and I'll forward them
> tomorrow (horrible hacks that they are:-).
>
> Best would be for them to produce sane output.

Using ANSI for output is ignorant at best... like trying to step back to the
DOS days and having a cool/pretty display. But I ran the standard wrapper
and found it didn't recognize viruses because of a rather simple thing to
fix. It would appear that Panda swapped the words around in their "Virus
found" string and removed the space between the ":" and the virus name string.

The patch below (for panda-wrapper) appears to take care of the problem of
not finding the virus, as it will trigger on either version of the found
string and name string (assuming a need for backward compatibility).

--- panda-wrapper       Mon May  9 13:53:18 2005
+++ panda-wrapper.new   Mon May  9 13:53:38 2005
@@ -76,9 +76,9 @@

 sub busca_virus {

        my $archivo = $_[0];
-
+#    print STDERR "Checking $archivo\n";
        my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";
 #      print TEMP $comando."\n\n";

        open SALIDA, "$comando |";
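Review bot: the only change in this hunk is a commented-out `print STDERR "Checking $archivo\n";`, which is dead debug code; drop it or put it behind a debug variable instead of leaving it to be uncommented by hand. While here, the context lines `my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";` and `open SALIDA, "$comando |";` hand the file name to a shell, so a name containing a single quote ends the quoting and whatever follows runs as a command; the wrapper is only safe as long as MailScanner's SafeName has already sanitised the name, which deserves a comment at this spot, or better a fork that redirects STDERR and then calls `exec $pavcl, $archivo, @ARGV, '-CMP'` in list form so no shell is involved.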
@@ -89,10 +89,11 @@
                s/(\^O|\r)//g;

 #              print TEMP $_;

-               if (/(Found virus|Encontrado virus)\s*:\s*((\w|\-|\_|\/)+)/)
{
+               if (m/(found virus|virus encontrado|encontrado virus|virus
found)\s+:\s?(.*?)$/i) {
                #if (/Encontrado virus:\s+((\w|\-|\_|\/)+)/) {
+#                      print STDERR "Found $2\n";
                        close SALIDA;
                        #return $1;
                        return $2;
                }
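Review bot: `\s+:` in the new pattern requires at least one blank before the colon, where the old `\s*:` accepted none, so output of the form `Encontrado virus:NAME` (the shape the commented-out `#if (/Encontrado virus:\s+...` was written for) stops matching; use `\s*:\s*` to cover both. Also `(.*?)$` captures to end of line including trailing blanks, unlike the old `((\w|\-|\_|\/)+)` which took only the name; that padding reappears in the logged report (`EICAR-AV-TEST-FILE   found in`), so end the capture with `\s*$` or trim `$2` before `return $2;`. The leftover `#return $1;` can go now that `$2` is the name.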



Also, if you want a cleaner log and a report that has the name of the
infected file, apply this patch to SweepViruses.pm (version 4.42.1):

--- SweepViruses.pm     Mon May  9 13:45:25 2005
+++ SweepViruses.pm.new Mon May  9 13:45:52 2005
@@ -2141,25 +2141,24 @@

   $logout = $line;
   $logout =~ s/%/%%/g;
   $logout =~ s/\s{20,}/ /g;
+  MailScanner::Log::InfoLog($logout);
+
    # EXAMPLE OUTPUT PLEASE? -- nwp 6/5/02
   # Virus: 2##Base: /var/spool/MailScanner/incoming/24408##1:
'h3MENF6X020229/eicar.com' => EICAR-AV-TEST-FILE##2:
'h3MENF6X020229/eicar.zip' => EICAR-AV-TEST-FILE##
   # Now you wish you never asked :-)

   $line =~ /Base: (.*?)##/;
   $BaseDir =~ $1;
   $numviruses = 0;
   my $temp = $line;
-  #2##Base: /var/spool/mailscanner/incoming/23386##1:
'1DVCx0-00067f-M4/eicar.com' => EICAR-AV-TEST-FILE  ##2:
'1DVCx0-00067f-M4/eicar_com.zip' => EICAR-AV-TEST-FILE  ##
   while ( $temp =~ /\d+: \'(.*?)\/(.*?)\' => (.*?)##/ )
   {
         $id = $1;
         $part = $2;
         $report = $3;
-        $report = $Name . ": " . $report." found in $part" if $Name;
-               $report =~ s/\s{2,}/ /g;
-               MailScanner::Log::InfoLog("%s",$report);
+        $report = $Name . ': ' . $report if $Name;
         $infections->{$id}{$part} .= "$report\n";
         $types->{$id}{$part} .= "v"; # it's a real virus
         $numviruses++;
         $temp = $';
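Review bot: `$BaseDir =~ $1;` in the context just below the new `InfoLog` call is a pattern match using `$1` as the pattern, not an assignment, so `$BaseDir` is never set; and because `$line =~ /Base: (.*?)##/` is unchecked, `$1` can be left over from an earlier match. Write `my ($BaseDir) = $line =~ /Base: (.*?)##/;` and return if it is undefined. Removing `$report =~ s/\s{2,}/ /g;` also leaves the scanner's padding in `$report`, which is why the sample log reads `EICAR-AV-TEST-FILE   found in`; keep the squash (or trim trailing blanks) before `$infections->{$id}{$part} .= "$report\n";`. Finally, the added `MailScanner::Log::InfoLog($logout);` passes the line as the format argument (hence the `%%` doubling above it); pass it as a value, `InfoLog("%s", $logout)`, the way the removed line did with `$report`.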

and your log will display:

May  9 13:39:26 srv2 MailScanner[24135]: Panda: EICAR-AV-TEST-FILE   found in eicar.com
May  9 13:39:27 srv2 MailScanner[24135]: Panda: EICAR-AV-TEST-FILE   found in eicar_com.zip
May  9 13:39:27 srv2 MailScanner[24135]: Virus Scanning: Panda found 2 infections

and reports will look like:

   Panda: EICAR-AV-TEST-FILE found in eicar.com

Hope it helps someone,


Rick
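The two ideas in this thread for the wrapper, running pavcl with a dumb terminal and capturing its output to a per-PID file instead of a shell pipe, and matching the "found virus" line in either word order, as an added example that is not code from panda-wrapper, from MailScanner or from either poster. The scanner path and flags in the commented call at the end are assumptions, and the sample output lines are constructed for this example, not captured from a real pavcl run.

```perl
#!/usr/bin/perl
# Added example, not code from panda-wrapper or MailScanner.
use strict;
use warnings;
use File::Temp ();
use POSIX ();

# Run the scanner on one file without a shell: the file name goes straight to
# execve(), so a name containing a single quote cannot break out of the
# command the way it can with "$pavcl '$archivo' ... |". TERM is forced to
# "dumb", and stdout+stderr land in a per-PID temporary file that the parent
# reads back once the child has exited.
sub run_scanner {
    my ($scanner, $file, @flags) = @_;
    my $out = File::Temp->new(TEMPLATE => "pavcl-$$-XXXXXX", TMPDIR => 1, UNLINK => 1);
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child. On any failure use _exit(), not die(): die() would run
        # File::Temp's destructor here and unlink the file the parent needs.
        $ENV{TERM} = 'dumb';
        open(STDOUT, '>&', $out)     or POSIX::_exit(127);
        open(STDERR, '>&', \*STDOUT) or POSIX::_exit(127);
        exec { $scanner } ($scanner, $file, @flags)
            or do { warn "exec $scanner: $!\n"; POSIX::_exit(127) };
    }
    waitpid($pid, 0);
    my $status = $? >> 8;
    seek($out, 0, 0);
    my @lines = <$out>;
    return ($status, @lines);
}

# Normalise one line of scanner output and pull the virus name out of a
# "Found virus :NAME" / "Virus found: NAME" / "Encontrado virus: NAME" /
# "Virus encontrado: NAME" line: either word order, any case, zero or more
# blanks around the colon, trailing blanks dropped. Returns undef otherwise.
sub virus_name_from_line {
    my ($line) = @_;
    # ANSI CSI sequences (colours, cursor movement) that a "pretty" scanner emits.
    $line =~ s/\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]//g;
    # The literal "^O", the SO/SI bytes and CR that the wrapper already strips.
    $line =~ s/(?:\^O|[\x0e\x0f\r])//g;
    return $1 if $line =~ /\b(?:found\s+virus|virus\s+found|encontrado\s+virus|virus\s+encontrado)\s*:\s*(\S.*?)\s*$/i;
    return;
}

sub parse_scanner_output {
    my @names;
    for my $line (@_) {
        my $name = virus_name_from_line($line);
        push @names, $name if defined $name;
    }
    return @names;
}

# Constructed sample output (not from a real pavcl run): the newer wording with
# a colour escape and no blank after the colon, the older Spanish wording with
# trailing blanks, the swapped order with a literal ^O, and a summary line that
# must not match. "Example.Test.Signature" is a made-up name.
my @sample = (
    "\e[1;31mFound virus :EICAR-AV-TEST-FILE\e[0m\r\n",
    "Encontrado virus: EICAR-AV-TEST-FILE   \r\n",
    "Virus found: Example.Test.Signature  ^O\n",
    "Scanned 3 files, 0 errors\n",
);
print "$_\n" for parse_scanner_output(@sample);

# Against a real installation (path is an assumption; -CMP is the switch the
# wrapper passes): my ($rc, @out) = run_scanner('/usr/local/bin/pavcl', $file, '-CMP');
# print "$_\n" for parse_scanner_output(@out);
```

The demo prints the three names from the sample and nothing for the summary line. `run_scanner` replaces the `2>&1 > /tmp/...` shell redirection with dup2 in a forked child, which is what the temp-file idea needs to behave the same whether or not stderr is a terminal, and the list-form `exec` is the part that removes the quoting problem in the wrapper's `'$archivo'`.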
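The `Virus: N##Base: DIR##1: 'id/part' => NAME##...` summary line that the SweepViruses.pm hunk parses, handled by a stand-alone parser written for this thread (an added example, not MailScanner's own code): it assigns the base directory from the capture rather than matching against it, walks the entries with a `/g` loop instead of `$'`, trims the scanner's padding, and keeps the report out of the log format string. The sample line is the one from the code comment in the patch; the scanner label "Panda" and the log helper are assumptions.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's SweepViruses.pm.
use strict;
use warnings;

# Parse one "Virus: N##Base: DIR##1: 'id/part' => NAME##..." summary line.
# $name is the scanner label; %$infections and %$types are filled the way
# SweepViruses.pm fills them: one report line per (message id, part) and a
# "v" flag per real virus. Returns (base directory, number of infections).
sub parse_virus_line {
    my ($line, $name, $infections, $types) = @_;
    # Assignment from a capture, not "$BaseDir =~ $1" (which is a match).
    my ($basedir) = $line =~ /Base: (.*?)##/;
    return (undef, 0) unless defined $basedir;

    my $count = 0;
    # A /g match in scalar context walks the entries; no $' needed.
    while ($line =~ /\d+: '([^'\/]+)\/([^']+)' => (.*?)##/g) {
        my ($id, $part, $report) = ($1, $2, $3);
        $report =~ s/\s+$//;                       # drop the scanner's padding
        $report = "$name: $report found in $part" if $name;
        $infections->{$id}{$part} .= "$report\n";
        $types->{$id}{$part}      .= 'v';
        $count++;
    }
    return ($basedir, $count);
}

# Log helper (assumed; stands in for MailScanner::Log::InfoLog). The message
# is always a value behind a fixed "%s" format, so a "%" inside a scanner
# report can never be read as a directive and needs no doubling.
sub info_log {
    my ($msg) = @_;
    printf STDERR "%s\n", $msg;
}

# Sample line in the format documented in the SweepViruses.pm comment.
my $line = "Virus: 2##Base: /var/spool/MailScanner/incoming/24408##"
         . "1: 'h3MENF6X020229/eicar.com' => EICAR-AV-TEST-FILE  ##"
         . "2: 'h3MENF6X020229/eicar.zip' => EICAR-AV-TEST-FILE  ##";

my (%infections, %types);
my ($base, $n) = parse_virus_line($line, 'Panda', \%infections, \%types);
info_log("Virus Scanning: Panda found $n infections under $base");
for my $id (sort keys %infections) {
    for my $part (sort keys %{ $infections{$id} }) {
        print STDERR "$id/$part [$types{$id}{$part}]: $infections{$id}{$part}";
    }
}
```

Each report line carries the part name once, with single spacing, which is the "found in eicar.com" form the reports above are meant to show; a line whose `Base:` field is missing yields a count of zero rather than a stale `$1`.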

