Panda not working
Steen, Glenn
Glenn.Steen at AP1.SE
Tue May 10 10:49:32 IST 2005
> -----Original Message-----
> From: MailScanner mailing list
> [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Rick Cooper
> Sent: den 9 maj 2005 21:12
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: Re: Panda not working
>
>
> > -----Original Message-----
> > From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On
> > Behalf Of Steen, Glenn
> > Sent: Monday, May 09, 2005 1:01 PM
> > To: MAILSCANNER at JISCMAIL.AC.UK
> > Subject: SV: Panda not working
> >
> >
> > Yes, well.... There is where you (unfortunately) may start
> to stumble...
> > See, the original wrapper does a pretty decent job of sanitizing
> > the output, but... It assumes that the output is as seen on an
> > xterm/vt-whatever when executing "inside MS". This isn't the case.
> > So then the original author "falls back" on invoking pavcl
> > once/file... and still it'll mess up from time to time. Set your
> > TERM to "dumb" (or unset it), then call it as is done in MS on a
> > directory that may contain several subdirectories (both clean and
> > unclean files) and you'll likely see the same mess I found... Of
> > course, I'd be rather happy if it did work for you, since that
> > would point at some peculiarity in my system, but.... I won't
> > hold my breath:-).
>
> This may be true, haven't tested that. But haven't
> experienced an issue with
> it either, then again I have only been testing for a couple
> hours.
Weeks of testing in my case;).
> If that
> is a problem I would think changing
>
> my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";
> to
>
> my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 >
> /tmp/FileNameBasedOnPid
> ";
>
> and parsing the /tmp file rather than the pipe itself
> should solve that.
> Wouldn't allow the terminal to alter the output.
The problem isn't with the terminal, it is with ncurses and
pavcl/the wrapper's reliance on it.
>
> As far as multiple, nested directories. Julian may have to
> correct me, but
> there shouldn't be any nested directories. All the files
> should be extracted
> into a single directory with the SafeName function handling
> duplicate as
> well as possibly dangerous file names so the -cmp switch
> shouldn't really be
> used at all (unless I am mistaken). IIRC the unpacking is done in this
> manner to remove the chance of archived directory structures
> spilling out
> where they don't belong.
Well, the wrappers get called in the batch directory
(/var/spool/MailScanner/incoming/<pid>) as "wrapper path . args", so
if you have more than one message in the batch, you'll scan more than
one directory at a time (it might also get called on ./<ID>, which the
current wrapper script will blithely ignore, but that is just one
little problem with it... Killing resources by running pavcl once/file
is another, and not being able to run the wrapper outside MS is a
third (this is since the directory traversal is kind of ...
simplistic)).
> >
> > I'll be glad to share my "improved" wrapper scripts if you'd like
> > to have a go with them, but... I'd recommend against wasting too
> > much (more) time on it. Drop a line and I'll forward them
> > tomorrow (horrible hacks that they are:-).
> >
> > Best would be for them to produce sane output.
>
> using ANSI for output is ignorant at best... like trying to
> step back to the
> DOS days and having a cool/pretty display.
Ahem, not really "ansi", no, rather "escape sequences as defined
in terminfo":-). But in principle I do agree.
> But I ran the
> standard wrapper
> and found it didn't recognize viruses because of a rather
> simple thing to
> fix. It would appear that panda swapped the words around on
> their "Virus
> found" string and removed a space between the ":" and virus
> name string.
There's some more small things one can fix along the way, like
the actual virus RE which should include a dot (Lovegate <>
Lovegate.AB), but basically I see this as a waste of time.
The FP/FNs will only rear their ugly head on a system where a
batch > 1 message, so simpler tests than that usually work.
I made some fairly ugly hacks to overcome the design flaws of
the original wrapper (mainly to be able to test outside of MS
and a stab at running just one pavcl/batch) that worked very
nicely... Until left running for a few days (in MS of course).
I'd be happy to work with you to cover this ground (again...
Who knows, I might have missed something glaringly obvious:-),
if I had the time to spare ... Unfortunately Real Work(tm) is
a priority ATM, so I don't have any to spare.
-- Glenn
>
> The patch below (for panda-wrapper) appears to take care of
> the problem
> related to not finding the virus as it will trigger on either
> version of the
> found string and name string. (assuming a need for backward
> compatibility)
>
> --- panda-wrapper Mon May 9 13:53:18 2005
> +++ panda-wrapper.new Mon May 9 13:53:38 2005
> @@ -76,9 +76,9 @@
>
> sub busca_virus {
>
> my $archivo = $_[0];
> -
> +# print STDERR "Checking $archivo\n";
> my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";
> # print TEMP $comando."\n\n";
>
> open SALIDA, "$comando |";
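Review bot: the only change in this hunk is a commented-out `# print STDERR "Checking $archivo\n";`, which is dead code in a shipped wrapper; either drop it or hang it off a debug variable so it can be switched on without editing the file. While here, the unchanged context line `open SALIDA, "$comando |";` never checks whether the open succeeded, so if pavcl cannot be started the read loop below sees nothing, no "virus found" line is ever matched, and the file is reported clean; that fails open. `open SALIDA, "$comando |" or warn "pavcl failed: $!";` (and returning an error indication rather than "clean") would at least make the failure visible in the log.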
> @@ -89,10 +89,11 @@
> s/(\^O|\r)//g;
>
> # print TEMP $_;
>
> - if (/(Found virus|Encontrado
> virus)\s*:\s*((\w|\-|\_|\/)+)/)
> {
> + if (m/(found virus|virus
> encontrado|encontrado virus|virus
> found)\s+:\s?(.*?)$/i) {
> #if (/Encontrado virus:\s+((\w|\-|\_|\/)+)/) {
> +# print STDERR "Found $2\n";
> close SALIDA;
> #return $1;
> return $2;
> }
>
>
>
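Review bot: the new pattern `\s+:` requires at least one whitespace character before the colon, whereas the removed pattern used `\s*:` (zero or more); since the stated goal is to trigger on either version of the found string, `\s*:\s*` is the safe form, otherwise an old-style `Found virus: NAME` line with nothing before the colon is missed and the file reports as clean. Second, `(.*?)$` now captures everything to end of line, including trailing blanks or control characters that the `s/(\^O|\r)//g` above does not strip, and that text becomes the virus name in reports and logs; trimming the capture (`s/\s+$//` on `$2`) or keeping a character class such as `[\w.\-\/]+` (which also admits the dotted variant names raised in this thread) keeps the name clean. The stale `#return $1;` can go now that `$2` is the intended capture.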
> Also, if you want a cleaner log and a report that has the name of the
> infected file apply this patch to SweepViruses (version 4.42.1)
>
> --- SweepViruses.pm Mon May 9 13:45:25 2005
> +++ SweepViruses.pm.new Mon May 9 13:45:52 2005
> @@ -2141,25 +2141,24 @@
>
> $logout = $line;
> $logout =~ s/%/%%/g;
> $logout =~ s/\s{20,}/ /g;
> + MailScanner::Log::InfoLog($logout);
> +
> # EXAMPLE OUTPUT PLEASE? -- nwp 6/5/02
> # Virus: 2##Base: /var/spool/MailScanner/incoming/24408##1:
> 'h3MENF6X020229/eicar.com' => EICAR-AV-TEST-FILE##2:
> 'h3MENF6X020229/eicar.zip' => EICAR-AV-TEST-FILE##
> # Now you wish you never asked :-)
>
> $line =~ /Base: (.*?)##/;
> $BaseDir =~ $1;
> $numviruses = 0;
> my $temp = $line;
> - #2##Base: /var/spool/mailscanner/incoming/23386##1:
> '1DVCx0-00067f-M4/eicar.com' => EICAR-AV-TEST-FILE ##2:
> '1DVCx0-00067f-M4/eicar_com.zip' => EICAR-AV-TEST-FILE ##
> while ( $temp =~ /\d+: \'(.*?)\/(.*?)\' => (.*?)##/ )
> {
> $id = $1;
> $part = $2;
> $report = $3;
> - $report = $Name . ": " . $report." found in $part" if $Name;
> - $report =~ s/\s{2,}/ /g;
> - MailScanner::Log::InfoLog("%s",$report);
> + $report = $Name . ': ' . $report if $Name;
> $infections->{$id}{$part} .= "$report\n";
> $types->{$id}{$part} .= "v"; # it's a real virus
> $numviruses++;
> $temp = $';
>
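Review bot: the direction of this hunk looks inverted relative to the result described below it: the log line `Panda: EICAR-AV-TEST-FILE found in eicar.com` can only come from the `-` line `$report = $Name . ": " . $report." found in $part" if $Name;` together with the per-infection `MailScanner::Log::InfoLog("%s",$report);`, both of which this patch removes, while the `+` side logs the raw `$logout` (the whole `##`-separated line) once. Please regenerate with `diff -u SweepViruses.pm SweepViruses.pm.new` so that the `+` lines are the ones producing the quoted log. Separately, `MailScanner::Log::InfoLog($logout);` passes scanner output as the format string; the `%` doubling two lines above makes that safe here, but the `"%s"` form used on the removed line is the more robust idiom. The context line `$BaseDir =~ $1;` is a pattern match rather than an assignment (`=`), so `$BaseDir` is never set from the `Base:` capture; not part of this change, but worth fixing while in the file.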
> and your log will display:
>
> May 9 13:39:26 srv2 MailScanner[24135]: Panda:
> EICAR-AV-TEST-FILE found
> in eicar.com
> May 9 13:39:27 srv2 MailScanner[24135]: Panda:
> EICAR-AV-TEST-FILE found
> in eicar_com.zip
> May 9 13:39:27 srv2 MailScanner[24135]: Virus Scanning: Panda found 2
> infections
>
> and reports will look like:
>
> Panda: EICAR-AV-TEST-FILE found in eicar.com
>
> Hope it helps someone,
>
>
> Rick
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
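As an added example for this thread (it is not code from panda-wrapper or from MailScanner), the Perl below shows a parser that handles both Panda phrasings discussed above without depending on the spacing around the colon, strips terminal escape sequences before matching (the ncurses/terminfo output Glenn describes), keeps dotted variant names, and also parses the `##`-separated summary line quoted from the SweepViruses comment. It goes beyond the posted patch in accepting any spacing and arbitrary escape sequences; the function names and the sample lines are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not code from panda-wrapper or MailScanner: a small parser for
# pavcl "virus found" lines and for the SweepViruses "##"-separated summary.
# Function names (clean_line, virus_name, parse_summary) are this example's own.
use strict;
use warnings;

# Remove terminal control output so that text captured from a pipe (TERM unset,
# no tty) matches the same whether or not pavcl/ncurses emitted escapes:
# CSI sequences (ESC [ ... final byte), two-byte ESC sequences, SO/SI, CR,
# the literal "^O" the original wrapper strips, and trailing blanks.
sub clean_line {
    my ($line) = @_;
    $line =~ s/\e\[[0-9;?]*[ -\/]*[@-~]//g;
    $line =~ s/\e[@-Z\\-_]//g;
    $line =~ s/(?:\^O|[\x0e\x0f\r])//g;
    $line =~ s/\s+$//;
    return $line;
}

# Return the virus name if the line reports an infection, otherwise undef.
# Accepts both word orders in English and Spanish, zero or more spaces on
# either side of the colon, and dotted variant names such as Lovegate.AB.
sub virus_name {
    my ($line) = @_;
    $line = clean_line($line);
    if ($line =~ /\b(?:found virus|virus found|encontrado virus|virus encontrado)\s*:\s*([\w.\-\/]+)/i) {
        return $1;
    }
    return undef;
}

# Parse a summary line of the form
#   N##Base: <dir>##1: '<id>/<part>' => <name>##2: ...##
# into a list of [id, part, name] triples; an optional blank before "##" is
# tolerated because the thread shows both spellings.
sub parse_summary {
    my ($line) = @_;
    my @hits;
    while ($line =~ /\d+: '([^\/']*)\/([^']*)' => (.*?)\s*##/g) {
        push @hits, [$1, $2, $3];
    }
    return @hits;
}

# Constructed sample lines: the two Panda phrasings discussed in the thread,
# one wrapped in bold/reset escapes with a CR, and one clean file.
my @samples = (
    "Found virus: EICAR-AV-TEST-FILE",
    "Virus found:EICAR-AV-TEST-FILE",
    "\e[1mVirus found :Lovegate.AB\e[0m\r",
    "Scanning eicar.txt ... Ok",
);
for my $s (@samples) {
    my $name = virus_name($s);
    printf "%-45s => %s\n", clean_line($s), defined $name ? $name : "(clean)";
}

# Summary line taken from the SweepViruses comment quoted in the thread.
my $summary = "Virus: 2##Base: /var/spool/MailScanner/incoming/24408##"
            . "1: 'h3MENF6X020229/eicar.com' => EICAR-AV-TEST-FILE##"
            . "2: 'h3MENF6X020229/eicar.zip' => EICAR-AV-TEST-FILE ##";
for my $hit (parse_summary($summary)) {
    my ($id, $part, $name) = @$hit;
    print "Panda: $name found in $part (message $id)\n";
}
```

The point of stripping escapes before matching, rather than tuning the pattern to one terminal's output, is that a scanner whose output format drifts (word order, spacing, a new colour code) then degrades to a parse failure you can test for, instead of silently reporting infected files as clean.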