Sv: Re: Panda not working

Andreas Svensson andreas.svensson at HALLSBERG.SE
Wed May 11 10:09:22 IST 2005


Thanks!
The panda-wrapper now works for me...


_____________________________________________________
Kind regards, Andreas Svensson         IT Technician, Hallsbergs kommun.
GSM. +46 70-2329059
TEL. +46 582-685120
FAX. +46 582-685119
_____________________________________________________

>>> rcooper at DWFORD.COM 2005-05-09 21:12:16 >>>
> -----Original Message-----
> From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK]On Behalf Of Steen, Glenn
> Sent: Monday, May 09, 2005 1:01 PM
> To: MAILSCANNER at JISCMAIL.AC.UK
> Subject: SV: Panda not working
>
>
> Yes, well.... There is where you (unfortunately) may start to stumble...
> See, the original wrapper does a pretty decent job of sanitizing
> the output, but... It assumes that the output is as seen on an
> xterm/vt-whatever when executing "inside MS". This isn't the case.
> So then the original author "falls back" on invoking pavcl
> once/file... and still it'll mess up from time to time. Set your
> TERM to "dumb" (or unset it), then call it as is done in MS on a
> directory that may contain several subdirectories (both clean and
> unclean files) and you'll likely see the same mess I found... Of
> course, I'd be rather happy if it did work for you, since that
> would point at some peculiarity in my system, but.... I won't
> hold my breath:-).

This may be true, haven't tested that. But haven't experienced an issue with it either, then again I have only been testing for a couple hours. If that is a problem I would think changing

        my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";
to

        my $comando = "$pavcl '$archivo' @ARGV -CMP > /tmp/FileNameBasedOnPid 2>&1";

and parsing the /tmp file rather than the pipe itself should solve that. Wouldn't allow the terminal to alter the output.

As far as multiple, nested directories. Julian may have to correct me, but there shouldn't be any nested directories. All the files should be extracted into a single directory with the SafeName function handling duplicates as well as possibly dangerous file names, so the -cmp switch shouldn't really be used at all (unless I am mistaken). IIRC the unpacking is done in this manner to remove the chance of archived directory structures spilling out where they don't belong.

>
> I'll be glad to share my "improved" wrapper scripts if you'd like
> to have a go with them, but... I'd recommend against wasting too
> much (more) time on it. Drop a line and I'll forward them
> tomorrow (horrible hacks that they are:-).
>
> Best would be for them to produce sane output.

using ANSI for output is ignorant at best... like trying to step back to the DOS days and having a cool/pretty display. But I ran the standard wrapper and found it didn't recognize viruses because of a rather simple thing to fix. It would appear that panda swapped the words around on their "Virus found" string and removed a space between the ":" and virus name string.

The patch below (for panda-wrapper) appears to take care of the problem related to not finding the virus as it will trigger on either version of the found string and name string (assuming a need for backward compatibility).

--- panda-wrapper       Mon May  9 13:53:18 2005
+++ panda-wrapper.new   Mon May  9 13:53:38 2005
@@ -76,9 +76,9 @@

 sub busca_virus {

        my $archivo = $_[0];
-
+#    print STDERR "Checking $archivo\n";
        my $comando = "$pavcl '$archivo' @ARGV -CMP 2>&1 ";
 #      print TEMP $comando."\n\n";

        open SALIDA, "$comando |";
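Review bot: the `open SALIDA, "$comando |";` context line that closes this hunk still has no failure check, so if pavcl cannot be started the read loop over SALIDA sees no output and nothing is reported for the file; suggest `open SALIDA, "$comando |" or die "cannot run $pavcl: $!";` (or log the failure through MailScanner::Log and return). The commented-out `#    print STDERR "Checking $archivo\n";` that replaces the blank line is debugging noise; either drop it or gate it behind a debug flag rather than leaving dead code in the diff.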
@@ -89,10 +89,11 @@
                s/(\^O|\r)//g;

 #              print TEMP $_;

-               if (/(Found virus|Encontrado
virus)\s*:\s*((\w|\-|\_|\/)+)/)
{
+               if (m/(found virus|virus encontrado|encontrado
virus|virus
found)\s+:\s?(.*?)$/i) {
                #if (/Encontrado virus:\s+((\w|\-|\_|\/)+)/) {
+#                      print STDERR "Found $2\n";
                        close SALIDA;
                        #return $1;
                        return $2;
                }
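Review bot: the new pattern uses `\s+:` before the colon, which requires at least one whitespace character and is stricter than the original `\s*:`; a line such as `Found virus:EICAR-AV-TEST-FILE` (no space either side of the colon) would no longer match even though the message says the missing space is exactly what changed. Suggest `\s*:\s*(.*?)\s*$` so whitespace on both sides of the colon is optional and trailing blanks are not captured into `$2`. Note also that the only cleanup above is `s/(\^O|\r)//g`, so any ANSI escape sequence at the end of the line is captured as part of the virus name returned by `return $2;`.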



Also, if you want a cleaner log and a report that has the name of the infected file, apply this patch to SweepViruses (version 4.42.1)

--- SweepViruses.pm     Mon May  9 13:45:25 2005
+++ SweepViruses.pm.new Mon May  9 13:45:52 2005
@@ -2141,25 +2141,24 @@

   $logout = $line;
   $logout =~ s/%/%%/g;
   $logout =~ s/\s{20,}/ /g;
+  MailScanner::Log::InfoLog($logout);
+
    # EXAMPLE OUTPUT PLEASE? -- nwp 6/5/02
   # Virus: 2##Base: /var/spool/MailScanner/incoming/24408##1:
'h3MENF6X020229/eicar.com' => EICAR-AV-TEST-FILE##2:
'h3MENF6X020229/eicar.zip' => EICAR-AV-TEST-FILE##
   # Now you wish you never asked :-)

   $line =~ /Base: (.*?)##/;
   $BaseDir =~ $1;
   $numviruses = 0;
   my $temp = $line;
-  #2##Base: /var/spool/mailscanner/incoming/23386##1:
'1DVCx0-00067f-M4/eicar.com' => EICAR-AV-TEST-FILE  ##2:
'1DVCx0-00067f-M4/eicar_com.zip' => EICAR-AV-TEST-FILE  ##
   while ( $temp =~ /\d+: \'(.*?)\/(.*?)\' => (.*?)##/ )
   {
         $id = $1;
         $part = $2;
         $report = $3;
-        $report = $Name . ": " . $report." found in $part" if $Name;
-               $report =~ s/\s{2,}/ /g;
-               MailScanner::Log::InfoLog("%s",$report);
+        $report = $Name . ': ' . $report if $Name;
         $infections->{$id}{$part} .= "$report\n";
         $types->{$id}{$part} .= "v"; # it's a real virus
         $numviruses++;
         $temp = $';
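Review bot: `MailScanner::Log::InfoLog($logout);` passes scanner output as the log format string; it is only safe because of the `$logout =~ s/%/%%/g;` two lines above, whereas the removed `MailScanner::Log::InfoLog("%s",$report);` used the format-argument form. Suggest `MailScanner::Log::InfoLog("%s", $logout);` so the escaping is not load-bearing. The removed `$report =~ s/\s{2,}/ /g;` is not replaced, so runs of blanks inside the scanner's virus name now reach the report verbatim. Unrelated to this change but visible in context, `$BaseDir =~ $1;` is a pattern match rather than an assignment; `$BaseDir = $1;` looks intended.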

and your log will display:

May  9 13:39:26 srv2 MailScanner[24135]: Panda: EICAR-AV-TEST-FILE found in eicar.com
May  9 13:39:27 srv2 MailScanner[24135]: Panda: EICAR-AV-TEST-FILE found in eicar_com.zip
May  9 13:39:27 srv2 MailScanner[24135]: Virus Scanning: Panda found 2 infections

and reports will look like:

   Panda: EICAR-AV-TEST-FILE found in eicar.com

Hope it helps someone,


Rick
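An added example, not the panda-wrapper or any code from this thread, showing a parser for the pavcl detection line as Rick describes it: both word orders, English and Spanish, optional whitespace on either side of the colon, with ANSI escapes, the literal "^O" and carriage returns stripped first so the terminal cannot alter what is matched. The function and sample lines are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Strip the terminal noise the thread describes: ANSI CSI escape sequences,
# the shift-in byte pavcl emits (shown as "^O"), and carriage returns.
sub sanitize_line {
    my ($line) = @_;
    $line =~ s/\e\[[0-9;?]*[ -\/]*[\@-~]//g;   # ESC [ params intermediates final
    $line =~ s/\x0f//g;                         # raw shift-in byte
    $line =~ s/\^O//g;                          # "^O" as rendered by a terminal
    $line =~ s/\r//g;
    return $line;
}

# Return the virus name from one output line, or undef if it is not a
# detection line. Whitespace around the colon is optional (Panda dropped the
# space after it) and trailing blanks are not captured into the name.
sub virus_name_from_line {
    my ($line) = @_;
    $line = sanitize_line($line);
    if ($line =~ /(?:found virus|virus found|encontrado virus|virus encontrado)\s*:\s*(.*?)\s*$/i) {
        return $1;
    }
    return undef;
}

# Parse a whole capture of pavcl output (for example a file written with
# "> /tmp/FileNameBasedOnPid 2>&1") and return every virus name found.
sub virus_names_from_output {
    my ($text) = @_;
    return grep { defined } map { virus_name_from_line($_) } split /\n/, $text;
}

# Constructed sample output; not real pavcl output.
my $capture = join "\n",
    "Found virus: EICAR-AV-TEST-FILE",
    "Virus found:EICAR-AV-TEST-FILE\r",
    "\e[1;31mEncontrado virus : EICAR-AV-TEST-FILE\e[0m^O",
    "/tmp/x/eicar.com ... OK";

my @names = virus_names_from_output($capture);
print scalar(@names), " detection line(s)\n";
print "virus: $_\n" for @names;
```

Running it prints three detections, all with the name EICAR-AV-TEST-FILE, and ignores the clean line.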



------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
