Norman Sandbox and MailScanner

James Gray james at grayonline.id.au
Wed Jul 12 08:33:12 IST 2006


Sjakie wrote:
> Denis wrote:
>> Maybe you need to modify how MS calls Norman AV... Look into
>> /usr/lib/MailScanner/norman-wrapper (or wherever
>> /etc/MailScanner/virus.scanners.conf points to for your AV).
> 
> /etc/MailScanner/virus.scanners.conf points to
> /usr/lib/MailScanner/norman-wrapper
> 
> ======[ /usr/lib/MailScanner/norman-wrapper ]========
> PackageDir=$1
> shift
> prog=nvcc
> 
> if [ "x$1" = "x-IsItInstalled" ]; then
>  [ -x ${PackageDir}/$prog ] && exit 0
>  exit 1
> fi
> 
> exec ${PackageDir}/$prog "$@"
> ==================================================
> 
> But as far as I can see the way Norman is called is ok,
> also because the logfile of Norman tells me it detected a virus.
> 
> I also looked at the file /usr/lib/MailScanner/MailScanner/SweepViruses.pm
> and I think that in this script the output of Norman is analyzed (sub
> ProcessNormanOutput).
> 
> But I don't really understand perl so can anyone tell me if this is right?

I think the problem is in the sandbox output not matching the output
when a virus is detected from the definitions.  Besides the fact
MailScanner doesn't call Norman with any options, so if you've hacked
the wrapper to include options, you're on your own.

As for the SweepVirus.pm stuff, it's not too hard to get your head
around once you've played with a bit of regex :) The key part is this:

return 0 unless $line =~ /^[^']+'([^']+)' -> '([^']+)'\s*$/;
my ($filename, $virus) = ($1, $2);

Which looks for lines that match Norman's output when a virus is
detected (there's the examples Julian used at the beginning of the
function).  If a line is found that matches, basically whatever is
between the last pair of single quotes on the left of the " -> " is taken
as the file name. Similarly whatever is between the first pair of single
quotes on the right hand side of the " -> " is deemed to be the virus
name[1]. So a line from Norman like:

blah blah '/path/to/infected/file' -> 'BiteMe/W32 Trojan' foo foo foo

Would read /path/to/infected/file and pump it into $filename and similar
story with the virus name.

Make sense?  If Norman's sandbox thing generates output that differs
from this format, then show us command line output (not the log file, or
any ugly debugging info - just the bare minimum Norman needs to run this
sandbox thingy) and either Julian, or someone on the list might be able
to write a patch for you :)

Cheers,

James
[1] REGEX gurus - YES! I know that's not the whole story (there's a few
extra qualifiers in there)...this is just a BRIEF explanation.  So
please don't nit-pick :)
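An added example (not from the post, and not MailScanner's own code) that transcribes the Perl pattern quoted above into Python, so you can paste lines of Norman output in and see which ones ProcessNormanOutput would accept as a detection; the sample scanner output and the near_misses helper are constructed here and are not real Norman output.

```python
import re

# The pattern from SweepViruses.pm's ProcessNormanOutput, as quoted in the
# post, transcribed from Perl into Python's re syntax (same semantics).
NORMAN_HIT = re.compile(r"^[^']+'([^']+)' -> '([^']+)'\s*$")


def parse_norman_line(line):
    """Return (filename, virus) if the line matches the detection pattern, else None."""
    m = NORMAN_HIT.match(line.rstrip("\n"))
    if not m:
        return None
    return m.group(1), m.group(2)


def detections(output):
    """Walk scanner output and collect the (filename, virus) pairs MailScanner would act on."""
    hits = []
    for line in output.splitlines():
        parsed = parse_norman_line(line)
        if parsed:
            hits.append(parsed)
    return hits


def near_misses(output):
    """Lines that carry the ' -> ' marker but fail the pattern: the format-drift
    cases (e.g. sandbox output with text after the closing quote) worth posting
    to the list when a scanner hit is not being picked up."""
    return [l for l in output.splitlines()
            if " -> " in l and parse_norman_line(l) is None]


# Constructed sample output (hypothetical; not captured from Norman). The last
# line imitates a sandbox-style report with trailing text, which '\s*$' rejects.
SAMPLE_OUTPUT = """\
Norman Virus Control - command line scanner
Scanning: '/var/spool/MailScanner/incoming/1234/msg.eml'
Infected: '/var/spool/MailScanner/incoming/1234/attach.exe' -> 'EICAR-Test-File'
Sandbox:  '/var/spool/MailScanner/incoming/1234/dropper.exe' -> 'Sandbox: W32/Malware' (suspicious)
"""

if __name__ == "__main__":
    for filename, virus in detections(SAMPLE_OUTPUT):
        print("MailScanner would flag %s as %s" % (filename, virus))
    for line in near_misses(SAMPLE_OUTPUT):
        print("not matched by the pattern: %s" % line)
```

Run real scanner output through near_misses first: if the sandbox hits show up there, the parser (not the wrapper) is what needs the patch.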