Norman Sandbox and MailScanner
Sjakie
sjakie07 at chello.nl
Wed Jul 12 12:05:07 IST 2006
James wrote:
> I think the problem is in the sandbox output not matching the output
> when virus is detected from the definitions. Besides the fact
> MailScanner doesn't call Norman with any options, so if you've hacked
> the wrapper to include options, you're on your own.
>
> As for the SweepVirus.pm stuff, it's not too hard to get your head
> around once you've played with a bit of regex :) The key part is this:
>
> return 0 unless $line =~ /^[^']+'([^']+)' -> '([^']+)'\s*$/;
> my ($filename, $virus) = ($1, $2);
>
> Which looks for lines that match Norman's output when a virus is
> detected (there are the examples Julian used at the beginning of the
> function). If a line is found that matches, basically whatever is
> between the last pair of single quotes on the left of the " -> " is taken
> as the file name. Similarly, whatever is between the first pair of single
> quotes on the right hand side of the " -> " is deemed to be the virus name[1].
> So a line from Norman like:
>
> blah blah '/path/to/infected/file' -> 'BiteMe/W32 Trojan' foo foo foo
>
> Would read /path/to/infected/file and pump it into $filename and similar
> story with the virus name.
>
> Make sense? If Norman's sandbox thing generates output that differs
> from this format, then show us command line output (not the log file, or
> any ugly debugging info - just the bare minimum Norman needs to run this
> sandbox thingy) and either Julian, or someone on the list might be able
> to write a patch for you :)
I did not hack the wrapper, it's the default Norman wrapper. When I look at
the Norman logs, it seems that somehow MailScanner calls Norman with these
parameters: "nvcc -c -sb:1 -s -u ." which should be OK.
(When I start Norman without any parameter from the prompt: "nvcc .",
then in the Norman logs only these parameters: "." are logged.)
I'm totally new to regex but it makes a little more sense now, thanks!
Here's the Norman output (scanned a directory with the command:
"nvcc -c -sb:1 -s -u .")
3 times: once with Eicar (detected from the definitions),
once with dummy.exe (test file to trigger the Sandbox),
and once with both Eicar and dummy.exe.
The output with sandbox is a little different (basename / more than 1 line...)
as you can see... so maybe this can be fixed!?
I think it would be a great improvement...
Thanks up front!!!
---[virus is detected from the definitions]-----------------------------------------------------------------------------------------
NORMAN
Norman Virus Control Version 5.70.01 Jun 15 2004 10:37:11
Copyright (c) 1993-2003 Norman ASA
NSE revision 5.90.23
nvcbin.def revision 5.90 of 2006/07/11 (65535 variants)
nvcmacro.def revision 5.90 of 2006/07/03 (19936 variants)
Total number of variants: 85471
Logging to '/opt/norman/logs/nvc00003.log'
Possible virus in '/root/SCANDIR/./eicar_com.zip : eicar.com' ->
'EICAR_Test_file_not_a_virus!'
1 possible infections found.
1 archives unpacked, 2 files found.
2 files, 2 kbytes scanned.
Total scanning time: 0 min. 00 secs.
2 kbytes per second.
---[virus is detected with sandbox]-----------------------------------------------------------------------------------------
NORMAN
Norman Virus Control Version 5.70.01 Jun 15 2004 10:37:11
Copyright (c) 1993-2003 Norman ASA
NSE revision 5.90.23
nvcbin.def revision 5.90 of 2006/07/11 (65535 variants)
nvcmacro.def revision 5.90 of 2006/07/03 (19936 variants)
Total number of variants: 85471
Logging to '/opt/norman/logs/nvc00001.log'
Possible virus in './dummy.exe' -> 'Sandbox: W32/Malware; [ General
information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 4096 bytes.
'
1 possible infections found.
0 archives unpacked, 1 files found.
1 files, 5 kbytes scanned.
Total scanning time: 0 min. 01 secs.
5 kbytes per second.
---[both Eicar and dummy.exe]-----------------------------------------------------------------------------------------
NORMAN
Norman Virus Control Version 5.70.01 Jun 15 2004 10:37:11
Copyright (c) 1993-2003 Norman ASA
NSE revision 5.90.23
nvcbin.def revision 5.90 of 2006/07/11 (65535 variants)
nvcmacro.def revision 5.90 of 2006/07/03 (19936 variants)
Total number of variants: 85471
Logging to '/opt/norman/logs/nvc00002.log'
Possible virus in './dummy.exe' -> 'Sandbox: W32/Malware; [ General
information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -
REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 4096 bytes.
'
Possible virus in '/root/SCANDIR/./eicar_com.zip : eicar.com' ->
'EICAR_Test_file_not_a_virus!'
2 possible infections found.
1 archives unpacked, 3 files found.
3 files, 7 kbytes scanned.
Total scanning time: 0 min. 00 secs.
7 kbytes per second.
----------------------------------------------------------------------------------------------------------------------------------
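To make the mismatch concrete, here is an added example (not MailScanner's own code and not from anyone in this thread) that ports the SweepVirus.pm regex quoted by James to Python and runs it over samples adapted from the three outputs above. It assumes the scan directory was /root/SCANDIR (the absolute path in the Eicar report suggests this) and that the definitions report is really one line in Norman's output, wrapped only by the mail client; the sandbox report genuinely spans several lines. The buffered parser and the Detection record are my own additions, not MailScanner's behaviour.

```python
import os
import re
from dataclasses import dataclass

# Per-line pattern ported from the SweepVirus.pm line quoted in the post.
LINE_RE = re.compile(r"^[^']+'([^']+)' -> '([^']+)'\s*$")

# Same two capture groups, applied to a buffered multi-line report. Because
# [^'] also matches newlines, the virus-name group may span several lines,
# and \s* around "->" absorbs a line break after the arrow as well.
REPORT_RE = re.compile(r"^[^']+'([^']+)'\s*->\s*'([^']+)'\s*$")


@dataclass
class Detection:
    path: str     # absolute path of the scanned file
    member: str   # archive member name, or '' when not inside an archive
    virus: str    # short verdict, e.g. 'Sandbox: W32/Malware'


def parse_per_line(output):
    """Original behaviour: every line must carry the complete report."""
    hits = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def _finish(filename, virus, scan_dir):
    # Norman writes archive members as "<archive> : <member>".
    path, _, member = filename.partition(" : ")
    # './x' from a sandbox verdict becomes '<scan_dir>/x'; an absolute path
    # from a definitions verdict is left alone, so both compare equal.
    path = os.path.normpath(os.path.join(scan_dir, path))
    # A sandbox verdict carries a report after the name; keep only the
    # text before the first ';' on the first line.
    short = virus.splitlines()[0].split(";", 1)[0].strip()
    return Detection(path, member.strip(), short)


def parse_buffered(output, scan_dir="/"):
    """Buffer each 'Possible virus in' report until its closing quote."""
    hits, buf = [], None
    for line in output.splitlines():
        if buf is None:
            if not line.startswith("Possible virus in '"):
                continue
            buf = line
        else:
            buf += "\n" + line
        m = REPORT_RE.match(buf)
        if m:
            hits.append(_finish(m.group(1), m.group(2), scan_dir))
            buf = None
    return hits  # an unterminated report (truncated output) is dropped


# Constructed samples, trimmed from the outputs in the post.
DEFINITIONS = (
    "Logging to '/opt/norman/logs/nvc00003.log'\n"
    "Possible virus in '/root/SCANDIR/./eicar_com.zip : eicar.com' -> "
    "'EICAR_Test_file_not_a_virus!'\n"
    "1 possible infections found.\n"
)
SANDBOX_REPORT = (
    "Possible virus in './dummy.exe' -> 'Sandbox: W32/Malware; [ General\n"
    "information ]\n"
    "* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS at NORMAN.NO -\n"
    "REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.\n"
    "* File length: 4096 bytes.\n"
    "'\n"
)
SANDBOX = "Logging to '/opt/norman/logs/nvc00001.log'\n" + SANDBOX_REPORT \
    + "1 possible infections found.\n"
# The Eicar line here is wrapped after '->' exactly as it appears in the post.
BOTH = (
    "Logging to '/opt/norman/logs/nvc00002.log'\n" + SANDBOX_REPORT
    + "Possible virus in '/root/SCANDIR/./eicar_com.zip : eicar.com' ->\n"
    "'EICAR_Test_file_not_a_virus!'\n"
    "2 possible infections found.\n"
)

if __name__ == "__main__":
    for name, sample in (("definitions", DEFINITIONS), ("sandbox", SANDBOX), ("both", BOTH)):
        print(name, "per-line:", parse_per_line(sample))
        print(name, "buffered:", parse_buffered(sample, "/root/SCANDIR"))
```

Run as-is, the per-line parser finds the Eicar hit only in the single-line definitions sample and nothing at all in the sandbox sample, which is the silent failure described in this thread: the scanner flagged the file, but nothing is parsed out, so the message would pass as clean. The buffered parser returns all three verdicts with comparable absolute paths, which is the check worth keeping in mind whenever a scanner's verdict format changes.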