Panda Antivirus (pavcl v 9.00.00)

Glenn Steen glenn.steen at gmail.com
Tue May 30 15:44:15 IST 2006


On 30/05/06, Rick Cooper <rcooper at dwford.com> wrote:
> I noted last week Glenn mentioned something about a new panda pavcl (version
> 9). It would appear they have made good their promise to make it more "parse
> friendly". They have included the following two switches:
>
>         -noscr
>         -rpt:filename
> With these switches there is no terminal output during the scan and the
> report file can be named, and then of course parsed after the scan. This
> means an entire batch can be scanned at once and the report file parsed to
> accurately determine which message and file(s) contain the virus(es).

Splendid.
I only have had time to install the rpm, noted the changed install
would mean some small changes to the autoupdate script, and that
they've renamed some options, and the need to use the -nob, which
would mean some further small changes to MailScanner. Did some initial
testing with your current wrapper, and it seems to be working OK (with
the obvious amendments to the options, of course).
...... Then went off on the choir trip... I'm still trying to recover
from that... (Sometime, soon, I'll have to learn that singing and
booze don't mix too well, at least not if one is to perform a somewhat
demanding program... Some Bach, Schütz, Walton, Mozart etc etc. Bad
enough sober, terribly demanding slightly hungover). And have next to
no time at all. Sigh. ATM, I *should* be at at least two different
places, at once. Guess that is why one needs to master the art of
"prioritising":-)
Hadn't looked too close on those two options. As you say, this could
be a great leap forward for pavcl.

> The down side is I have *no* time right now to rewrite the wrapper to handle
> the new version. If someone wants to either write a separate version 9.xx
> wrapper, great... or you could fork the current wrapper to handle both by
> doing something like
>
> pavcl -info|grep -i version |sed "s/Product version: //"
>
> and check for =~ /9\.\d{2}\.\d{2}/
>
> recommended command line options for version
> 9.xx: -nor -noscr -nob -eng -auto -cmp -heu -aex -rpt:./pavcl.out
>
> and look at the file it appears pretty easy to parse:
>
> File checked        : full_path/archive_name[archive_name]..[infected_file]
>         Found virus :Virus_Name
>
> so if an archive contained
>         test1.zip->
>                         test2.zip->
>                                         eicar.com
>
> you would see
> File checked        :/path/test1.zip
>         Found virus:EICAR-AV-TEST-FILE
>
> File checked        :/path/test1.zip[test2.zip][eicar.com]
>         Found virus:EICAR-AV-TEST-FILE
>
> So you would have to track your infections from the base archive through
> nested archives and report only the base archive and infected file name as
> one infection.
>
> If no one does a version 9 wrapper by this weekend I *might* have the time
> to do something Sunday. Once the wrapper is done I think anyone using pavcl
> should update to the version 9 right away, as it seems to me this new
> functionality would be faster and more stable than the old method, although
> I *think* the current wrapper will work with the new version, although you
> will notice it's slower because they now scan boot sectors by default so
> the -nob option added to the current wrapper would remove that extra
> processing.
>
Unless something extraordinary happens, I'll not be able to do more
than assist with testing. Any weekend you feel up to it will be fine
by me:-).

Cheers
-- 
-- Glenn (who will exercise a bit of creative "prioritising".... Drop
work, and go to the office party just getting into swing:-)
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
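
The report parsing described in the quoted message above, as an added example (not part of the original message and not MailScanner's own wrapper code): it reads a `-rpt:` style report and collapses the base-archive line and the nested-archive line into one infection per base archive and infected file. The names `parse_report` and `split_path` and the sample report are constructed for illustration, and it assumes file names do not themselves contain square brackets.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the message (not real output).
# The last entry, a plain infected file, uses the spacing of the template line.
SAMPLE_REPORT = """\
File checked        :/path/test1.zip
        Found virus:EICAR-AV-TEST-FILE

File checked        :/path/test1.zip[test2.zip][eicar.com]
        Found virus:EICAR-AV-TEST-FILE

File checked        : /path/plain.com
        Found virus :EICAR-AV-TEST-FILE
"""

FILE_RE = re.compile(r"^\s*File checked\s*:\s*(.+?)\s*$")
VIRUS_RE = re.compile(r"^\s*Found virus\s*:\s*(.+?)\s*$")
MEMBER_RE = re.compile(r"\[([^\]]*)\]")


def split_path(entry):
    """'/p/a.zip[b.zip][c]' -> ('/p/a.zip', ('b.zip', 'c'))."""
    base, bracket, rest = entry.partition("[")
    return base, tuple(MEMBER_RE.findall(bracket + rest))


def parse_report(text):
    """Return one (base_file, infected_member_or_None, virus) per infection."""
    chains = defaultdict(set)  # (base, virus) -> set of member chains seen
    current = None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = split_path(m.group(1))
            continue
        m = VIRUS_RE.match(line)
        if m and current:
            chains[(current[0], m.group(1))].add(current[1])
    infections = []
    for base, virus in sorted(chains):
        seen = chains[(base, virus)]
        for chain in sorted(seen):
            # Skip the archive-level echo: a chain that is a strict prefix
            # of a deeper chain describes the same infection.
            if any(o != chain and o[:len(chain)] == chain for o in seen):
                continue
            infections.append((base, chain[-1] if chain else None, virus))
    return infections
```

Calling `parse_report(SAMPLE_REPORT)` yields two infections rather than three, because the `/path/test1.zip` line is folded into the `[test2.zip][eicar.com]` line.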

