AVG Antivirus scanner problem

Rick Cooper rcooper at dwford.com
Mon Jun 11 14:37:33 IST 2007


>> From: mailscanner-bounces at lists.mailscanner.info
>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rick
>> Cooper Sent: Sunday, June 10, 2007 1:56 PM To: 'MailScanner
>> discussion' Subject: RE: AVG Antivirus scanner problem
	
	
>> There was also an issue with the correct parsing of the virus if IIRC
>> and the logout line was very unfriendly to MailWatch.
   
>> I added $line =~ s/^(.+)(?:\s{1,}\(.+\))$/$1/; below $line =~
>> s/[\r\n]//g; to remove the new(?) (+2) junk at the end of found lines
>> I changed my $virus = $1; to my $virus = $line; and added $virus =~
>> s/^.+\s+(.+?)$/$1/; because all of my log lines showed virus to be
>> blank (found virus in file), and I also modified the logout
>> information to
	 
>> my $logout = $line; $logout =~ s/\s{2,}/ /gs; $logout =~ s/:./->/;
>> $logout =~ /^.+\/(.+?)\s{1,}(.+)\s{0,}$/; MailScanner::Log::InfoLog
>> ("Avg: %s in %s", $2,$1);
	 
>> so it would be easy for MailWatch to get the virus and file name
>> (seemed to be backward from the regex I think).
   
>> That brings me to a question I was going to ask next week. How about
>> standardizing the virus found log messages? I look through the
>> MailWatch code and every time something is added to MailScanner they
>> would have to re-write the section that handles logging the virus and
>> filename regex. If there was a standard log output such as
>> Scanner::ScannerName VIRUS_NAME Found In FILE_NAME then MailWatch
>> (and other utilities) could easily parse the scanner, the virus name
>> and the file.
	 
>> The MailWatch clamd, avg and panda support all need to be updated.
   
>> What do you think?
   
>> Rick

There was something else I noticed. If you have the same file in two
archives (I believe that was the trigger) MailScanner repeated the report,
so you got a report something like

Scanner AVG: test_eicar_file was found in test.rar
             test_eircar_file was found in test.rar
			 
So I also made the following change:

   $part =~ s/\t.*$//;
   $part =~ s/=\>.*$//;
   #print STDERR "id:$id:part = $part\n";
   #print STDERR "$Name : Found virus $virus in file $part ID:$id\n";
-  $infections->{$id}{$part} .= $Name . ': ' if $Name;
-  $infections->{$id}{$part} .= "Found virus $virus in file $part\n";
-  $types->{$id}{$part}      .= "v"; # so we know what to tell sender
+  # If avg finds both the archive and file to be infected and the file
+  # exists in more than one (because of SafeName) archive the archive is
+  # reported twice so check and make sure the archive is only reported once
+  my $Report = $Name . ': ' if $Name;
+  $Report .= "Found virus $virus in file $part";
+  $infections->{$id}{$part} .= "$Report\n" unless $infections->{$id}{$part}
=~ /$Report/si;
+  $types->{$id}{$part}      .= "v" unless $types->{$id}{$part}; # so we
know what to tell sender
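Review bot: the duplicate check `unless $infections->{$id}{$part} =~ /$Report/si` interpolates the freshly built report text as a regular expression, so a virus name or file name containing `(`, `+`, `.` or `[` is read as pattern syntax rather than literal text (an unbalanced parenthesis makes the match die at runtime), and the first time a part is seen the left-hand value is undefined, which warns under `use warnings`. A literal comparison avoids both: `unless defined $infections->{$id}{$part} && index($infections->{$id}{$part}, $Report) >= 0`, or `/\Q$Report\E/` if a regex is kept. Separately, `my $Report = $Name . ': ' if $Name;` is a lexical declaration under a statement modifier, which perl documents as undefined behaviour; when `$Name` is false `$Report` can retain the value from an earlier call and the following `.=` appends to it. Declare and assign unconditionally instead: `my $Report = $Name ? "$Name: " : '';`.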
			 


[...]


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
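To illustrate the duplicate-report case from the message above, here is an added example (not code from this thread or from MailScanner itself): a hypothetical add_report helper that keeps one report per message id and part, remembering what has been reported in an exact-match hash rather than matching the report text as a regex, so a virus name containing parentheses or other metacharacters is handled like any other. The %infections and %types hashes mirror the names in the patch, and the sample findings are constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper, not MailScanner's code. One "Found virus" line is
# recorded per (message id, part); repeats of the same report are ignored.
# The report text is used as a hash key, never as a pattern, so names with
# regex metacharacters cannot alter or break the duplicate check.
my (%infections, %types, %seen);

sub add_report {
    my ($id, $part, $name, $virus) = @_;
    my $report = ($name ? "$name: " : '') . "Found virus $virus in file $part";

    # Post-increment returns the old count: 0 on first sight, so we record it.
    return 0 if $seen{$id}{$part}{$report}++;

    $infections{$id}{$part} .= "$report\n";
    $types{$id}{$part} .= 'v'                     # so we know what to tell sender
        unless defined $types{$id}{$part} && $types{$id}{$part} =~ /v/;
    return 1;
}

# Constructed sample: the scanner reports the same archive member twice (the
# file exists in two archives), and one virus name carries regex metacharacters.
my @findings = (
    ['msg1', 'test.rar', 'AVG', 'test_eicar_file'],
    ['msg1', 'test.rar', 'AVG', 'test_eicar_file'],               # repeat
    ['msg1', 'test.rar', 'AVG', 'EICAR-Test-File (not a virus)'],
    ['msg1', 'test.rar', 'AVG', 'EICAR-Test-File (not a virus)'], # repeat
);

my $added = 0;
$added += add_report(@$_) for @findings;

print "reports recorded: $added\n";
print $infections{msg1}{'test.rar'};
print "types: $types{msg1}{'test.rar'}\n";
```

Feeding the four findings through the helper records two reports and a single "v" type flag; the repeated lines are dropped without any pattern matching on scanner output.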



