AVG Antivirus scanner problem
Rick Cooper
rcooper at dwford.com
Mon Jun 11 18:14:25 IST 2007
_____
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
Field
Sent: Monday, June 11, 2007 10:13 AM
To: MailScanner discussion
Subject: Re: AVG Antivirus scanner problem
Can you send me a single patch including all your proposed changes (patch
against the SweepViruses.pm including the patch I posted last night) so I
can see what you're doing. And don't forget to quotemeta the $Report before
you // for it!
[Rick Cooper]
I can and I did (forget to quotemeta). I was getting ready to make the patch
and it occurred to me that current avgscan supports trapping password
protected files in archives. Should that be enabled depending on the setting
for "Allow Password-Protected Archives"? If so the scanner options need
changing and the parser needs to be updated to catch the "Contains
password-protected files" string. Or would you prefer to catch them in the
unpack function only and not bother with the scanner(s) checking as well?
Rick Cooper wrote:
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Rick Cooper
Sent: Sunday, June 10, 2007 1:56 PM
To: 'MailScanner discussion'
Subject: RE: AVG Antivirus scanner problem
There was also an issue with the correct parsing of the virus, IIRC,
and the logout line was very unfriendly to MailWatch.
I added

    $line =~ s/^(.+)(?:\s{1,}\(.+\))$/$1/;

below

    $line =~ s/[\r\n]//g;

to remove the new(?) (+2) junk at the end of found lines.
I changed

    my $virus = $1;

to

    my $virus = $line;

and added

    $virus =~ s/^.+\s+(.+?)$/$1/;

because all of my log lines showed virus to be blank (found virus in
file), and I also modified the logout information to

    my $logout = $line;
    $logout =~ s/\s{2,}/ /gs;
    $logout =~ s/:./->/;
    $logout =~ /^.+\/(.+?)\s{1,}(.+)\s{0,}$/;
    MailScanner::Log::InfoLog("Avg: %s in %s", $2, $1);

so it would be easy for MailWatch to get the virus and file name
(seemed to be backward from the regex I think).
That brings me to a question I was going to ask next week. How about
standardizing the virus-found log messages? I looked through the
MailWatch code, and every time something is added to MailScanner they
would have to re-write the section that handles logging the virus and
filename regex. If there was a standard log output such as
Scanner::ScannerName VIRUS_NAME Found In FILE_NAME then MailWatch
(and other utilities) could easily parse the scanner, the virus name
and the file.
The MailWatch clamd, avg and panda support all need updated.
What do you think?
Rick
There was something else I noticed. If you have the same file in two archives
(I believe that was the trigger) MailScanner repeated the report so you got a
report something like

    Scanner AVG: test_eicar_file was found in test.rar
    test_eicar_file was found in test.rar

So I also made the following change:
$part =~ s/\t.*$//;
$part =~ s/=\>.*$//;
#print STDERR "id:$id:part = $part\n";
#print STDERR "$Name : Found virus $virus in file $part ID:$id\n";
- $infections->{$id}{$part} .= $Name . ': ' if $Name;
- $infections->{$id}{$part} .= "Found virus $virus in file $part\n";
- $types->{$id}{$part} .= "v"; # so we know what to tell sender
+ # If avg finds both the archive and file to be infected and the file
+ # exists in more than one (because of SafeName) archive the archive is
+ # reported twice so check and make sure the archive is only reported once
+ my $Report = $Name . ': ' if $Name;
+ $Report .= "Found virus $virus in file $part";
+ $infections->{$id}{$part} .= "$Report\n" unless $infections->{$id}{$part}
=~ /$Report/si;
+ $types->{$id}{$part} .= "v" unless $types->{$id}{$part}; # so we
know what to tell sender
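Review bot: the dedup test `$infections->{$id}{$part} =~ /$Report/si` in the `+` block interpolates `$Report` as a pattern, and `$Report` carries the virus name and file name taken from scanner output, so a name containing `.`, `+`, `?` or `(` either matches other entries loosely or, for an unbalanced `(` or `[`, dies at runtime with a regex compile error; compare with `/\Q$Report\E/si` or `index($infections->{$id}{$part}, $Report) >= 0` instead. Two smaller points in the same block: `my $Report = $Name . ': ' if $Name;` is the `my ... if` form that perlsyn documents as undefined behaviour (when `$Name` is false the variable can keep its value from an earlier iteration), so `my $Report = $Name ? $Name . ': ' : '';` is safer; and on the first report for a part `$infections->{$id}{$part}` is still undef, so the `=~` inside the `unless` emits an uninitialized-value warning under `use warnings`. The `.= "v" unless $types->{$id}{$part}` line also changes the old append-every-time behaviour; a short note in the comment would save the next reader from wondering whether that was intended.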
[...]
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
Jules
--
Julian Field MEng CITP
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit www.transtec.co.uk
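An added worked example covering the three pieces discussed in this thread, written for this page and not taken from MailScanner or MailWatch: splitting the file and virus name out of an avgscan-style line after stripping the trailing "(+N)" text, recording each report once per archive without using the report text as a regex (the quotemeta point above), and emitting the fixed-format "Scanner::NAME VIRUS Found In FILE" line together with a parser for it. The sample lines are constructed, and their shape ("<path>  <virus text> (+N)", with the path in an incoming/<pid>/<msgid>/<file> layout) is an assumption modelled on the regexes quoted above rather than on documented avgscan output; the "Found password-protected archive" wording is the example's own.

```perl
#!/usr/bin/perl
# Added example, not MailScanner or MailWatch code.  Input format and
# directory layout below are assumptions modelled on the regexes in the thread.
use strict;
use warnings;

# Constructed sample scanner output (not real avgscan output).  Assumed shape:
# "<path>  <virus text> (+N)", path in MailScanner's incoming/<pid>/<msgid>/<file> layout.
my @sample_lines = (
    "/var/spool/MailScanner/incoming/1234/msg1/test.rar  EICAR_Test (+2)",
    "/var/spool/MailScanner/incoming/1234/msg1/test.rar  EICAR_Test (+2)",
    "/var/spool/MailScanner/incoming/1234/msg1/weird.zip  Exploit.W32/Foo.a (+1)",
    "/var/spool/MailScanner/incoming/1234/msg1/locked.zip  Contains password-protected files",
);

# Split one scanner line into (msgid, file, text, type): type 'v' for a
# detection, 'p' for a password-protected archive; empty list if the line
# does not look like a report at all.
sub parse_avg_line {
    my ($line) = @_;
    $line =~ s/[\r\n]//g;
    $line =~ s/^(.+?)\s+\(\+\d+\)$/$1/;          # drop the trailing "(+N)" junk
    return unless $line =~ m{^(\S+)/([^/\s]+)\s+(.+?)\s*$};
    my ($dir, $file, $text) = ($1, $2, $3);
    my ($id) = $dir =~ m{([^/]+)$};              # parent directory = message id (assumption)
    my $type = $text =~ /Contains password-protected files/ ? 'p' : 'v';
    return ($id, $file, $text, $type);
}

# Record a report once per (message, file).  index() is used instead of a
# regex match so that metacharacters in the virus name (the "/" and "." in
# "Exploit.W32/Foo.a", or parentheses and brackets in other names) cannot
# alter or break the comparison; \Q$report\E inside m// would be equivalent.
sub record_report {
    my ($infections, $types, $name, $id, $part, $text, $type) = @_;
    my $report = $name ? "$name: " : '';         # plain ternary, not "my ... if"
    $report .= $type eq 'p'
        ? "Found password-protected archive $part"
        : "Found virus $text in file $part";
    $infections->{$id}{$part} = '' unless defined $infections->{$id}{$part};
    return 0 if index($infections->{$id}{$part}, "$report\n") >= 0;   # already reported
    $infections->{$id}{$part} .= "$report\n";
    $types->{$id}{$part} = '' unless defined $types->{$id}{$part};
    $types->{$id}{$part} .= $type if index($types->{$id}{$part}, $type) < 0;
    return 1;
}

# The fixed-format line proposed in the thread, and the parser a tool such as
# MailWatch could use for it.  The literal " Found In " token is the separator,
# so virus names containing spaces still parse.
sub standard_log_line {
    my ($scanner, $virus, $file) = @_;
    return "Scanner::$scanner $virus Found In $file";
}

sub parse_standard_log_line {
    my ($line) = @_;
    return unless $line =~ /^Scanner::(\S+) (.+) Found In (.+)$/;
    return ($1, $2, $3);
}

my (%infections, %types);
for my $line (@sample_lines) {
    my ($id, $part, $text, $type) = parse_avg_line($line) or next;
    record_report(\%infections, \%types, 'AVG', $id, $part, $text, $type) or next;
    next if $type eq 'p';                        # nothing to log as a virus
    my $log = standard_log_line('AVG', $text, $part);
    my ($scanner, $virus, $file) = parse_standard_log_line($log);
    print "$log\n  -> scanner=$scanner virus=$virus file=$file\n";
}
print "\nReports per message/file:\n";
for my $id (sort keys %infections) {
    for my $part (sort keys %{ $infections{$id} }) {
        print "$id/$part types=$types{$id}{$part}\n", $infections{$id}{$part};
    }
}
```

Run it with perl: the second test.rar line is dropped as a duplicate, the slash in Exploit.W32/Foo.a is compared literally rather than as a pattern, and the password-protected line is recorded under type p without producing a virus log line.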