Testing the anti-virus stack

Andrew MacLachlan amaclach at yahoo.co.uk
Fri May 4 00:33:53 IST 2007


OK - it's automagically started working.

I got the output strings for avast by running an interactive cmdline scan against eicar.com. If anyone's interested they are:

/tmp/eicar.com [infected by: EICAR Test-NOT virus!!]

and the mailwatch mods (yes - I know - different list...) including the new clam strings in functions.php are:

if (!defined('VIRUS_REGEX') || !DISTRIBUTED_SETUP) {
 // Pick the regex that extracts the virus name from the primary scanner's report text.
 switch ($scanner = get_primary_scanner()) {
  case 'none':
   define('VIRUS_REGEX', '/^Dummy$/');
   break;
  case 'sophos':
   define('VIRUS_REGEX', '/(>>>) Virus \'(\S+)\' found/');
   break;
  case 'sophossavi':
   define('VIRUS_REGEX', '/(\S+) was infected by (\S+)/');
   break;
  case 'clamav':
   define('VIRUS_REGEX', '/(.+) contains (\S+)/');
   break;
  case 'clamd':
   define('VIRUS_REGEX', '/(.+) contains (\S+)/');
   break;
  case 'clamavmodule':
   define('VIRUS_REGEX', '/(.+) was infected: (\S+)/');
   break;
  case 'f-prot':
   define('VIRUS_REGEX', '/(.+) Infection: (\S+)/');
   break;
  case 'mcafee':
   define('VIRUS_REGEX', '/(.+) Found the (\S+) virus !!!/');
   break;
  case 'f-secure':
   define('VIRUS_REGEX', '/(.+) Infected: (\S+)/');
   break;
  case 'trend':
   define('VIRUS_REGEX', '/(Found virus) (\S+) in file (\S+)/');
   break;
  case 'bitdefender':
   define('VIRUS_REGEX', '/(\S+) Found virus (\S+)/');
   break;
  case 'kaspersky-4.5':
   define('VIRUS_REGEX', '/(.+) INFECTED (\S+)/');
   break;
  case 'etrust':
   define('VIRUS_REGEX', '/(\S+) is infected by virus: (\S+)/');
   break;
  case 'avg':
   define('VIRUS_REGEX', '/(Found virus) (\S+) in file (\S+)/');
   break;
  case 'avast':
   // The square brackets must be escaped, otherwise "[infected by: ... virus!!]" is read
   // as a character class and the (\S+) group vanishes. (.+?) instead of (\S+) because
   // avast names such as "EICAR Test-NOT" contain a space.
   define('VIRUS_REGEX', '/(.+) \[infected by: (.+?) virus!!\]/');
   break;
  case 'avastd':
   define('VIRUS_REGEX', '/(.+) \[infected by: (.+?) virus!!\]/');
   break;
  default:
   die("<B>Error:</B><BR>\n&nbsp;Unable to select a regular expression for your primary virus scanner ($scanner) - please see the examples in functions.php to create one.\n");
   break;
 }
}

Hope this is of use to someone!

 
Regards, 
Andy
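As an added check that is not part of Andy's post or of MailWatch itself: the patterns above, run against sample report lines with Python's re module (which reads these particular constructs the same way PCRE does). It shows that the avast pattern exactly as posted matches but yields no virus-name group, while the escaped form captures "EICAR Test-NOT". The avast line is the one quoted above; the clamav and sophos lines are constructed to fit their patterns.

```python
import re

# Patterns from the functions.php excerpt in the post (PCRE syntax). Python's re
# module reads these particular constructs identically, so they can be checked here.
VIRUS_REGEX = {
    "clamav": r"(.+) contains (\S+)",
    "sophos": r"(>>>) Virus '(\S+)' found",
    # Exactly as posted: the brackets are not escaped, so "[infected by: ... virus!!]"
    # is a character class and the (\S+) group disappears into it.
    "avast-as-posted": r"(.+) [infected by: (\S+) virus!!]",
    # Escaped brackets; (.+?) rather than (\S+) because "EICAR Test-NOT" has a space.
    "avast": r"(.+) \[infected by: (.+?) virus!!\]",
}

# Sample report lines. The avast line is the one quoted in the post; the clamav and
# sophos lines are constructed here to fit the corresponding patterns.
EICAR_REPORT = {
    "clamav": "./eicar.com contains Eicar-Test-Signature",
    "sophos": ">>> Virus 'EICAR-AV-Test' found in file /tmp/eicar.com",
    "avast-as-posted": "/tmp/eicar.com [infected by: EICAR Test-NOT virus!!]",
    "avast": "/tmp/eicar.com [infected by: EICAR Test-NOT virus!!]",
}


def extract_groups(scanner, report):
    """Apply the scanner's VIRUS_REGEX to one report line.

    Returns the tuple of captured groups, or None when the pattern does not match.
    For the scanners listed here the virus name is expected in group 2.
    """
    match = re.search(VIRUS_REGEX[scanner], report)
    return match.groups() if match else None


def check_all():
    """Run every pattern against its EICAR report and return the virus name it yields.

    A pattern passes only if it matches AND produces a second group; a match with no
    second group (the unescaped avast case) is just as useless to MailWatch as a miss.
    """
    results = {}
    for scanner, report in EICAR_REPORT.items():
        groups = extract_groups(scanner, report)
        results[scanner] = groups[1] if groups and len(groups) >= 2 else None
    return results


if __name__ == "__main__":
    for scanner, name in check_all().items():
        status = "OK  " if name else "FAIL"
        print(f"{status} {scanner:16s} virus name: {name!r}")
```

Swap in your own scanner's report line before deploying a new VIRUS_REGEX; a pattern that passes here will extract the same name from the MailScanner report MailWatch stores.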


----- Original Message ----
From: --[ UxBoD ]-- <uxbod at splatnix.net>
To: MailScanner discussion <mailscanner at lists.mailscanner.info>
Sent: Thursday, 3 May, 2007 8:21:14 PM
Subject: Re: Testing the anti-virus stack

Why not run in debug mode and test with eicar.com ?

On Thu, 3 May 2007 19:06:24 +0000 (GMT), Andrew MacLachlan <amaclach at yahoo.co.uk> wrote:
> OK - I'm pulling what's left of my hair out here trying to test Avast.
> What I think is happening is that MailScanner is blocking all the test
> files before they get to the virus scanner.
> 
> How do I know when the virus scanner has picked up a virus (Nothing in the
> maillog)??
> I also need to get the output strings so that I can configure MailWatch
> for avastd. I've already turned clam off.
> 
> If anyone has something infected feel free to send it to
> andy.mac at global-domination.org
> 
> Cheers, Andy
> 
> 
> ----- Original Message ----
> From: Dan Hollis <spamtrap71892316634 at anime.net>
> To: MailScanner discussion <mailscanner at lists.mailscanner.info>
> Sent: Thursday, 3 May, 2007 6:42:02 PM
> Subject: Re: 32 bit distro or 64?
> 
> On Thu, 3 May 2007, Rick Chadderdon wrote:
>> Still, it is much easier to get support from a vendor if you're using
>> their software the way that they intended.  I can already hear, "Oh, I'm
>> sorry, we don't support that product running on a 64-bit OS."  Even if
>> the problem you're having is not related to the OS at all.  Just
>> something to consider.
> 
> In this case you vote with your wallet and find another vendor. Works for
> me anyway :)
> 
> -Dan
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
> 
> Before posting, read http://wiki.mailscanner.info/posting
> 
> Support MailScanner development - buy the book off the website!
> 
> 
> --
> This message has been scanned for viruses and dangerous content by
> MailScanner, and is
> believed to be clean.
-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: 543A E778 7F2D 98F1 3E50 9C1F F190 93E0 E8E8 0CF8
// Keyserver: www.keyserver.net Key-ID: 0xE8E80CF8
// Phone: +44 (0) 845 869 2749  SIP: uxbod at sip.splatnix.net


-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is
believed to be clean.

--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/mailman/listinfo/mailscanner

Before posting, read http://wiki.mailscanner.info/posting

Support MailScanner development - buy the book off the website!