vba32 problem with MailScanner --lint

Julian Field MailScanner at ecs.soton.ac.uk
Mon Aug 25 20:38:03 IST 2008


Look in SweepViruses.pm 
(/usr/lib/MailScanner/MailScanner/SweepViruses.pm) and you will find a 
"sub Processvba32Output" function.

Change it to this:

sub Processvba32Output {
  my($line, $infections, $types, $BaseDir, $Name) = @_;
  my($report, $infected, $dot, $id, $part, @rest);
  my($logout);
   
  chomp $line;
  $logout = $line;
  $logout =~ s/%/%%/g;
  $logout =~ s/\s{20,}/ /g;
  #MailScanner::Log::WarnLog($logout)
  #  if $line =~ /^\..*( infected | is suspected of )/i;
 
  $line =~ s/^$BaseDir/./; # Newer versions put BaseDir instead of .
  if ($line =~
      /^(\..*) : (infected|is suspected of) (.*)$/i) {
    my($fileentry, $virusname) = ($1,$3);
    MailScanner::Log::InfoLog($logout);
    #$fileentry =~ s/^$BaseDir//;
    ($dot, $id, $part, @rest) = split(/\//, $fileentry);
    $part =~ s/:\<[A-Z]+\>\\.*$//g;
    $report = "Found virus $virusname in $part";
    $report = $Name . ': '. $report if $Name;
    $infections->{"$id"}{"$part"} .= $report . "\n";
    $types->{"$id"}{"$part"} .= "v"; # it's a real virus
    return 1;
  }
}

The only change is the new line in the middle, just before the "if 
($line =~" line.
This should be sufficient to make it cope with both versions of the output.

Please let me know if this fixes the problem for you, and works with 
both the old and the new versions of vba32.

Cheers,
Jules.

Paul Hutchings wrote:
> Just realised I ran a different thing to what you asked.
>
> Looks like it all comes down to a "."
>
> Without update:
>
> +---------------------------------------------------+
> |          VirusBlokAda (Console scanner)           |
> | Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) |
> |        Copyright (c) 1993-2008 by VBA Ltd.        |
> +---------------------------------------------------+
> Key file not found
> Demo mode
> Command line options:
> -af+ -ha+ -rw+
> Ctrl-C will terminate program execution
>
> .
> ./eicar.com : infected EICAR-Test-File
>
> Directories       : 1       Files in archives:      Files on disks:
> Archives:                   -  total      : 0       - total       : 1
> - scanned         : 0       -  scanned    : 0       - scanned     : 1
> - contain viruses : 0       -  infected   : 0       - infected    : 1
> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>
> Startup    : 23:07:40 24-08-2008
> End        : 23:07:41 24-08-2008
> Total time : 00:00:01
>
> With update:
>
> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl .
> +---------------------------------------------------+
> |          VirusBlokAda (Console scanner)           |
> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
> |        Copyright (c) 1993-2008 by VBA Ltd.        |
> +---------------------------------------------------+
> Key file not found
> Demo mode
> Command line options:
> -af+ -ha+ -rw+
> Ctrl-C will terminate program execution
>
> .
> /tmp/eicar/eicar.com : infected EICAR-Test-File
>
> Directories       : 1       Files in archives:      Files on disks:
> Archives:                   -  total      : 0       - total       : 1
> - scanned         : 0       -  scanned    : 0       - scanned     : 1
> - contain viruses : 0       -  infected   : 0       - infected    : 1
> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>
> Startup    : 23:06:00 24-08-2008
> End        : 23:06:00 24-08-2008
> Total time : 00:00:00
>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Julian
> Field
> Sent: 24 August 2008 22:46
> To: MailScanner discussion
> Subject: Re: vba32 problem with MailScanner --lint
>
>
> On 24 Aug 2008, at 22:30, Julian Field <MailScanner at ecs.soton.ac.uk>  
> wrote:
>
>> Aha, thanks for that, it will help me diagnose the problem.
>> It's really something I need to take a look at.
>>
>> Could you put a copy of eicar.com in /tmp and run something like this
>> cd /tmp
>> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl .
>
> Don't forget the " ." on the end of that command!
>
>
>> And show me the output both before and after the "vbacl --update"  
>> has changed the version of vba32 you have installed. I need to  
>> handle both the old and the new outputs.
>>
>> Thanks.
>>
>> Paul Hutchings wrote:
>>> Hmm something I noticed:
>>>
>>> When I first install Vba32 and run "MailScanner --lint" it's happy -
>>> "vba32 said "Found virus EICAR-Test-File in eicar.com", and that is  
>>> with
>>> Vba32 Linux 3.12.6.1.
>>>
>>> After the first update via "vbacl --update" the issue starts with
>>> MailScanner not picking up the output from vba32.
>>>
>>> At this point though, Vba32 has updated itself to Vba32 Linux  
>>> 3.12.8.4.
>>>
>>> I guess something has changed in the Vba32 output with the later  
>>> version
>>> that MailScanner isn't aware of?
>>>
>>> Any ideas if this is something I can change or if it's something  
>>> Julian
>>> needs to change in the mailscanner code?
>>>
>>> -----Original Message-----
>>> From: mailscanner-bounces at lists.mailscanner.info
>>> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Paul
>>> Hutchings
>>> Sent: 24 August 2008 13:08
>>> To: MailScanner discussion
>>> Subject: vba32 problem with MailScanner --lint
>>>
>>> Just trialling a few virus scanners, bitdefender, clamd, avg and  
>>> vba32
>>> are installed.
>>>
>>> Vba32 appears to be working if I test the wrapper:
>>>
>>> /usr/lib/MailScanner/vba32-wrapper /opt/vba/vbacl /tmp/malware/29.exe
>>> +---------------------------------------------------+
>>> |          VirusBlokAda (Console scanner)           |
>>> | Vba32 Linux 3.12.8.4 / 2008.08.23 11:06 (Vba32.L) |
>>> |        Copyright (c) 1993-2008 by VBA Ltd.        |
>>> +---------------------------------------------------+
>>> User: VBA32 Testlizenz
>>> License #000000324 Valid till 31.10.2008
>>> Command line options:
>>> -af+ -ha+ -rw+
>>> Ctrl-C will terminate program execution
>>>
>>> /tmp/malware/29.exe
>>> /tmp/malware/29.exe : infected Trojan- 
>>> GameThief.Win32.OnLineGames.shie
>>>
>>> Directories       : 0       Files in archives:      Files on disks:
>>> Archives:                   -  total      : 0       - total       : 1
>>> - scanned         : 0       -  scanned    : 0       - scanned     : 1
>>> - contain viruses : 0       -  infected   : 0       - infected    : 1
>>> - deleted         : 0       -  suspicious : 0       - suspicious  : 0
>>>
>>> Startup    : 13:05:01 24-08-2008
>>> End        : 13:05:01 24-08-2008
>>> Total time : 00:00:00
>>>
>>> Yes when I run a lint with MailScanner it doesn't appear to output a
>>> string that MailScanner can take as meaning an infection has been  
>>> found:
>>>
>>> MailScanner --lint
>>> Trying to setlogsock(unix)
>>> Read 850 hostnames from the phishing whitelist
>>> Read 5259 hostnames from the phishing blacklist
>>> Checking version numbers...
>>> Version installed (4.70.7) does not match version stated in
>>> MailScanner.conf file (4.70.6), you may want to run
>>> upgrade_MailScanner_conf
>>> to ensure your MailScanner.conf file contains all the latest  
>>> settings.
>>>
>>> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
>>> MailScanner setting GID to  (89)
>>> MailScanner setting UID to  (89)
>>>
>>> Checking for SpamAssassin errors (if you use it)...
>>> SpamAssassin temporary working directory is
>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>>> SpamAssassin temp dir =
>>> /var/spool/MailScanner/incoming/SpamAssassin-Temp
>>> Using SpamAssassin results cache
>>> Connected to SpamAssassin cache database
>>> SpamAssassin reported no errors.
>>> Using locktype = posix
>>> MailScanner.conf says "Virus Scanners = avg bitdefender clamd vba32"
>>> Found these virus scanners installed: bitdefender, clamd, vba32, avg
>>> ===========================================================================
>>> Virus and Content Scanning: Starting
>>> Avg: Virus identified EICAR_Test in eicar.com
>>> Virus Scanning: Avg found 1 infections
>>> 1/eicar.com:infected: EICAR-Test-File (not a virus)
>>> Virus Scanning: Bitdefender found 1 infections
>>> ClamAVModule::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
>>> Virus Scanning: Clamd found 1 infections
>>> Virus Scanning: vba32 found 1 infections
>>> Infected message 1 came from 10.1.1.1
>>> Virus Scanning: Found 1 viruses
>>> ===========================================================================
>>> Virus Scanner test reports:
>>> Avg said "Found virus EICAR_Test in file eicar.com"
>>> Bitdefender said "Found virus EICAR-Test-File (not a virus) in file
>>> eicar.com"
>>> Clamd said "eicar.com was infected: Eicar-Test-Signature"
>>>
>>> If any of your virus scanners (bitdefender,clamd,vba32,avg)
>>> are not listed there, you should check that they are installed  
>>> correctly
>>> and that MailScanner is finding them correctly via its
>>> virus.scanners.conf.
>>>
>>> Any suggestions please?
>>>
>>>
>> Jules
>>
>> -- 
>> Julian Field MEng CITP CEng
>> www.MailScanner.info
>> Buy the MailScanner book at www.MailScanner.info/store
>>
>> MailScanner customisation, or any advanced system administration help?
>> Contact me at Jules at Jules.FM
>>
>> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>> PGP public key: http://www.jules.fm/julesfm.asc
>>
>>
>> -- 
>> This message has been scanned for viruses and
>> dangerous content by MailScanner, and is
>> believed to be clean.
>>
>> -- 
>> MailScanner mailing list
>> mailscanner at lists.mailscanner.info
>> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>>
>> Before posting, read http://wiki.mailscanner.info/posting
>>
>> Support MailScanner development - buy the book off the website!
>

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
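The parsing logic behind Julian's one-line fix, re-implemented in Python as an added example (this is not MailScanner's own code, which is the Perl sub quoted at the top of the thread). It transcribes the two regexes from Processvba32Output, applies the BaseDir-to-"." substitution, and runs both the pre-update output layout (paths starting with ".") and the post-update layout (paths starting with the absolute scan directory) through the same parser, with a switch to disable the fix so the original symptom, an infection line that is silently ignored, is reproduced. The sample outputs, the message-id directory layout, the BaseDir value and the archive-member line are constructed for the example; only the "eicar.com : infected EICAR-Test-File" lines follow the runs Paul quoted.

```python
import re

# Patterns transcribed from the Perl Processvba32Output sub (Python regex syntax).
INFECTION_RE = re.compile(r'^(\..*) : (infected|is suspected of) (.*)$', re.IGNORECASE)
ARCHIVE_MEMBER_RE = re.compile(r':<[A-Z]+>\\.*$')   # strips e.g. ":<ZIP>\inner.exe"


def process_vba32_line(line, base_dir, name=None, strip_base_dir=True):
    """Parse one line of vba32 output, mirroring the Perl sub.

    Returns (message_id, part, report) for an infection line, otherwise None.
    strip_base_dir=False reproduces the behaviour before Julian's fix.
    """
    line = line.rstrip('\r\n')                      # chomp
    if strip_base_dir:
        # The fix: newer vba32 prints the absolute scan directory where older
        # versions printed ".". re.escape guards against regex metacharacters
        # in the path (the Perl interpolates $BaseDir into the regex unescaped).
        line = re.sub(r'^' + re.escape(base_dir), '.', line, count=1)
    m = INFECTION_RE.match(line)
    if not m:
        return None
    fileentry, virusname = m.group(1), m.group(3)
    fields = fileentry.split('/')                   # ('.', message id, part, ...)
    if len(fields) < 3:
        # MailScanner lays files out as ./<message id>/<attachment>; anything
        # shallower is not one of its files (the Perl would yield an empty part).
        return None
    message_id, part = fields[1], fields[2]
    part = ARCHIVE_MEMBER_RE.sub('', part)          # report the attachment, not the member
    report = f"Found virus {virusname} in {part}"
    if name:
        report = f"{name}: {report}"
    return message_id, part, report


def scan_vba32_output(output, base_dir, name=None, strip_base_dir=True):
    """Run every output line through the parser; return {message_id: {part: report}}."""
    infections = {}
    for line in output.splitlines():
        hit = process_vba32_line(line, base_dir, name, strip_base_dir)
        if hit:
            message_id, part, report = hit
            infections.setdefault(message_id, {})[part] = report
    return infections


# Constructed sample outputs, modelled on the two runs quoted in the thread but
# using MailScanner's ./<message id>/<attachment> layout and an assumed BaseDir.
BASE_DIR = "/var/spool/MailScanner/incoming/4711"   # assumed value, not from the thread

OLD_FORMAT = """\
+---------------------------------------------------+
| Vba32 Linux 3.12.6.1 / 2008.02.15 12:56 (Vba32.L) |
+---------------------------------------------------+
.
./1/eicar.com : infected EICAR-Test-File

Directories       : 1       Files in archives:      Files on disks:
- contain viruses : 0       -  infected   : 0       - infected    : 1
"""

NEW_FORMAT = (OLD_FORMAT
              .replace("./1/eicar.com", BASE_DIR + "/1/eicar.com")
              .replace("3.12.6.1 / 2008.02.15 12:56", "3.12.8.4 / 2008.08.23 11:06"))

# Constructed: an infection inside an archive member, exercising the part-name cleanup.
ARCHIVE_LINE = r"./2/attach.zip:<ZIP>\eicar.com : infected EICAR-Test-File"


if __name__ == "__main__":
    for label, out in (("old format", OLD_FORMAT), ("new format", NEW_FORMAT)):
        print(label, "with fix:   ", scan_vba32_output(out, BASE_DIR))
        print(label, "without fix:", scan_vba32_output(out, BASE_DIR, strip_base_dir=False))
    print("archive member:", process_vba32_line(ARCHIVE_LINE, BASE_DIR, name="vba32"))
```

Running it shows the point of the thread: with the substitution in place both layouts yield the same "Found virus EICAR-Test-File in eicar.com" report, while without it the post-update output produces no infection at all, which is why "MailScanner --lint" listed vba32 as installed but printed no "vba32 said ..." line. The fix is only correct when the BaseDir passed in is exactly the directory vba32 was pointed at, so a wrapper that resolves symlinks or runs from a different working directory would need the same check repeated against the resolved path.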


