Trouble making my own virus scanner
William D. Colburn
wcolburn at nrao.edu
Wed Nov 25 18:10:09 UTC 2015
I'm trying to use MailScanner to scan mail for viruses with Microsoft's
SCEP.
I updated /etc/MailScanner/virus.scanners.conf to use my own scep wrapper.
#generic /usr/share/MailScanner/generic-wrapper /
generic /opt/services/bin/scep-wrapper /opt/microsoft/scep
I updated /etc/MailScanner/MailScanner.conf to use both sophos and scep
Virus Scanners = sophos generic
My wrapper does (mostly) what the documentation in
/usr/share/MailScanner/generic-wrapper says it should do. It parses
-IsItInstalled and returns 0 or 1 depending. It assumes the last
argument is the directory to scan (ignoring the possibility of an option
-disinfect). It writes to stdout lines that look like
"INFECTED::virusname::path\n". It doesn't return the error code from
the virus scanner, but does return false (!0) if a virus is found, and
true (0) if no virus is found.
I can see that MailScanner is calling my scanner. I even get log
messages about viruses found, including lines such as "Generic found 3
infections".
Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/r20150934875878888224005.PDF.exe
Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar
Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar >> RAR >> 20150934875878888224005.PDF'.exe
Nov 25 10:21:23 revere MailScanner[12670]: Virus Scanning: Generic found 3 infections
The actual messages passed on, however, only mention Sophos. If I take sophos out of MailScanner.conf the messages are not flagged as viruses.
I didn't change anything in SweepViruses.pm, and I don't see anything from reading that file that I'm doing wrong.
Why isn't generic catching my viruses?
--Schlake
-------------- next part --------------
#!/usr/bin/env python
# Generic-wrapper style virus scanner for MailScanner that drives Microsoft SCEP.
# Prints one "INFECTED::virusname::path" line per detection on stdout.
import os
import sys
import time

now = time.time()
debug = False
if debug:
    log = open( "/tmp/scep-wrapper.log", "a+" )
    log.write( str( now ) + ' started ' + str( sys.argv ) + '\n' )
    log.close()

scep = "/opt/microsoft/scep/sbin/scep_scan"
found = []

# MailScanner asks "-IsItInstalled" first; the answer is the exit status only.
if len( sys.argv ) > 1 and sys.argv[1] == "-IsItInstalled":
    if os.path.exists( scep ):
        sys.exit( 0 )
    else:
        sys.exit( 1 )

# The last argument is assumed to be the directory to scan (-disinfect is ignored).
target = sys.argv[-1]
ret = 0

def parse( line ):
    """Turn one scep_scan result line into the INFECTED::virus::path form."""
    global ret
    path = line.split( 'name="' )[1].split( '", threat="' )[0]
    virus = line.split( ', threat="' )[1].split( '", action="' )[0]
    ##
    ## the virus could still be wrong if it sticks random text in there
    ## that isn't the one case I know about and check for
    ##
    ## Archives will have >> and more data than just a path, but I don't
    ## think I care?
    ##
    ret = ret + 1
    found.append( virus )
    return 'INFECTED::%s::%s' % (virus,path)

##
## LANG=C because I don't want weird things to happen
##
cmd = "LANG=C %s --clean-mode=none %s 2>&1" % (scep,target)
fp = os.popen( cmd, "r" )
for line in fp:
    # Only lines that name a threat, skipping empty and "is OK" results.
    if (', threat="' in line) and (', threat="", ' not in line) and ('", threat="is OK", ' not in line):
        print( parse( line ) )
fp.close()

if found:
    log = open( "/tmp/scep-wrapper.log", "a+" )
    log.write( str( now ) + ' found ' + str( found ) + '\n' )
    log.close()

# Exit status is always 0 here; the commented-out line would return the infection count instead.
#sys.exit( ret )
sys.exit( 0 )
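Added example, not from the post or from MailScanner itself: a consumer-side checker for the output contract the post describes for a generic-wrapper scanner. It parses the "INFECTED::virusname::path" lines, ignores other keywords and scanner chatter, drops the " >> " archive-member suffix so a report keys on the attachment that is actually on disk, and derives the per-message directory from the path. The "./<message id>/<attachment>" split is an assumption about how a consumer keys its reports, and the sample lines are constructed from the log output in the post.

```python
import re
from collections import defaultdict

# Constructed sample of wrapper stdout, modelled on the post's log lines.
SAMPLE_OUTPUT = """\
INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/r20150934875878888224005.PDF.exe
INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar
INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar >> RAR >> 20150934875878888224005.PDF'.exe
INFO::scanner version (constructed)::
some unrelated scanner chatter that a consumer must ignore
"""

def parse_report_line(line):
    """Return (keyword, virusname, path) for a well-formed line, else None."""
    parts = line.rstrip("\n").split("::", 2)
    if len(parts) != 3 or not parts[0]:
        return None
    return tuple(parts)

def infected_files(output):
    """Map message id -> {attachment: virus name} from wrapper output.

    The archive member suffix (" >> RAR >> name") is dropped so the archive
    itself is the reported attachment, matching the file written to disk.
    """
    result = defaultdict(dict)
    for raw in output.splitlines():
        parsed = parse_report_line(raw)
        if parsed is None or parsed[0].upper() != "INFECTED":
            continue
        _, virus, path = parsed
        path = path.split(" >> ", 1)[0]
        # Assumed layout: "./<message id>/<attachment>" relative to the scan dir.
        m = re.match(r"^(?:\./)?([^/]+)/(.+)$", path)
        if not m:
            continue
        msg_id, attachment = m.groups()
        result[msg_id][attachment] = virus
    return dict(result)

def wrapper_exit_status(output):
    """Exit status the post's contract describes: non-zero iff something was found."""
    return 1 if infected_files(output) else 0

if __name__ == "__main__":
    for msg_id, files in infected_files(SAMPLE_OUTPUT).items():
        for name, virus in sorted(files.items()):
            print(msg_id, name, virus)
```

Running the checker against the wrapper's real stdout shows whether every detection survives the parse and which message directory each one is attributed to.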