Trouble making my own virus scanner

Shawn Iverson iversons at rushville.k12.in.us
Thu Nov 26 11:38:33 UTC 2015


I use SCEP here.  I'll set it up and give it a go with your wrapper.

I know that each scanner has its own code in SweepViruses.pm.  I'm not sure
if the generic scanner is actually doing much.  The "ProcessGenericOutput"
subroutine appears pretty barebones at first glance.



On Wed, Nov 25, 2015 at 1:10 PM, William D. Colburn <wcolburn at nrao.edu>
wrote:

> I'm trying to use MailScanner to scan mail for viruses with Microsoft's
> SCEP.
>
> I updated /etc/MailScanner/virus.scanners.conf to use my own scep wrapper.
> #generic                /usr/share/MailScanner/generic-wrapper  /
> generic         /opt/services/bin/scep-wrapper  /opt/microsoft/scep
>
> I updated /etc/MailScanner/MailScanner.conf to use both sophos and scep
> Virus Scanners = sophos generic
>
> My wrapper does (mostly) what the documentation in
> /usr/share/MailScanner/generic-wrapper says it should do.  It parses
> -IsItInstalled and returns 0 or 1 depending.  It assumes the last
> argument is the directory to scan (ignoring the possibility of an option
> -disinfect).  It writes to stdout lines that look like
> "INFECTED::virusname::path\n".  It doesn't return the error code from
> the virus scanner, but does return false (!0) if a virus is found, and
> true (0) if no virus is found.
>
> I can see that MailScanner is calling my scanner.  I even get log
> messages about viruses found, including lines such as "Generic found 3
> infections".
>
> Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/r20150934875878888224005.PDF.exe
> Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar
> Nov 25 10:21:23 revere MailScanner[12670]: GenericScanner:: scep INFECTED::Win32/PSW.Papras.EH trojan::./APHKXb9028650/n201593844371388752253040.rar >> RAR >> 20150934875878888224005.PDF'.exe
> Nov 25 10:21:23 revere MailScanner[12670]: Virus Scanning: Generic found 3 infections
>
> The actual messages passed on, however, only mention Sophos.  If I take
> sophos out of MailScanner.conf the messages are not flagged as viruses.
>
> I didn't change anything in SweepViruses.pm, and I don't see anything from
> reading that file that I'm doing wrong.
>
> Why isn't generic catching my viruses?
>
> --Schlake


-- 
Shawn Iverson
Director of Technology
Rush County Schools
765-932-3901 x271
iversons at rushville.k12.in.us
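
A checker for the wrapper contract described in the quoted message (stdout lines of the form `INFECTED::virusname::path`, nonzero exit status when a virus is found, 0 otherwise), as an added example that is not from the thread or from MailScanner. The function name `check_wrapper_run` and the sample lines are constructed, and it does not reproduce how SweepViruses.pm parses the output.

```python
def check_wrapper_run(stdout_text, exit_status):
    """Compare one wrapper run against the contract stated in the post.

    Returns (infections, problems): infections is a list of
    (virusname, path) tuples, problems a list of (line_number, message)
    tuples, with line_number 0 for exit-status problems.
    """
    infections, problems = [], []
    for n, line in enumerate(stdout_text.splitlines(), 1):
        if not line.strip():
            continue
        # Split at most twice so a path containing "::" stays intact.
        fields = line.split("::", 2)
        if len(fields) != 3:
            problems.append((n, "expected 3 '::'-separated fields"))
            continue
        keyword, virus, path = fields
        if keyword != "INFECTED":
            # Any text before the keyword (a scanner name, a timestamp)
            # departs from the stated format.
            problems.append((n, f"keyword is {keyword!r}, not 'INFECTED'"))
            continue
        if not virus or not path:
            problems.append((n, "empty virus name or path"))
            continue
        infections.append((virus, path))
    # Exit status per the post: nonzero if a virus was found, 0 if not.
    if infections and exit_status == 0:
        problems.append((0, "infections reported but exit status is 0"))
    if not infections and exit_status != 0:
        problems.append((0, "nonzero exit status but no well-formed INFECTED line"))
    return infections, problems


# Constructed sample output (not taken from the thread's logs).
SAMPLE = (
    "INFECTED::Example.Test.A::./msgdir/attachment.exe\n"
    "scep INFECTED::Example.Test.A::./msgdir/archive.rar\n"
    "scanning ./msgdir\n"
)

if __name__ == "__main__":
    found, issues = check_wrapper_run(SAMPLE, exit_status=1)
    for virus, path in found:
        print("ok  ", virus, path)
    for lineno, msg in issues:
        print("warn", lineno, msg)
```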