Generic virus scanner

Pascal Maes pascal.maes at uclouvain.be
Tue May 24 16:50:16 UTC 2016


> On 24 May 2016 at 17:27, Mark Sapiro <mark at msapiro.net> wrote:
> 
> On 05/23/2016 11:36 PM, Pascal Maes wrote:
>> 
>> MailScanner Version 4.85.2-3
>> 
>> We have written our own generic virus scanner to check the macros included in some Office documents.
>> 
>> We use the "generic-wrapper" but it doesn't work as in SweepViruses.pm we found the line
> ...
>> So should we choose another name than "generic-wrapper"?
> 
> 
> Yes. generic-(autoupdate|wrapper) are intended as example skeletons from
> which to make your own, so name it something else, maybe local-wrapper
> or officemacro-wrapper or whatever you want other than generic or none.
> 

But if we named it olevba


extract of virus.scanners.conf

generic		/usr/share/MailScanner/generic-wrapper	/
olevba	 	/usr/share/MailScanner/olevba-wrapper 	/usr/local/scripts/oletools 



we have


# MailScanner --lint
Trying to setlogsock(unix)

Reading configuration file /etc/MailScanner/MailScanner.conf
Reading configuration file /etc/MailScanner/conf.d/README
Read 501 hostnames from the phishing whitelist
Read 15526 hostnames from the phishing blacklists
Config: calling custom init function CheckSMTPAuth

Checking version numbers...
Version number in MailScanner.conf (4.85.2) is correct.

Your envelope_sender_header in spam.assassin.prefs.conf is correct.
MailScanner setting GID to  (117)
MailScanner setting UID to  (111)

Checking for SpamAssassin errors (if you use it)...
Using SpamAssassin results cache
Connected to SpamAssassin cache database
each on reference is experimental at /usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm line 353.
keys on reference is experimental at /usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm line 377.
keys on reference is experimental at /usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm line 406.
SpamAssassin reported no errors.
Using locktype = posix
MailScanner.conf says "Virus Scanners = olevba sophos clamd"


 avast vexira sophossavi f-prot-6 inoculate esets clamavmodule kaspersky drweb nod32 clamav f-protd-6 none f-secure etrust mcafee antivir symscanengine bitdefender norman panda css command vba32 nod32-1.99 clamd f-prot generic trend sophos kavdaemonclient inoculan avastd rav avg mcafee6 kaspersky-4.5 

 /usr/share/MailScanner/avast-wrapper /usr -IsItInstalled gave: "1"
/usr/share/MailScanner/vexira-wrapper /usr/local/vexira -IsItInstalled gave: "1"
/bin/false /tmp -IsItInstalled gave: "1"
/usr/share/MailScanner/f-prot-6-wrapper /opt/f-prot -IsItInstalled gave: "1"
/usr/share/MailScanner/inoculate-wrapper /usr/local/av -IsItInstalled gave: "1"
/usr/share/MailScanner/esets-wrapper /usr/sbin -IsItInstalled gave: "1"
/bin/false /tmp -IsItInstalled gave: "1"
/usr/share/MailScanner/kaspersky-wrapper /opt/AVP -IsItInstalled gave: "1"
/usr/share/MailScanner/drweb-wrapper /opt/drweb -IsItInstalled gave: "1"
/usr/share/MailScanner/nod32-wrapper /usr/local/nod32 -IsItInstalled gave: "1"
/usr/share/MailScanner/clamav-wrapper /usr/local -IsItInstalled gave: "0"
/bin/false /opt/f-prot -IsItInstalled gave: "1"
/usr/share/MailScanner/f-secure-wrapper /opt/f-secure/fsav -IsItInstalled gave: "1"
/usr/share/MailScanner/etrust-wrapper /opt/eTrustAntivirus -IsItInstalled gave: "1"
/usr/share/MailScanner/mcafee-wrapper /usr/local/uvscan -IsItInstalled gave: "1"
/usr/share/MailScanner/antivir-wrapper /usr/lib/AntiVir -IsItInstalled gave: "1"
/usr/share/MailScanner/symscanengine-wrapper /opt/SYMCScan -IsItInstalled gave: "1"
/usr/share/MailScanner/bitdefender-wrapper /opt/bdc -IsItInstalled gave: "1"
/usr/share/MailScanner/norman-wrapper /usr/bin -IsItInstalled gave: "1"
/usr/share/MailScanner/panda-wrapper /usr -IsItInstalled gave: "1"
/usr/share/MailScanner/css-wrapper /opt/SYMCScan -IsItInstalled gave: "1"
/usr/share/MailScanner/command-wrapper /usr -IsItInstalled gave: "1"
/usr/share/MailScanner/vba32-wrapper /opt/vba/vbacl -IsItInstalled gave: "1"
/usr/share/MailScanner/nod32-wrapper /usr/sbin -IsItInstalled gave: "1"
/bin/false /usr/local -IsItInstalled gave: "1"
/usr/share/MailScanner/f-prot-wrapper /usr/local/f-prot -IsItInstalled gave: "1"
/usr/share/MailScanner/generic-wrapper / -IsItInstalled gave: "0"
/usr/share/MailScanner/trend-wrapper /pack/trend -IsItInstalled gave: "1"
/usr/share/MailScanner/sophos-wrapper /opt/sophos-av -IsItInstalled gave: "0"
/usr/share/MailScanner/kavdaemonclient-wrapper /usr/local -IsItInstalled gave: "1"
/usr/share/MailScanner/inoculan-wrapper /usr/local/inoculan -IsItInstalled gave: "1"
/usr/share/MailScanner/avastd-wrapper /usr -IsItInstalled gave: "1"
/usr/share/MailScanner/rav-wrapper /usr/local/rav8 -IsItInstalled gave: "1"
/usr/share/MailScanner/avg-wrapper /usr/local -IsItInstalled gave: "1"
/usr/share/MailScanner/mcafee6-wrapper /usr/local/uvscan -IsItInstalled gave: "1"
/usr/share/MailScanner/kaspersky-wrapper /opt/kav -IsItInstalled gave: "1"
Found these virus scanners installed: clamd, generic, sophos
===========================================================================
Filename Checks: Windows/DOS Executable (1 eicar.com)
Other Checks: Found 1 problems
Virus and Content Scanning: Starting
>>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com
Virus Scanning: Sophos found 1 infections
Clamd::INFECTED::Eicar-Test-Signature :: ./1/
Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
Virus Scanning: Clamd found 2 infections
Infected message 1 came from 10.1.1.1
Virus Scanning: Found 3 viruses
===========================================================================
Virus Scanner test reports:
Sophos said ">>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com"
Clamd said "eicar.com was infected: Eicar-Test-Signature"

If any of your virus scanners (clamd,generic,sophos)
are not listed there, you should check that they are installed correctly
and that MailScanner is finding them correctly via its virus.scanners.conf.
Config: calling custom end function CheckSMTPAuth


Our script gives:

# /usr/share/MailScanner/olevba-wrapper /usr/local/scripts/oletools tt.docm 
ERROR::Macros Office Suspectes (S 13)::./tt.docm

-- 
Pascal
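
A quick check for the mismatch visible in the lint run above (an added example, not part of the original message or of MailScanner): it reads `MailScanner --lint` output and prints every scanner named in `Virus Scanners` that is missing from the "Found these virus scanners installed" line. The function names are hypothetical, and the sample lines are copied from the output above.

```shell
#!/bin/sh
# Added example: compare the scanners MailScanner.conf asks for with the
# scanners "MailScanner --lint" reports as installed.

# Reads lint output on stdin; prints one configured-but-not-found name per line.
missing_scanners() {
    awk '
        # e.g. MailScanner.conf says "Virus Scanners = olevba sophos clamd"
        /says "Virus Scanners = / {
            line = $0
            sub(/^.*Virus Scanners = /, "", line)
            sub(/".*$/, "", line)
            nconf = split(line, conf, /[ \t]+/)
        }
        # e.g. Found these virus scanners installed: clamd, generic, sophos
        /^Found these virus scanners installed:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)
            gsub(/[ \t\r]+$/, "", line)
            n = split(line, f, /,[ \t]*/)
            for (i = 1; i <= n; i++) found[f[i]] = 1
        }
        END {
            for (i = 1; i <= nconf; i++)
                if (conf[i] != "" && !(conf[i] in found)) print conf[i]
        }
    '
}

# Constructed sample: the relevant lines copied from the lint run above.
sample_lint() {
    cat <<'EOF'
MailScanner.conf says "Virus Scanners = olevba sophos clamd"
Found these virus scanners installed: clamd, generic, sophos
Virus Scanning: Found 3 viruses
EOF
}

sample_lint | missing_scanners
```

On a live system the same function can be fed with `MailScanner --lint 2>&1 | missing_scanners`.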





