Generic virus scanner

Pascal Maes pascal.maes at uclouvain.be
Tue May 24 16:57:48 UTC 2016


> On 24 May 2016 at 18:50, Pascal Maes <pascal.maes at uclouvain.be> wrote:
> 
> 
>> On 24 May 2016 at 17:27, Mark Sapiro <mark at msapiro.net> wrote:
>> 
>> On 05/23/2016 11:36 PM, Pascal Maes wrote:
>>> 
>>> MailScanner Version 4.85.2-3
>>> 
>>> We have written our own generic virus scanner to check the macros included in some Office documents.
>>> 
>>> We use the "generic-wrapper" but it doesn't work as in SweepViruses.pm we found the line
>> ...
>>> So should we choose another name than "generic-wrapper"?
>> 
>> 
>> Yes. generic-(autoupdate|wrapper) are intended as example skeletons from
>> which to make your own, so name it something else, maybe local-wrapper
>> or officemacro-wrapper or whatever you want other than generic or none.
>> 
> 
> But if we named it olevba
> 
> 
> extract of virus.scanners.conf
> 
> generic		/usr/share/MailScanner/generic-wrapper	/
> olevba	 	/usr/share/MailScanner/olevba-wrapper 	/usr/local/scripts/oletools 
> 
> 
> 
> we have
> 
> 
> # MailScanner --lint
> Trying to setlogsock(unix)
> 
> Reading configuration file /etc/MailScanner/MailScanner.conf
> Reading configuration file /etc/MailScanner/conf.d/README
> Read 501 hostnames from the phishing whitelist
> Read 15526 hostnames from the phishing blacklists
> Config: calling custom init function CheckSMTPAuth
> 
> Checking version numbers...
> Version number in MailScanner.conf (4.85.2) is correct.
> 
> Your envelope_sender_header in spam.assassin.prefs.conf is correct.
> MailScanner setting GID to  (117)
> MailScanner setting UID to  (111)
> 
> Checking for SpamAssassin errors (if you use it)...
> Using SpamAssassin results cache
> Connected to SpamAssassin cache database
> each on reference is experimental at /usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm line 353.
> keys on reference is experimental at /usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm line 377.
> keys on reference is experimental at /usr/share/perl5/Mail/SpamAssassin/Plugin/URILocalBL.pm line 406.
> SpamAssassin reported no errors.
> Using locktype = posix
> MailScanner.conf says "Virus Scanners = olevba sophos clamd"
> 
> 
> avast vexira sophossavi f-prot-6 inoculate esets clamavmodule kaspersky drweb nod32 clamav f-protd-6 none f-secure etrust mcafee antivir symscanengine bitdefender norman panda css command vba32 nod32-1.99 clamd f-prot generic trend sophos kavdaemonclient inoculan avastd rav avg mcafee6 kaspersky-4.5 
> 
> /usr/share/MailScanner/avast-wrapper /usr -IsItInstalled gave: "1"
> /usr/share/MailScanner/vexira-wrapper /usr/local/vexira -IsItInstalled gave: "1"
> /bin/false /tmp -IsItInstalled gave: "1"
> /usr/share/MailScanner/f-prot-6-wrapper /opt/f-prot -IsItInstalled gave: "1"
> /usr/share/MailScanner/inoculate-wrapper /usr/local/av -IsItInstalled gave: "1"
> /usr/share/MailScanner/esets-wrapper /usr/sbin -IsItInstalled gave: "1"
> /bin/false /tmp -IsItInstalled gave: "1"
> /usr/share/MailScanner/kaspersky-wrapper /opt/AVP -IsItInstalled gave: "1"
> /usr/share/MailScanner/drweb-wrapper /opt/drweb -IsItInstalled gave: "1"
> /usr/share/MailScanner/nod32-wrapper /usr/local/nod32 -IsItInstalled gave: "1"
> /usr/share/MailScanner/clamav-wrapper /usr/local -IsItInstalled gave: "0"
> /bin/false /opt/f-prot -IsItInstalled gave: "1"
> /usr/share/MailScanner/f-secure-wrapper /opt/f-secure/fsav -IsItInstalled gave: "1"
> /usr/share/MailScanner/etrust-wrapper /opt/eTrustAntivirus -IsItInstalled gave: "1"
> /usr/share/MailScanner/mcafee-wrapper /usr/local/uvscan -IsItInstalled gave: "1"
> /usr/share/MailScanner/antivir-wrapper /usr/lib/AntiVir -IsItInstalled gave: "1"
> /usr/share/MailScanner/symscanengine-wrapper /opt/SYMCScan -IsItInstalled gave: "1"
> /usr/share/MailScanner/bitdefender-wrapper /opt/bdc -IsItInstalled gave: "1"
> /usr/share/MailScanner/norman-wrapper /usr/bin -IsItInstalled gave: "1"
> /usr/share/MailScanner/panda-wrapper /usr -IsItInstalled gave: "1"
> /usr/share/MailScanner/css-wrapper /opt/SYMCScan -IsItInstalled gave: "1"
> /usr/share/MailScanner/command-wrapper /usr -IsItInstalled gave: "1"
> /usr/share/MailScanner/vba32-wrapper /opt/vba/vbacl -IsItInstalled gave: "1"
> /usr/share/MailScanner/nod32-wrapper /usr/sbin -IsItInstalled gave: "1"
> /bin/false /usr/local -IsItInstalled gave: "1"
> /usr/share/MailScanner/f-prot-wrapper /usr/local/f-prot -IsItInstalled gave: "1"
> /usr/share/MailScanner/generic-wrapper / -IsItInstalled gave: "0"
> /usr/share/MailScanner/trend-wrapper /pack/trend -IsItInstalled gave: "1"
> /usr/share/MailScanner/sophos-wrapper /opt/sophos-av -IsItInstalled gave: "0"
> /usr/share/MailScanner/kavdaemonclient-wrapper /usr/local -IsItInstalled gave: "1"
> /usr/share/MailScanner/inoculan-wrapper /usr/local/inoculan -IsItInstalled gave: "1"
> /usr/share/MailScanner/avastd-wrapper /usr -IsItInstalled gave: "1"
> /usr/share/MailScanner/rav-wrapper /usr/local/rav8 -IsItInstalled gave: "1"
> /usr/share/MailScanner/avg-wrapper /usr/local -IsItInstalled gave: "1"
> /usr/share/MailScanner/mcafee6-wrapper /usr/local/uvscan -IsItInstalled gave: "1"
> /usr/share/MailScanner/kaspersky-wrapper /opt/kav -IsItInstalled gave: "1"
> Found these virus scanners installed: clamd, generic, sophos
> ===========================================================================
> Filename Checks: Windows/DOS Executable (1 eicar.com)
> Other Checks: Found 1 problems
> Virus and Content Scanning: Starting
> >>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com
> Virus Scanning: Sophos found 1 infections
> Clamd::INFECTED::Eicar-Test-Signature :: ./1/
> Clamd::INFECTED:: Eicar-Test-Signature :: ./1/eicar.com
> Virus Scanning: Clamd found 2 infections
> Infected message 1 came from 10.1.1.1
> Virus Scanning: Found 3 viruses
> ===========================================================================
> Virus Scanner test reports:
> Sophos said ">>> Virus 'EICAR-AV-Test' found in file ./1/eicar.com"
> Clamd said "eicar.com was infected: Eicar-Test-Signature"
> 
> If any of your virus scanners (clamd,generic,sophos)
> are not listed there, you should check that they are installed correctly
> and that MailScanner is finding them correctly via its virus.scanners.conf.
> Config: calling custom end function CheckSMTPAuth
> 
> 
> Our script gives:
> 
> # /usr/share/MailScanner/olevba-wrapper /usr/local/scripts/oletools tt.docm 
> ERROR::Macros Office Suspectes (S 13)::./tt.docm
> 
> -- 
> Pascal


we have also


# /usr/share/MailScanner/olevba-wrapper /usr/local/scripts/oletools -IsItInstalled
# echo $?
0


but olevba doesn't appear in the list.


Regards,
-- 
Pascal
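
Added example (not part of the original post and not MailScanner code): a shell function that replays the `-IsItInstalled` probe seen in the `--lint` output for every entry of a virus.scanners.conf-style file, so the result can be compared with the "Found these virus scanners installed" line. It assumes the three-column layout shown in the extract above and that exit status 0 means "installed", as the lint output suggests; the name `probe_scanners` is hypothetical.

```shell
#!/bin/sh
# Added example: probe each scanner entry the way the lint output shows,
# i.e. "<wrapper> <install-dir> -IsItInstalled", and report the exit status.
# Assumed line format (from the extract in the post):
#   name <whitespace> wrapper-path <whitespace> install-dir

probe_scanners() {
    conf=$1
    installed=""
    while read -r name wrapper dir _rest; do
        # Skip blank lines and comments.
        case $name in
            ''|\#*) continue ;;
        esac
        # A missing or non-executable wrapper can never be detected.
        if [ ! -x "$wrapper" ]; then
            echo "$name: wrapper $wrapper missing or not executable" >&2
            continue
        fi
        # stdin is redirected so the wrapper cannot consume the config file.
        if "$wrapper" "$dir" -IsItInstalled >/dev/null 2>&1 </dev/null; then
            rc=0
        else
            rc=$?
        fi
        echo "$name: $wrapper $dir -IsItInstalled gave \"$rc\"" >&2
        if [ "$rc" -eq 0 ]; then
            installed="$installed $name"
        fi
    done < "$conf"
    # Names whose wrapper answered 0, space separated, on stdout.
    printf '%s\n' "${installed# }"
}

# Stand-alone use: pass the path of the scanners file as the first argument.
if [ "$#" -gt 0 ]; then
    probe_scanners "$1"
fi
```

A name that this probe reports but that is missing from the list `MailScanner --lint` prints points at how MailScanner selects the names it probes rather than at the wrapper itself.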





