<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B>
mailscanner-bounces@lists.mailscanner.info
[mailto:mailscanner-bounces@lists.mailscanner.info] <B>On Behalf Of </B>Julian
Field<BR><B>Sent:</B> Monday, June 11, 2007 10:13 AM<BR><B>To:</B> MailScanner
discussion<BR><B>Subject:</B> Re: AVG Antivirus scanner
problem<BR></FONT><BR></DIV>
<DIV>Can you send me a single patch including all your proposed changes (patch
against the SweepViruses.pm including the patch I posted last night) so I can
see what you're doing. And don't forget to quotemeta the $Report before you //
for it!<BR><SPAN class=000410717-11062007><FONT face=Arial color=#0000ff
size=2>[Rick Cooper] </FONT></SPAN></DIV>
<DIV><SPAN class=000410717-11062007><FONT face=Arial color=#0000ff size=2>I
can and I did (forget to quotemeta). I was getting ready to make the
patch and it occurred to me that current avgscan supports trapping password
protected files in archives. Should that be enabled depending on the
setting for "Allow Password-Protected Archives"? If so the scanner
options need changing and the parser needs to be updated to catch the
"Contains password-protected files"</FONT> <FONT face=Arial color=#0000ff
size=2>string. Or would you prefer to catch them in the unpack function only
and not bother with the scanner(s) checking as well?</FONT></SPAN><BR><BR>Rick
Cooper wrote: </DIV>
<BLOCKQUOTE cite=mid:0d1a01c7ac2d$aaf6b830$0301a8c0@SAHOMELT type="cite">
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">From: <A class=moz-txt-link-abbreviated href="mailto:mailscanner-bounces@lists.mailscanner.info">mailscanner-bounces@lists.mailscanner.info</A>
[<A class=moz-txt-link-freetext href="mailto:mailscanner-bounces@lists.mailscanner.info">mailto:mailscanner-bounces@lists.mailscanner.info</A>] On Behalf Of Rick
Cooper Sent: Sunday, June 10, 2007 1:56 PM To: 'MailScanner
discussion' Subject: RE: AVG Antivirus scanner problem
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">There was also an issue with the correct parsing of the virus if IIRC
and the logout line was very unfriendly to MailWatch.
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">I added $line =~ s/^(.+)(?:\s{1,}\(.+\))$/$1/; below $line =~
s/[\r\n]//g; to remove the new(?) (+2) junk at the end of found lines
I changed my $virus = $1; to my $virus = $line; and added $virus =~
s/^.+\s+(.+?)$/$1/; because all of my log lines showed virus to be
blank (found virus in file), and I also modified the logout
information to
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">my $logout = $line; $logout =~ s/\s{2,}/ /gs; $logout =~ s/:./->/;
$logout =~ /^.+\/(.+?)\s{1,}(.+)\s{0,}$/; MailScanner::Log::InfoLog
("Avg: %s in %s", $2,$1);
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">so it would be easy for MailWatch to get the virus and file name
(seemed to be backward from the regex I think).
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">That brings me to a question I was going to ask next week. How about
standardizing the virus found log messages? I look through the
MailWatch code and every time something is added to MailScanner they
would have to re-write the section that handles logging the virus and
filename regex. If there was a standard log output such as
Scanner::ScannerName VIRUS_NAME Found In FILE_NAME then MailWatch
(and other utilities) could easily parse the scanner, the virus name
and the file.
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">The MailWatch clamd, avg and panda support all need updated.
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">What do you think?
</PRE></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE type="cite">
<BLOCKQUOTE type="cite"><PRE wrap="">Rick
</PRE></BLOCKQUOTE></BLOCKQUOTE><PRE wrap=""><!---->
There was something else I noticed. If you have the same file in two
archives (I believe that was the trigger) MailScanner repeated the report,
so you got a report something like
Scanner AVG: test_eicar_file was found in test.rar
test_eircar_file was found in test.rar

So I also made the following change:
$part =~ s/\t.*$//;
$part =~ s/=\>.*$//;
#print STDERR "id:$id:part = $part\n";
#print STDERR "$Name : Found virus $virus in file $part ID:$id\n";
- $infections->{$id}{$part} .= $Name . ': ' if $Name;
- $infections->{$id}{$part} .= "Found virus $virus in file $part\n";
- $types->{$id}{$part} .= "v"; # so we know what to tell sender
+ # If avg finds both the archive and file to be infected and the file
+ # exists in more than one (because of SafeName) archive the archive is
+ # reported twice so check and make sure the archive is only reported once
+ my $Report = $Name . ': ' if $Name;
+ $Report .= "Found virus $virus in file $part";
+ $infections->{$id}{$part} .= "$Report\n" unless $infections->{$id}{$part}
=~ /$Report/si;
+ $types->{$id}{$part} .= "v" unless $types->{$id}{$part}; # so we
know what to tell sender
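Review bot: the duplicate check "unless $infections->{$id}{$part} =~ /$Report/si" interpolates $Report raw into the pattern, so any regex metacharacter in $virus or $part (the "(+2)" suffix, ".", "[", "+") either aborts the match with a pattern-compile error or makes it match text it should not; match it literally with "=~ /\Q$Report\E/" (quotemeta) or with index(). Two smaller points in the same hunk: "my $Report = $Name . ': ' if $Name;" is the conditional-my construct whose value is undefined when $Name is false (write "my $Report = $Name ? "$Name: " : '';" and then append), and on the first report for a part $infections->{$id}{$part} is still undef, so the match warns about an uninitialized value under "use warnings" unless you test for defined first.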
                        
[...]
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
</PRE></BLOCKQUOTE><BR><PRE class=moz-signature cols="72">Jules
--
Julian Field MEng CITP
<A class=moz-txt-link-abbreviated href="http://www.MailScanner.info">www.MailScanner.info</A>
Buy the MailScanner book at <A class=moz-txt-link-abbreviated href="http://www.MailScanner.info/store">www.MailScanner.info/store</A>
MailScanner customisation, or any advanced system administration help?
Contact me at <A class=moz-txt-link-abbreviated href="mailto:Jules@Jules.FM">Jules@Jules.FM</A>
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
For all your IT requirements visit <A class=moz-txt-link-abbreviated href="http://www.transtec.co.uk">www.transtec.co.uk</A>
</PRE></BLOCKQUOTE></BODY>
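Added example, not code from MailScanner or from either poster: a small Perl script that shows the quotemeta point Julian raises (an unescaped $Report used as a pattern) next to a literal-match duplicate check of the kind the quoted patch needs for the same-file-in-two-archives case. The variable names ($infections, $id, $part, $Name, $virus, $Report) follow the quoted patch; the report strings are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not MailScanner's own code. Shows why $Report must be
# quotemeta'd before it is used as a pattern, and a duplicate check that
# does so. Sample strings below are constructed.
use strict;
use warnings;

# Build the report text without "my $x = ... if $cond", which leaves
# $Report undefined (or stale) whenever $Name is empty.
sub make_report {
    my ($Name, $virus, $part) = @_;
    my $Report = $Name ? "$Name: " : '';
    $Report .= "Found virus $virus in file $part";
    return $Report;
}

# Unsafe: $Report is interpolated raw, so every regex metacharacter in the
# virus or file name is interpreted. Returns 1/0, or undef when the pattern
# failed to compile (the error text is left in $@).
sub seen_unsafe {
    my ($existing, $Report) = @_;
    $existing = '' unless defined $existing;
    my $hit = eval { $existing =~ /$Report/si ? 1 : 0 };
    return $@ ? undef : $hit;
}

# Safe: \Q...\E applies quotemeta, so the whole report is matched literally,
# and an undefined accumulator (first report for this part) is handled.
sub seen_safe {
    my ($existing, $Report) = @_;
    return 0 unless defined $existing;
    return $existing =~ /\Q$Report\E/s ? 1 : 0;
}

# Append a report to $infections->{$id}{$part} only if it is not already
# there; returns the accumulated text for that part.
sub add_report {
    my ($infections, $id, $part, $Report) = @_;
    $infections->{$id}{$part} .= "$Report\n"
        unless seen_safe($infections->{$id}{$part}, $Report);
    return $infections->{$id}{$part};
}

# --- constructed demonstration ------------------------------------------
my $infections = {};
my $id   = 'msg1';
my $part = 'test.rar';
# The same file in two archives makes AVG report it twice (Rick's case);
# the "(+2)" suffix is the trailing junk he mentions and it is not
# regex-safe.
my $Report = make_report('Avg', 'EICAR_Test (+2)', $part);

# Raw interpolation: "(+2)" is "quantifier follows nothing", so the match
# dies instead of answering.
my $r = seen_unsafe("$Report\n", $Report);
print "unsafe check: ", (defined $r ? "returned $r\n" : "died: $@");

# Raw interpolation can also silently match the wrong thing: "." matches
# any character, so a report about test.rar is "found" in one about test_rar.
print "unsafe false positive: ",
    seen_unsafe('Avg: Found virus X in file test_rar',
                'Avg: Found virus X in file test.rar'), "\n";

# The literal check stores the duplicated report exactly once.
for (1 .. 2) { add_report($infections, $id, $part, $Report) }
print "stored once:\n$infections->{$id}{$part}";
print "safe check: ", seen_safe($infections->{$id}{$part}, $Report), "\n";
```

Run it with `perl` on any system with a stock Perl; the unsafe check dies on the first sample and reports a false positive on the second, while the quotemeta'd check keeps one copy of the report for the part. The `\Q...\E` form and an explicit `defined` test are the two fixes the quoted patch is missing.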
</HTML>