[Mimedefang] Virus Scanner messages

Stephane Lentz Stephane.Lentz at ansf.alcatel.fr
Wed Jul 10 17:04:01 EDT 2002


Hi David, 

The interesting pattern for Trend antivirus is: Found virus

For instance, the amavis code to get the virus name based on
the vscan output is:

# Trend FileScanner/Linux
#

if ($vscan) {
    do_log(2,"Using $vscan");
    chop($output = `$vscan -a $TEMPDIR/parts/*`);
    $errval = retcode($?);
    do_log(2,$output);
    if ($errval == 0) {         # no errors, no viruses found
        $scanner_errors = 0;
    } elsif ($errval == 1 || $errval == 2) { # no errors, viruses discovered
        $scanner_errors = 0;
        @virusname = ($output =~ /Found virus (.+) in/g);
        @virusname = (undef)  if !@virusname;  # just in case: make list nonnil
        do_virus();
    } else {
        do_log(0,"Virus scanner failure: $vscan (error code: $errval)");
    }
}


For the newest version you can update the interpret_trend_code function.
Instead of:
return ($code, 'virus', 'quarantine') if ( ($code == 2) || ($code == 1));
put:
return ($code, 'virus', 'quarantine') if ( ($code == 4) || ($code == 3) || ($code == 2) || ($code == 1) );

I encountered one case where the scanner returned 3 and another where it
was 4. I'm still waiting for a complete list of exit codes from Trend Micro.
If anyone else uses Trend products, request it (let's put some pressure ...).

regards, 

Stéphane

On Wed, Jul 10, 2002 at 12:28:24PM -0400, David F. Skoll wrote:
> Hi,
> 
> I really want to release 2.16 soon!  So everyone who uses virus-scanners,
> please send me regular expressions which pick out interesting lines
> from the chatter of the scanner output.
> 
> So far, I only have for H+BEDV AntiVir.  Interesting lines match this
> expression: /!Virus!|>>>|VIRUS:/
> 
> Regards,
> 
> David.

---
Stephane Lentz / Alcanet International - Internet Services
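
An added example, not part of the original post and not MIMEDefang's or amavis's own code: it combines the exit-code mapping and the "Found virus" pattern from the message above in one helper and runs it over constructed scanner output. The helper name, the result hash, the 'ok' and 'swerr'/'tempfail' values and the sample lines are assumptions; the non-greedy capture is a deliberate change from the quoted regex.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (assumption, not the project's function).
# Exit codes 1-4 are treated as "virus found", following the post.
# The vendor's full exit-code list is not known here, so any other
# non-zero code is reported as a scanner failure, never as clean.
sub classify_trend_result {
    my ($code, $output) = @_;
    return { code => $code, category => 'ok', action => 'ok', viruses => [] }
        if $code == 0;
    if ($code >= 1 && $code <= 4) {
        # Non-greedy capture: the file name after " in " comes from the
        # message being scanned and may itself contain " in ", which a
        # greedy (.+) would pull into the reported virus name.
        my @names = ($output =~ /Found virus (.+?) in /g);
        @names = ('unknown') unless @names;   # keep the list non-empty
        return { code => $code, category => 'virus',
                 action => 'quarantine', viruses => \@names };
    }
    return { code => $code, category => 'swerr', action => 'tempfail',
             viruses => [] };
}

# Constructed sample output, shaped only by the pattern quoted in the post.
my $sample = join "\n",
    'Scanning /var/spool/work/parts/part1.txt',
    'Found virus WORM_EXAMPLE.A in /var/spool/work/parts/made in china.exe',
    'Found virus TEST_SAMPLE.B in /var/spool/work/parts/part3.scr';

# Constructed cases: clean, the two documented virus codes, the two
# extra codes seen in the post, and an unexpected code.
for my $case ([0, ''], [1, $sample], [2, $sample],
              [3, 'no recognizable lines'], [4, $sample], [127, '']) {
    my $r = classify_trend_result(@$case);
    printf "exit=%-3d %-5s %-10s %s\n", $r->{code}, $r->{category},
        $r->{action}, join(',', @{ $r->{viruses} });
}
```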


