[Mimedefang] RFC: better virus scanner status reporting?

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Sun Aug 10 03:40:01 EDT 2003


To refresh:

    When a virus scanner is invoked from mimedefang-filter, the return
    value is a three-element list: ($code, $category, $action).

    $code is the actual return code from the virus scanner.

    $category is one of (ok, not-installed, cannot-execute, virus,
    suspicious, interrupted, swerr).

    $action is one of (ok, quarantine, tempfail).

The issue I've encountered is that some conditions can't be adequately
expressed by any of the $category choices.

In particular, running Sophos Sweep on a password-protected ZIP file
will cause sweep to return a non-zero exit code:

    $ sweep -nb -f -all -ss -archive foo.zip; echo $?
    Password protected file foo.zip/foo.txt
    2

What mimedefang returns in this case is (2, 'swerr', 'tempfail').
This is arguably wrong, for two reasons:

    1.  Sweep did *not* experience an internal software error.  It
        behaved as expected: exit status 2 means "some error
        preventing further execution was discovered".  The ZIP file
        may or may not contain a virus; because it is
        password-protected, sweep can't tell for certain.

    2.  Sweep will return the same response every time.  Returning a
        tempfail code (i.e., "try again later") is pointless.

How should this issue be addressed?

Is it worth it to add another $category to express this condition?
Perhaps:

    "maybe-ok" - no viruses were detected, but because parts of the
    message could not be scanned, the message could still contain a
    virus.

Or even more specific:

    "encrypted" - no viruses were detected, but because parts of the
    message were encrypted and thus could not be scanned (e.g., a
    password-protected ZIP file), the message could still contain a
    known virus.

If one or more of the above is added, what should the $action be?
Indicating "quarantine" could delay/reject a perfectly virus-free
message; indicating "ok" could let a message with a known virus
through.

My own thoughts:

    1.  I think adding the "encrypted" $category is worth it.  Yes,
        people can figure this out themselves by looking at $code and
        $VirusScannerMessages, but it would be easier if MIMEDefang
        could save the mimedefang-filter writers the effort.

    2.  Since I know of no current viruses which actually use
        password-protected archive files to transmit themselves, at
        this time, the appropriate $action should be "ok".  If viruses
        start appearing which use password-protected archive files to
        transmit themselves, then this decision can be revisited;
        until then, paranoid admins can choose to ignore $action and
        quarantine based on $category.

I'd be happy to write the patches to implement #1 and #2 (or any other
reasonable decision, for that matter), and ensure that the status
reporting works properly for Sophos Sweep.

Thoughts?  Comments?  Disagreements?  Better ideas?

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
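An added example, not code from the post above or from MIMEDefang itself, of what the proposed mapping and a filter-side policy could look like in Perl: the first function turns a sweep exit status and its captured output into the ($code, $category, $action) triple with the proposed "encrypted" category, and the filter_begin fragment honours $action by default while letting a cautious site quarantine on $category alone. The names classify_sweep_result, handle_scan_result and $paranoid are assumptions; message_contains_virus(), action_quarantine_entire_message(), action_tempfail() and $VirusScannerMessages are MIMEDefang's own filter API.

```perl
use strict;
use warnings;

# Map a Sophos Sweep exit status plus its captured output onto the
# ($code, $category, $action) triple, adding the proposed "encrypted"
# category.  Exit status 2 is as described in the post; the meaning of
# 0, 1 and 3 is assumed from sweep's documented exit codes.
# Assumption: $output is the text sweep printed, captured by the caller.
sub classify_sweep_result {
    my ($code, $output) = @_;
    return ($code, 'ok',          'ok')         if $code == 0;
    return ($code, 'interrupted', 'tempfail')   if $code == 1;
    return ($code, 'virus',       'quarantine') if $code == 3;
    # Exit 2: sweep hit an error before finishing.  A password-protected
    # archive member is a deterministic, non-retryable case: sweep could
    # not look inside, and it will answer the same way on every retry,
    # so neither "swerr" nor "tempfail" fits.
    return ($code, 'encrypted', 'ok')
        if $code == 2 && $output =~ /^Password protected file /m;
    return ($code, 'swerr', 'tempfail');
}

# Site policy layered on top of the triple: honour $action by default,
# but let a cautious site quarantine on $category alone.  $paranoid is an
# assumed site-local setting, not a MIMEDefang variable.
our $paranoid = 0;

sub handle_scan_result {
    my ($code, $category, $action, $msg) = @_;
    if ($category eq 'encrypted' && $paranoid) {
        return ('quarantine', "Unscannable encrypted part: $msg");
    }
    return ($action, $msg);
}

# mimedefang-filter hook.  message_contains_virus(),
# action_quarantine_entire_message(), action_tempfail() and
# $VirusScannerMessages are MIMEDefang's own filter API.
sub filter_begin {
    my ($code, $category, $action) = message_contains_virus();
    my ($what, $why) = handle_scan_result($code, $category, $action,
                                          $::VirusScannerMessages);
    action_quarantine_entire_message($why) if $what eq 'quarantine';
    action_tempfail($why)                  if $what eq 'tempfail';
}

1;
```

With $paranoid left at 0, the password-protected ZIP from the post yields (2, 'encrypted', 'ok') and the message is delivered; setting it to 1 quarantines on the category while leaving the triple itself unchanged.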
