[Mimedefang] RFC: better virus scanner status reporting?
James Ralston
qralston+ml.mimedefang at andrew.cmu.edu
Sun Aug 10 03:40:01 EDT 2003
To refresh:
When a virus scanner is invoked from mimedefang-filter, the return
value is a three-element list: ($code, $category, $action).
$code is the actual return code from the virus scanner.
$category is one of (ok, not-installed, cannot-execute, virus,
suspicious, interrupted, swerr).
$action is one of (ok, quarantine, tempfail).
The issue I've encountered is that some conditions can't be adequately
expressed by any of the $category choices.
In particular, running Sophos Sweep on a password-protected ZIP file
will cause sweep to return a non-zero exit code:
$ sweep -nb -f -all -ss -archive foo.zip; echo $?
Password protected file foo.zip/foo.txt
2
What mimedefang returns in this case is (2, 'swerr', 'tempfail').
This is arguably wrong, for two reasons:
1. Sweep did *not* experience an internal software error. It
behaved as expected: exit status 2 means "some error
preventing further execution was discovered". The ZIP file
may or may not contain a virus; because it is
password-protected, sweep can't tell for certain.
2. Sweep will return the same response every time. Returning a
tempfail code (i.e., "try again later") is pointless.
How should this issue be addressed?
Is it worth it to add another $category to express this condition?
Perhaps:
"maybe-ok" - no viruses were detected, but because parts of the
message could not be scanned, the message could still contain a
virus.
Or even more specific:
"encrypted" - no viruses were detected, but because parts of the
message were encrypted and thus could not be scanned (e.g., a
password-protected ZIP file), the message could still contain a
known virus.
If one or more of the above is added, what should the $action be?
Indicating "quarantine" could delay/reject a perfectly virus-free
message; indicating "ok" could let a message with a known virus
through.
My own thoughts:
1. I think adding the "encrypted" $category is worth it. Yes,
people can figure this out themselves by looking at $code and
$VirusScannerMessages, but it would be easier if MIMEDefang
could save the mimedefang-filter writers the effort.
2. Since I know of no current viruses which actually use
password-protected archive files to transmit themselves, at
this time, the appropriate $action should be "ok". If viruses
start appearing which use password-protected archive files to
transmit themselves, then this decision can be revisited;
until then, paranoid admins can choose to ignore $action and
quarantine based on $category.
I'd be happy to write the patches to implement #1 and #2 (or any other
reasonable decision, for that matter), and ensure that the status
reporting works properly for Sophos Sweep.
Thoughts? Comments? Disagreements? Better ideas?
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
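As an added example (not part of the post above and not MIMEDefang's own Sophos wrapper), here is how the proposed "encrypted" classification could look in Perl, the language of mimedefang-filter. It assumes sweep exit statuses 0 = clean, 1 = interrupted, 2 = error preventing further execution, 3 = virus found (only the 0 and 2 meanings are stated in the post; 1 and 3 are assumptions), that encrypted archive members are reported with the "Password protected file ..." line quoted above, and that the function names classify_sweep and scan_with_sweep, and the sample output lines, are invented for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Turn a Sophos Sweep run into MIMEDefang's ($code, $category, $action)
# triple, with the proposed "encrypted" category. Example code written
# for this discussion; it is NOT MIMEDefang's own sweep wrapper.
#
# Assumed sweep exit statuses: 0 clean, 1 interrupted, 2 error preventing
# further execution, 3 virus found. Only 0 and 2 are stated in the post.
sub classify_sweep {
    my ($status, @lines) = @_;

    # $status is the raw wait status ($?): low 7 bits are a signal number,
    # the exit code sits in the high byte.
    if ($status & 127) {
        return ($status & 127, 'interrupted', 'tempfail');
    }
    my $code = $status >> 8;

    return ($code, 'ok',          'ok')         if $code == 0;
    return ($code, 'interrupted', 'tempfail')   if $code == 1;   # assumed
    return ($code, 'virus',       'quarantine') if $code == 3;   # assumed

    if ($code == 2) {
        my @nonblank   = grep { /\S/ } @lines;
        my @encrypted  = grep { /^Password protected file / } @nonblank;
        # Exit 2 caused solely by encrypted archive members: sweep could
        # not look inside, but it will say the same thing on every retry,
        # so a tempfail is pointless. Any other diagnostic line on an
        # exit-2 run is treated as a real error and falls through.
        if (@encrypted && @encrypted == @nonblank) {
            return ($code, 'encrypted', 'ok');
        }
    }
    return ($code, 'swerr', 'tempfail');
}

# Run sweep with the options from the post and classify the result.
# A missing or non-executable sweep binary shows up as a failed open
# (fork error) or as a non-zero $? after close; the latter is reported
# as swerr, the former as cannot-execute.
sub scan_with_sweep {
    my ($path) = @_;
    open(my $fh, '-|', 'sweep', '-nb', '-f', '-all', '-ss', '-archive', $path)
        or return (-1, 'cannot-execute', 'tempfail');
    my @out = <$fh>;
    close($fh);               # sets $? to sweep's wait status
    chomp @out;
    return classify_sweep($?, @out);
}

# Constructed sample runs for the classifier (only the "Password protected
# file" line is taken from the post; the others are made up for this demo).
my @cases = (
    [ 0 << 8 ],
    [ 2 << 8, 'Password protected file foo.zip/foo.txt' ],
    [ 2 << 8, 'Password protected file foo.zip/a.txt',
              'Password protected file foo.zip/b.txt' ],
    [ 2 << 8, 'Could not open file foo.zip' ],
    [ 3 << 8, ">>> Virus 'EICAR-AV-Test' found in file foo.zip/eicar.com" ],
    [ 9 ],    # killed by SIGKILL: wait status with a signal number, no exit code
);
for my $c (@cases) {
    my ($status, @lines) = @$c;
    my ($code, $category, $action) = classify_sweep($status, @lines);
    printf "code %-3d %-12s %s\n", $code, $category, $action;
}
```

In a filter, a site that accepts the proposed default would simply honour $action; a more cautious site can test `$category eq 'encrypted'` and quarantine the message anyway (for instance with action_quarantine_entire_message), which is exactly the "ignore $action, act on $category" option the post leaves open to paranoid admins.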