[Mimedefang] BitDefender

Stefan Schoeman stefan at internext.co.za
Fri Aug 29 05:55:01 EDT 2003


Hello Philipp,

Thanks for your thoughts on BDC. Well, I've finally got BDC actually
scanning correctly (from the commandline that is).  I also figured out
that my defang user did not have permissions to access all the BDC data
files, but that was easy to fix. Now, if I run as the defang user, I can
get BDC to execute and identify viruses just fine.

But somehow, when run under MIMEDefang, all the scans come up as clean.
I started messing inside mimedefang.pl just to log what's going on, and
this is what I get when I send a MiMail virus:


Aug 29 11:34:45 safemail mimedefang.pl[30287]: Running File::Scan
Aug 29 11:34:45 safemail mimedefang.pl[30287]: h7T9Yg9Q030308: Bitdefender
STARTED
Aug 29 11:34:45 safemail mimedefang.pl[30287]: run_virus_scanner command :
/usr/local/bin/bdc /var/spool/MIMEDefang/mdefang-h7T9Yg9Q030308/Work --all
--arc --mail 2>&1
Aug 29 11:34:46 safemail mimedefang.pl[30287]: VirusScannerMessage = 
^[[1;36;40mBDC/Linux-Console i386 v6.5.2 (Apr 22 2002 16:20:08) Copyright
(C) 1996-2001 SOFTWIN SRL. All rights reserved.^[[0;37;40m Last updated
Fri Aug 29 00:19:51 2003 CORE v1.0.2 i386 (Apr 19 2002 08:09:17) 
^[[1;37;40m  Results: Folders           :1 Files             :1 Packed    
       :0 Archives          :0 Infected files    :0 Suspect files     :0
Warnings          :0 I/O errors        :0  ^[[0;37;40m^[[0;37;40m
Aug 29 11:34:46 safemail mimedefang.pl[30287]: h7T9Yg9Q030308: Bitdefender
RESULTS : 0

You can see that I extract the actual virus command and then capture the
results from the scanner. But the BDC scanner says all is fine :( Maybe
BDC checks whether it is being run from a terminal and just gives null
results if it is not. A normal scan on a directory containing the same
file gives the following:

defang at safemail:/usr/local/bd7/shared$ bdc . --all --arc --mail
BDC/Linux-Console i386 v6.5.2 (Apr 22 2002 16:20:08)
Copyright (C) 1996-2001 SOFTWIN SRL. All rights reserved.
Last updated Fri Aug 29 00:19:51 2003
CORE v1.0.2 i386 (Apr 19 2002 08:09:17)

/usr/local/bd7/shared/./message.zip=>message.html  infected:
Win32.Mimail.A at mm


Results:
Folders           :2
Files             :90
Packed            :0
Archives          :3
Infected files    :1
Suspect files     :0
Warnings          :0
Identified viruses:1
I/O errors        :2


David, I know this is not your problem, but any suggestions?


Regards,

Stefan




> Stefan Schoeman wrote:
>> Hi everyone,
>>
>> After seeing support for BitDefender in MD2.36, I thought I'd give it a
>> bash. Downloaded the Linux edition of BitDefender, updated it using bdc
>> --update and then upgraded to MD 2.36. After this I sent a message with
>> the message.zip from W32/MiMail to test. This passed straight through
>> BDC. I know this is not a MimeDefang issue, but is anyone running
>> BitDefender successfully out there, am I missing something or is BDC
>> just a pretty useless virus scanner? At this stage, even File::Scan
>> gives me better results! Which brings me to a quick further question - I
>> see in mimedefang-filter that the first available virus checker is
>> used. Can anyone provide some advice on how I go about checking through
>> all available virus scanners until there is either one found or until
>> there are no more available virus scanners?
>
> Hi,
>
> I've initially sent the patch for MD for supporting BDC. We weren't
> sure at the beginning whether bdc reports hits via return codes. I've
> checked it, but in my case, bdc _never_ returned codes. David talked
> to the guys at BitDefender who assured him that bdc returns with
> status codes. After that, the support for BDC based on return values
> was added to MD.
>
> I haven't looked at MD 2.36, I'm still using 2.35 with my personal
> patch, so I can't say anything about the new version. You could try
> to use 2.35 and patch it, if you want. It doesn't evaluate the return
> codes, instead it checks the output of bdc. It's very far from being
> perfect (or usable), the virus name is extracted wrongly, for example.
> I've antivir running, too, since I don't trust only one virus
> scanner... ;)
>
> Btw: the German computer magazine c't has tested Linux virus scanners
> in one of its last editions. Both antivir and bdc do have worse
> scanning results under Linux. Since they're both free and since I
> don't get as many viruses, I don't care. Just to mention.
>
>
> ciao, phb
>
> --
> Philipp Baer <phbaer at npw.net> [http://www.npw.net/]
> Anja Framework: see [http://anja.npw.net/] for details.
> gnupg-fingerprint: 16C7 84E8 5C5F C3D6 A8F1  A4DC E4CB A9A9 F5FA FF5D
>

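An added example in Perl (the language of mimedefang-filter), not code from the MIMEDefang project or from anyone in this thread: it strips the colour escape sequences visible in the logged VirusScannerMessage before parsing the bdc summary counters, and loops over a list of scanners until one reports a hit, which is the "check all available scanners" question from the original post. The scanner callbacks and their names are assumptions; only the bdc summary layout shown above is taken from the thread.

```perl
use strict;
use warnings;

# bdc emits colour escape sequences even when its output is captured by a
# pipe (see the logged VirusScannerMessage), so strip them before parsing.
sub strip_ansi {
    my ($text) = @_;
    $text =~ s/\e\[[0-9;]*m//g;
    return $text;
}

# Parse the "Results:" block into { label => count }. It keys on "Label :N"
# pairs, so the wrapped (captured) and the one-per-line layouts both work.
sub parse_bdc_summary {
    my ($output) = @_;
    my ($summary) = strip_ansi($output) =~ /Results:(.*)\z/s;
    my %counts;
    return \%counts unless defined $summary;
    while ($summary =~ /([A-Za-z][A-Za-z\/ ]*?)\s*:\s*(\d+)/g) {
        $counts{$1} = $2;
    }
    return \%counts;
}

# Treat any non-zero detection counter as a hit, not only "Infected files".
sub bdc_found_virus {
    my ($counts) = @_;
    for my $key ('Infected files', 'Suspect files', 'Identified viruses') {
        return 1 if ($counts->{$key} || 0) > 0;
    }
    return 0;
}

# Run the configured scanners in order; stop at the first detection. Each
# entry is [name, code ref returning (found, virus_name)] (hypothetical).
sub first_scanner_hit {
    my (@scanners) = @_;
    for my $s (@scanners) {
        my ($name, $code) = @$s;
        my ($found, $virus) = $code->();
        return ($name, $virus) if $found;
    }
    return;    # empty list: no scanner found anything
}

# Constructed sample: the captured summary from the log, with real ESC bytes
# where the log shows "^[".
my $captured = "\e[1;37;40m  Results: Folders           :1 Files             :1 Packed    \n"
             . "       :0 Archives          :0 Infected files    :0 Suspect files     :0\n"
             . "Warnings          :0 I/O errors        :0  \e[0;37;40m\e[0;37;40m";
my $c = parse_bdc_summary($captured);
printf "files scanned: %d, infected: %d, hit: %d\n",
    $c->{'Files'}, $c->{'Infected files'}, bdc_found_virus($c);
```

Comparing the parsed "Files" and "Archives" counters against the command-line run is the quickest way to see whether bdc under MIMEDefang is looking at the same set of files at all.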