[Mimedefang] RFC: better virus scanner status reporting?

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Sun Aug 10 03:40:01 EDT 2003

To refresh:

    When a virus scanner is invoked from mimedefang-filter, the return
    value is a three-element list: ($code, $category, $action).

    $code is the actual return code from the virus scanner.

    $category is one of (ok, not-installed, cannot-execute, virus,
    suspicious, interrupted, swerr).

    $action is one of (ok, quarantine, tempfail).

The issue I've encountered is that some conditions can't be adequately
expressed by any of the $category choices.

In particular, running Sophos Sweep on a password-protected ZIP file
will cause sweep to return a non-zero exit code:

    $ sweep -nb -f -all -ss -archive foo.zip; echo $?
    Password protected file foo.zip/foo.txt

What mimedefang returns in this case is (2, 'swerr', 'tempfail').
This is arguably wrong, for two reasons:

    1.  Sweep did *not* experience an internal software error.  It
        behaved as expected: exit status 2 means "some error
        preventing further execution was discovered".  The ZIP file
        may or may not contain a virus; because it is
        password-protected, sweep can't tell for certain.

    2.  Sweep will return the same response every time.  Returning a
        tempfail code (i.e., "try again later") is pointless.

How should this issue be addressed?

Is it worth it to add another $category to express this condition?

    "maybe-ok" - no viruses were detected, but because parts of the
    message could not be scanned, the message could still contain a

Or even more specific:

    "encrypted" - no viruses were detected, but because parts of the
    message were encrypted and thus could not be scanned (e.g., a
    password-protected ZIP file), the message could still contain a
    known virus.

If one or more of the above is added, what should the $action be?
Indicating "quarantine" could delay/reject a perfectly virus-free
message; indicating "ok" could let a message with a known virus

My own thoughts:

    1.  I think adding the "encrypted" $category is worth it.  Yes,
        people can figure this out themselves by looking at $code and
        $VirusScannerMessages, but it would be easier if MIMEDefang
        could save the mimedefang-filter writers the effort.

    2.  Since I know of no current viruses which actually use
        password-protected archive files to transmit themselves, at
        this time, the appropriate $action should be "ok".  If viruses
        start appearing which use password-protected archive files to
        transmit themselves, then this decision can be revisited;
        until then, paranoid admins can choose to ignore $action and
        quarantine based on $category.

I'd be happy to write the patches to implement #1 and #2 (or any other
reasonable decision, for that matter), and ensure that the status
reporting works properly for Sophos Sweep.

Thoughts?  Comments?  Disagreements?  Better ideas?

James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
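One way a mimedefang-filter writer could handle the password-protected ZIP case today, as an added example that is not part of the post or of MIMEDefang itself: wrap the scanner call and re-map the exit-status-2 / "Password protected file" result to the proposed 'encrypted' $category with $action 'ok', using the $code and $VirusScannerMessages check mentioned in point 1. The names message_contains_virus_sophos, md_syslog, action_quarantine_entire_message and action_tempfail are assumed to be MIMEDefang's own API; the regex is an assumption based on the sweep output quoted above.

```perl
use strict;
use warnings;

# Set by MIMEDefang after each scanner run (assumed, per the post).
our $VirusScannerMessages;

# Take the ($code, $category, $action) from message_contains_virus_sophos()
# plus the scanner's message text, and re-map the one case the post
# describes: exit status 2 with a "Password protected file" message is
# not an internal error, so report it as ('encrypted', 'ok') and return
# the name of the member that could not be scanned.  Everything else
# passes through unchanged.
sub reclassify_sophos_result {
    my ($code, $category, $action, $messages) = @_;
    $messages = '' unless defined $messages;

    if ($code == 2 && $category eq 'swerr'
        && $messages =~ /^Password protected file\s+(\S+)/m) {
        return ($code, 'encrypted', 'ok', $1);
    }
    return ($code, $category, $action, undef);
}

# Filter fragment, to be called from filter_end in mimedefang-filter.
sub handle_sophos_scan {
    my ($code, $category, $action) = message_contains_virus_sophos();
    my $member;
    ($code, $category, $action, $member) = reclassify_sophos_result(
        $code, $category, $action, $VirusScannerMessages);

    if ($category eq 'encrypted') {
        # Accept but log: the $action the post proposes for this case.
        # A site that prefers to quarantine can branch on $category
        # here instead of trusting $action.
        md_syslog('info', "Sophos could not scan encrypted member $member");
        return;
    }
    if ($action eq 'quarantine') {
        action_quarantine_entire_message(
            "Virus found: $VirusScannerMessages");
    } elsif ($action eq 'tempfail') {
        action_tempfail("Virus scanner error, please try again later");
    }
}
```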