[Mimedefang] Runtime Virus Scanner Detection

Richard Laager rlaager at wiktel.com
Tue Jun 17 18:32:00 EDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> On Tue, 17 Jun 2003, Richard Laager wrote:
> 
> > I'm just curious, is there a reason that the list of available virus
> > scanners is detected at compile-time instead of at run-time?
> 
> Not a very good reason.  I feel happier doing it at compile time
> so that if (for example) someone sticks a totally-unrelated executable
> named "sweep" in the path, it doesn't get picked up as a 
> virus scanner.
> 
> If you *know* where your scanner lives, you can force a run-time detection
> by doing something like this:
> 
> 	$Features{'Virus:NAI'} = "/full/path/to/uvscan";
> 
> (using NAI's "uvscan" as an example.)
> 
> I much prefer this "manual run-time" configuration to a totally
> automated approach.

I was kinda thinking of a hybrid approach. It would go something like this:

The configure script would have a list of default (full) paths for virus
scanner executables. There would be options to change these paths if your
scanner wasn't in the usual location. (Or, perhaps it would try to detect
the scanner and if it wasn't found, fall back to a default full path.)
Also, there would be options to disable a particular scanner as well, in
case you had it installed but for some reason didn't want to use it. At
run-time then, all that would need to be done is to see if the scanner was
executable. So, in the mimedefang.pl.in file, it would look something like
this (again using NAI for an example):

$Features{'Virus:NAI'} = (-x '@NAI@' ? '@NAI@' : 0);

If that particular virus scanner was disabled, @NAI@ would expand to
nothing and the -x '' would always be false.

> > Furthermore, why aren't message_contains_virus() and
> > entity_contains_virus() part of the MIMEDefang code?
> 
> They should be.  In fact, they used to be, but I took them
> out in favour of specific routines for specific virus scanners.
> 
> > Ideally they would
> > scan using all available virus scanners, not just the first.

I'm thinking the logic would be something like:
1. If any scanner returns $category = "virus", return "virus". The
VirusName, etc. would be from the scanner that first detected the virus.
2. If any scanner returns "quarantine" but none returned "virus", return
"virus". The code, etc. would be from the last scanner that returned
"quarantine".
3. If any scanner returns "tempfail" but none returned "virus" or
"quarantine", return "tempfail". The code, etc. would be from the last
scanner that returned "tempfail".
4. If all scanners return "ok", return "ok".
- In any case, $VirusScannerMessages would be the concatenation of all the
messages produced by scanners that had run at the point of return.

Also, there would be no reason to run two basically identical scanners
twice. For example, if clamd returns "ok", clamav would as well, so why run
it?

And, of course, if someone wanted to use a specific scanner or two, they
easily could by coding their own routine. :-)

I have the second part implemented now, I just have to test.

Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: 6.5.8ckt http://www.ipgpp.com/

iQA/AwUBPu+We231OrleHxvOEQLjzgCgrAH4Ux+Hs8bQCo/m/qMxXW6i7XYAoJm1
mBiq9bp1DPkSdqLkqYl/paHA
=6C7w
-----END PGP SIGNATURE-----
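The two ideas above (a run-time `-x` check on a configure-substituted path, and the four precedence rules for merging results from several scanners) as one self-contained Perl script. This is an added example, not code from MIMEDefang or from the poster: the scanner routines, their `($code, $category, $message, $virus_name)` return shape and the `Virus:A` .. `Virus:D` names are hypothetical stand-ins that return canned results so the merge logic can be run offline; `detect_scanner` is an assumed helper that mirrors the `(-x '@NAI@' ? '@NAI@' : 0)` line.

```perl
#!/usr/bin/perl
# Added example (not MIMEDefang code): run-time scanner detection plus the
# multi-scanner merge rules described in the post.
use strict;
use warnings;

# Mirrors the post's "(-x '@NAI@' ? '@NAI@' : 0)": a scanner disabled at
# configure time has an empty path and a missing binary is not executable;
# both yield 0, which the merge loop treats as "not enabled".
sub detect_scanner {
    my ($path) = @_;
    return (defined $path && length $path && -x $path) ? $path : 0;
}

# Constructed paths: the first is the post's placeholder and will normally
# resolve to 0; the second simulates a scanner disabled at configure time.
my %Features = (
    'Virus:NAI' => detect_scanner('/full/path/to/uvscan'),
    'Virus:OFF' => detect_scanner(''),
);
for my $name (sort keys %Features) {
    printf "%-10s => %s\n", $name, $Features{$name} || 'not available';
}

# Hypothetical scanner routines. Real ones would run the executable found at
# run time; these return canned ($code, $category, $message, $virus_name)
# quadruples so the precedence logic can be exercised without any scanner.
my %routine = (
    'Virus:A' => sub { return (0, 'ok',         'A: clean',              '') },
    'Virus:B' => sub { return (1, 'quarantine', 'B: suspicious archive', '') },
    'Virus:C' => sub { return (1, 'virus',      'C: found EICAR',        'EICAR-Test') },
    'Virus:D' => sub { return (1, 'virus',      'D: found EICAR too',    'EICAR-Test-D') },
);

# Merge per the post's rules: virus > quarantine > tempfail > ok.
#  - VirusName and code come from the FIRST scanner reporting "virus" and the
#    loop stops there, so later scanners never run.
#  - For "quarantine" and "tempfail" the code comes from the LAST scanner
#    that reported it.
#  - "quarantine" with no "virus" is reported as "virus".
#  - messages is the concatenation of every scanner that ran before return.
sub scan_with_all {
    my ($routines, $order) = @_;
    my %rank = (ok => 0, tempfail => 1, quarantine => 2, virus => 3);
    my ($cat, $code, $from, $vname) = ('ok', 0, '', '');
    my @messages;

    for my $name (@$order) {
        next unless $routines->{$name};                 # not enabled at run time
        my ($c, $k, $msg, $vn) = $routines->{$name}->();
        push @messages, $msg if defined $msg && length $msg;
        if ($k eq 'virus') {
            ($cat, $code, $from, $vname) = ('virus', $c, $name, $vn);
            last;                                        # rule 1: stop at first "virus"
        }
        if ($rank{$k} > $rank{$cat} or ($k ne 'ok' and $k eq $cat)) {
            ($cat, $code, $from) = ($k, $c, $name);      # rules 2/3: last of equal rank wins
        }
    }
    my $final = $cat eq 'quarantine' ? 'virus' : $cat;  # rule 2
    return (
        code      => $code,
        category  => $final,
        from      => $from,
        VirusName => $vname,
        messages  => join("\n", @messages),
    );
}

# With the canned results above this prints category=virus from Virus:C with
# VirusName=EICAR-Test, and the messages from A, B and C only (D never ran).
my @order = sort keys %routine;
my %r = scan_with_all(\%routine, \@order);
printf "category=%s code=%d from=%s VirusName=%s\n", @r{qw(category code from VirusName)};
print "$r{messages}\n";
```

The `%rank` table is what makes the precedence explicit; to drop the "skip a near-duplicate scanner" optimisation mentioned in the post into this shape, the `@order` list would simply omit the redundant name (for instance running only the `clamd` routine rather than both it and `clamav`) rather than adding a special case inside the loop.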
