[Mimedefang] avp5 return code problem
Greg Miller
gmiller at richmond.edu
Mon Dec 20 10:31:00 EST 2004
Some time ago there was discussion on the list related to an issue with
the avp5 virus scanner return code. When given a list of files to scan,
aveclient will return the code for the last file scanned. Clearly, this
is unsatisfactory. If the last file scanned is OK, but another file
scanned is INFECTED, then an OK result is returned.
At first glance, it seemed that invoking the virus scanner to scan just
INPUTMBOX, and not the entire Work directory would be a solution. For
example:
OLD
    my($code, $category, $action) =
        run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver $CWD/Work/* 2>&1", "INFECTED");
NEW
    my($code, $category, $action) =
        run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver $CWD/Work/INPUTMBOX 2>&1", "INFECTED");
However, this solution creates another problem. In parsing through the
MIME contained in the INPUTMBOX file, aveserver sometimes fails to
detect an infection that would have been discovered if it had scanned
the individual files in the Work directory. This is likely a Kaspersky bug.
So, I decided to modify mimedefang.pl so that it would capture all of
stdout/stderr from aveclient and then examine this output in addition to
examining the return code. So far, this has been successful. I have not
detected any infections slipping through to my secondary virus scanner
on another server.
Comments appreciated. The patch against 2.49 is below:
--- mimedefang.pl 2004-12-20 10:14:23.000000000 -0500
+++ /usr/local/bin/mimedefang.pl 2004-12-20 10:11:10.000000000 -0500
@@ -3791,12 +3791,14 @@
}
# Run aveclient
- my($code, $category, $action) =
run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver
$path 2>&1","INFECTED");
+ my($code, $category, $action) =
run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver
$path 2>&1");
if ($action ne 'proceed') {
return (wantarray ? ($code, $category, $action) : $code);
}
- return (wantarray ? interpret_avp5_code($code) : $code);
+ # avp5 return code can be 0 in some cases when unknown/suspicious
content is found
+ # check scanner output in addition to return code
+ return (wantarray ? interpret_avp5_output($code) : $code);
}
#***********************************************************************
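Review bot: the second argument ("INFECTED") to run_virus_scanner is dropped here without a word of explanation, and the two-line comment only talks about the return code; since the new interpret_avp5_output (defined in the next hunk) also looks for UNKNOWN and SUSPICION in $CurrentVirusScannerMessage, the comment should say the match filter was removed so that those lines are retained, e.g. `# no match filter: keep the full aveclient output for interpret_avp5_output`. Also note that this hunk calls interpret_avp5_output before it exists, so the two hunks must be applied together.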
@@ -3815,11 +3817,34 @@
}
# Run aveclient
- my($code, $category, $action) =
run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver
$CWD/Work/* 2>&1","INFECTED");
+ my($code, $category, $action) =
run_virus_scanner($Features{'Virus:AVP5'} . " -s -p /var/run/aveserver
$CWD/Work/* 2>&1");
if ($action ne 'proceed') {
return (wantarray ? ($code, $category, $action) : $code);
}
+
+ # avp5 return code can be 0 in some cases when unknown/suspicious
content is found
+ # check scanner output in addition to return code
+ return (wantarray ? interpret_avp5_output($code) : $code);
+}
+
+sub interpret_avp5_output ($) {
+ my($code) = @_;
+ if ($CurrentVirusScannerMessage =~ m/INFECTED (\S+)/){
+ $VirusName = $1;
+ $VirusName = "unknown-AVP5-virus" if $VirusName eq "";
+ return ($code, 'virus', 'quarantine');
+ }
+ if ($CurrentVirusScannerMessage =~ m/UNKNOWN/){
+ $VirusName = "unknown-AVP5-virus";
+ return ($code, 'unknown', 'quarantine');
+ }
+ if ($CurrentVirusScannerMessage =~ m/SUSPICION/){
+ $VirusName = 'suspicious';
+ return ($code, 'suspicious', 'quarantine');
+ }
+
+ # Checked special cases, now let interpret_avp5_code do its job
return (wantarray ? interpret_avp5_code($code) : $code);
}
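Review bot: in interpret_avp5_output the line `$VirusName = "unknown-AVP5-virus" if $VirusName eq "";` can never fire, because `(\S+)` in `m/INFECTED (\S+)/` only matches when at least one non-space character follows; either drop the guard or change the capture to `(\S*)` so an INFECTED line with no name still gets the fallback name. Two smaller points: the sub only records the first INFECTED name even when several files in Work/* are flagged (acceptable for quarantine, but worth a comment), and the return code `$code` is passed through unchanged, so callers that look at the code alone will still see 0 for the "output says INFECTED, exit code 0" case this patch is meant to catch.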
--
Greg Miller, RHCE, CCNA, MCSE
Senior Network Specialist
University of Richmond
gmiller at richmond.edu
(804) 289-8546
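The problem the post describes, one exit code standing in for several scanned files, is easiest to see in a small aggregator. The following is an added example, not code from the post or from MIMEDefang: it walks every line of scanner output, classifies each with the same INFECTED / UNKNOWN / SUSPICION keywords the patch uses, and keeps the most severe verdict, so a clean last file cannot mask an infected earlier one. The `<path> <VERDICT> [name]` line layout and the sample paths are assumptions made for the example; in a real mimedefang.pl hook the exit code would still be passed through alongside the result, as the patch does.

```perl
#!/usr/bin/perl
# Added example (not from the original post or MIMEDefang): aggregate
# per-file verdicts from scanner output instead of trusting one exit code.
use strict;
use warnings;

# Severity order: the highest rank seen across all files wins.
my %RANK = (ok => 0, suspicious => 1, unknown => 2, virus => 3);

# Map one output line to a MIMEDefang-style (category, action, name).
# The keywords follow the post's patch; the "<path> <VERDICT> [name]"
# layout is an assumption, not aveclient's documented format.
sub classify_line {
    my ($line) = @_;
    if ($line =~ /^(\S+)\s+INFECTED\s*(\S*)/) {
        # (\S*) may be empty, so the fallback name can actually apply
        my $name = $2 ne '' ? $2 : 'unknown-AVP5-virus';
        return ('virus', 'quarantine', $name);
    }
    return ('unknown', 'quarantine', 'unknown-AVP5-virus') if $line =~ /\bUNKNOWN\b/;
    return ('suspicious', 'quarantine', 'suspicious')      if $line =~ /\bSUSPICION\b/;
    return ('ok', 'proceed', '');
}

# Walk every output line and keep the worst verdict seen, so the
# order in which files were scanned no longer matters.
sub worst_verdict {
    my ($output) = @_;
    my ($cat, $act, $name) = ('ok', 'proceed', '');
    for my $line (split /\n/, $output) {
        my ($c, $a, $n) = classify_line($line);
        if ($RANK{$c} > $RANK{$cat}) {
            ($cat, $act, $name) = ($c, $a, $n);
        }
    }
    return ($cat, $act, $name);
}

# Constructed sample output: the infected part is scanned first and the
# last file is clean, which is exactly the case the post describes.
my $sample = <<'END';
/var/spool/MIMEDefang/mdefang-1/Work/msg-1-1.exe INFECTED EICAR-Test-File
/var/spool/MIMEDefang/mdefang-1/Work/msg-1-2.txt OK
END

my ($cat, $act, $name) = worst_verdict($sample);
print "category=$cat action=$act name=$name\n";
```

Run it with `perl aggregate.pl`; the clean second line does not downgrade the verdict set by the first. If the scanner's real output format differs, only `classify_line` needs adjusting, while the ranking logic stays the same.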