[Mimedefang] Using more than one virus scanner is a good idea.

Chris Myers chris at by-design.net
Wed Jan 28 21:26:31 EST 2004


----- Original Message ----- 
From: "Kelson Vibber" <kelson at speed.net>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Wednesday, January 28, 2004 11:36 AM
Subject: [Mimedefang] Using more than one virus scanner is a good idea.


> Mydoom/Novarg/Worm.SCO seems to be really persistent.  Despite using both
> ClamAV and manual checking (for known filenames or zips with the particular
> file size), one copy actually got through to my inbox this morning where it
> was caught by Norton Antivirus.  (Not that I would have opened it, of
> course!)  Now that File::Scan detects it, I'm still seeing a lot of copies
> slipping past it and getting caught by Clam.
>
> So I'd definitely recommend using more than one virus scanner when possible!

Here are replacements for message_contains_virus and entity_contains_virus
that use all available virus scanners (and an example of using clamd but not
clamav when both are available).  Instead of using only the first available
scanner, these new routines try the available scanners in turn, until one of
them finds a virus or all of the scanners have been tried.

--- CUT HERE ---

# Scan for a virus using all of the (distinct) virus scanners we have
# available.  The scanners are tried in turn and the first one that reports
# "virus" or "suspicious" decides the result; a scanner that returns any
# other category (including "cannot-execute") is skipped and the next one
# is tried.  clamd is preferred over the clamav command-line scanner when
# both are present, so the same engine is not run twice on one message.
sub message_contains_virus () {
   my @scanners;

   push @scanners, \&message_contains_virus_avpi     if ($Features{'Virus:AVP'});
   push @scanners, \&message_contains_virus_fprot    if ($Features{'Virus:FPROT'});
   push @scanners, \&message_contains_virus_fsav     if ($Features{'Virus:FSAV'});
   push @scanners, \&message_contains_virus_hbedv    if ($Features{'Virus:HBEDV'});
   push @scanners, \&message_contains_virus_nai      if ($Features{'Virus:NAI'});
   push @scanners, \&message_contains_virus_rav      if ($Features{'Virus:RAV'});
   push @scanners, \&message_contains_virus_nvcc     if ($Features{'Virus:NVCC'});
   push @scanners, \&message_contains_virus_sophie   if ($Features{'Virus:SOPHIE'});
   push @scanners, \&message_contains_virus_trophie  if ($Features{'Virus:TROPHIE'});
   push @scanners, \&message_contains_virus_sophos   if ($Features{'Virus:SOPHOS'});
   push @scanners, \&message_contains_virus_trend    if ($Features{'Virus:TREND'});
   push @scanners, \&message_contains_virus_filescan if ($Features{'Virus:FileScan'});
   push @scanners, \&message_contains_virus_clamd    if ($Features{'Virus:CLAMD'});
   push @scanners, \&message_contains_virus_clamav   if (!$Features{'Virus:CLAMD'} && $Features{'Virus:CLAMAV'});

   foreach my $scanner ( @scanners ) {
      my ($code, $category, $action) = &$scanner();
      if ( $category eq "virus" || $category eq "suspicious" ) {
         # In scalar context return a true value, as the individual scanner
         # routines do, so "if (message_contains_virus())" sees the hit.
         return ( wantarray ? ($code, $category, $action) : ($code || 1) );
      }
   }
   return (wantarray ? (0, 'ok', 'ok') : 0);
}

# Scan a single MIME entity for a virus using all of the (distinct) virus
# scanners we have available.  Same scanner order and same first-hit
# semantics as message_contains_virus above.
sub entity_contains_virus ($) {
   my ($e) = @_;
   my @scanners;

   push @scanners, \&entity_contains_virus_avpi     if ($Features{'Virus:AVP'});
   push @scanners, \&entity_contains_virus_fprot    if ($Features{'Virus:FPROT'});
   push @scanners, \&entity_contains_virus_fsav     if ($Features{'Virus:FSAV'});
   push @scanners, \&entity_contains_virus_hbedv    if ($Features{'Virus:HBEDV'});
   push @scanners, \&entity_contains_virus_nai      if ($Features{'Virus:NAI'});
   push @scanners, \&entity_contains_virus_rav      if ($Features{'Virus:RAV'});
   push @scanners, \&entity_contains_virus_nvcc     if ($Features{'Virus:NVCC'});
   push @scanners, \&entity_contains_virus_sophie   if ($Features{'Virus:SOPHIE'});
   push @scanners, \&entity_contains_virus_trophie  if ($Features{'Virus:TROPHIE'});
   push @scanners, \&entity_contains_virus_sophos   if ($Features{'Virus:SOPHOS'});
   push @scanners, \&entity_contains_virus_trend    if ($Features{'Virus:TREND'});
   push @scanners, \&entity_contains_virus_filescan if ($Features{'Virus:FileScan'});
   push @scanners, \&entity_contains_virus_clamd    if ($Features{'Virus:CLAMD'});
   push @scanners, \&entity_contains_virus_clamav   if (!$Features{'Virus:CLAMD'} && $Features{'Virus:CLAMAV'});

   foreach my $scanner ( @scanners ) {
      my ($code, $category, $action) = &$scanner($e);
      if ( $category eq "virus" || $category eq "suspicious" ) {
         # Same scalar-context fix as above: report the hit as a true value.
         return ( wantarray ? ($code, $category, $action) : ($code || 1) );
      }
   }
   return (wantarray ? (0, 'ok', 'ok') : 0);
}

--- CUT HERE ---

Chris Myers
Networks By Design
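A table-driven variant of the same idea, added here as an illustration and not part of Chris's post or of MIMEDefang itself: instead of stopping at the first hit it runs every configured scanner, returns the most severe verdict, and reports any scanner that could not run rather than silently skipping it. The scan_with_all routine, the scanner names and the stub verdicts are constructed for the example; only the ($code, $category, $action) triple mirrors the shape the MIMEDefang *_contains_virus_* routines return.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: a table-driven multi-scanner dispatcher with constructed
# stub scanners.  Not from the original post or from MIMEDefang itself.

# Severity order for MIMEDefang-style categories; unknown categories rank lowest.
my %RANK = ( 'virus' => 3, 'suspicious' => 2, 'cannot-execute' => 1, 'ok' => 0 );

# Run every scanner in %$scanners (name => code ref returning the
# ($code, $category, $action) triple).  Unlike a first-hit loop this does
# not stop early, so every verdict is available for logging, and a scanner
# that could not run is reported instead of being skipped.  Returns the
# most severe verdict, all verdicts, and the names of scanners that failed.
sub scan_with_all {
    my ($scanners, @args) = @_;
    my @verdicts;
    for my $name (sort keys %$scanners) {
        my ($code, $category, $action) = $scanners->{$name}->(@args);
        push @verdicts, { name     => $name,     code   => $code,
                          category => $category, action => $action };
    }
    # Most severe category wins; ties are broken by name for determinism.
    my ($worst) = sort {
        ($RANK{$b->{category}} // 0) <=> ($RANK{$a->{category}} // 0)
            or $a->{name} cmp $b->{name}
    } @verdicts;
    my @failed = map  { $_->{name} }
                 grep { $_->{category} eq 'cannot-execute' } @verdicts;
    return ($worst, \@verdicts, \@failed);
}

# Constructed stub scanners standing in for the real routines: one misses
# the sample, one catches it, one cannot reach its daemon.  The verdict
# values are made up for the example.
my %stubs = (
    clamd    => sub { return (0,   'ok',             'ok') },
    filescan => sub { return (1,   'virus',          'quarantine') },
    sophie   => sub { return (999, 'cannot-execute', 'tempfail') },
);

my ($worst, $all, $failed) = scan_with_all(\%stubs);
printf "%-9s %-15s %s\n", $_->{name}, $_->{category}, $_->{action} for @$all;
print "verdict: $worst->{category} ($worst->{action}) from $worst->{name}\n";
print "could not run: @$failed\n" if @$failed;
```

The trade-off against the first-hit loop above is cost: every message pays for every scanner, which is why a production filter usually orders the cheap daemon-based engines first and short-circuits. What this version buys is visibility, since a scanner that is down or mis-installed shows up in the output rather than quietly reducing the number of engines actually looking at the mail.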




More information about the MIMEDefang mailing list