[Mimedefang] Patch for Kaspersky 5 kavscanner support

Herbert Straub herbert at linuxhacker.at
Thu Jul 8 18:06:46 EDT 2004


Hallo,

We are working with Kaspersky Antivirus version 5.0 and use
/opt/kav/bin/kavscanner. kavscanner V5.0 uses different return codes than the
old kavscanner, so I have created three subroutines,
entity_contains_virus_kavscanner5, message_contains_virus_kavscanner5 and
interpret_kavscanner5_code, and modified initialize_virus_scanner_routines.

The kavscanner component return codes (from the manual):
During its work, the kavscanner component can return the following codes:
0          No viruses were detected.
5          All the infected objects were cleaned.
10         Password-protected archives were detected.
15         Corrupted files were detected.
20         Suspicious files were detected.
21         Files with code similar to that of known viruses were detected.
25         Infected files were detected.
30         System error during file scanning.
50         Unable to load the anti-virus database (the path specified in the
           configuration file was not found).
55         Anti-virus database corrupted.
60         The date of the anti-virus database is beyond the license key
           expiration period.
64         The license information is missing or no license key was found at
the
           path specified in the configuration file.
65         Unable to load the configuration file.
70         The kavscanner component is corrupted.


And the patch:


--- /root/mimedefang.pl.ORIG	2004-07-08 23:28:21.282620168 +0200
+++ /usr/bin/mimedefang.pl	2004-07-08 23:41:46.045277648 +0200
@@ -91,6 +91,7 @@
 
 $Features{'Virus:AVP'}      = ('/bin/false' ne '/bin/false' ? '/bin/false' :
0);
 $Features{'Virus:AVP5'}      = ('/bin/false' ne '/bin/false' ? '/bin/false' :
0);
+$Features{'Virus:kavscanner5'}      = ('/bin/false' ne '/bin/false' ?
'/bin/false' : 0);
 $Features{'Virus:CLAMAV'}   = ('/bin/false' ne '/bin/false' ? '/bin/false' :
0);
 $Features{'Virus:CLAMD'}    = ('/bin/false' ne '/bin/false' ? '/bin/false' :
0);
 $Features{'Virus:FPROT'}    = ('/bin/false' ne '/bin/false' ? '/bin/false' :
0);
@@ -114,6 +115,14 @@
 $Features{'Path:SPOOLDIR'}  = '/var/spool/MIMEDefang';
 $Features{'Path:CONFDIR'}   = '/etc/mail';
 
+# Herbert Straub
+$Features{'Virus:kavscanner5'} = '/opt/kav/bin/kavscanner';
+# $Features{'Virus:CLAMD'} = '/usr/bin/clamdscan';
+$Features{"SpamAssassin"} = 0;
+$Features{"Unix::Syslog"} = 0;
+# Herbert Straub
+
+
 sub rfc2822_date();
 sub header_timezone($);
 
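Review bot: The block between the two `# Herbert Straub` markers is site-local configuration rather than part of kavscanner5 support: it sets `$Features{"SpamAssassin"} = 0;` and `$Features{"Unix::Syslog"} = 0;`, so anyone applying the patch unchanged would switch those two features off on their own installation. It also hard-codes `/opt/kav/bin/kavscanner` unconditionally, overriding the `$Features{'Virus:kavscanner5'}` line added in the first hunk, so the scanner routines get registered even on hosts where that binary does not exist. These assignments are better dropped from the patch. The first-hunk line looks like substituted configure output, so the path detection probably belongs in the template the script is generated from.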
@@ -3461,6 +3470,103 @@
 }
 
 #***********************************************************************
+# %PROCEDURE: entity_contains_virus_kavscanner5
+# %ARGUMENTS:
+#  entity -- a MIME entity
+# %RETURNS:
+#  1 if entity contains a virus as reported by Kaspersky 5.x
+# %DESCRIPTION:
+#  Runs the Kaspersky 5.x kavscanner program on the entity.
+#***********************************************************************
+sub entity_contains_virus_kavscanner5 ($) {
+    unless ($Features{'Virus:kavscanner5'}) {
+	md_syslog('err', "$MsgID: Kaspersky kavscanner5 not installed on this
system");
+	return (wantarray ? (1, 'not-installed', 'tempfail') : 1);
+    }
+
+    my($entity) = @_;
+    my($body) = $entity->bodyhandle;
+
+    if (!defined($body)) {
+	return (wantarray ? (0, 'ok', 'ok') : 0);
+    }
+
+    # Get filename
+    my($path) = $body->path;
+    if (!defined($path)) {
+	return (wantarray ? (999, 'swerr', 'tempfail') : 1);
+    }
+
+    # Run kavscanner5
+    my($code, $category, $action) =
run_virus_scanner($Features{'Virus:kavscanner5'} . " -q -o  $CWD/DAEMON.RPT
$path 2>&1","INFECTED");
+
+    if ($action ne 'proceed') {
+	return (wantarray ? ($code, $category, $action) : $code);
+    }
+    return (wantarray ? interpret_kavscanner5_code($code) : $code);
+}
+
+#***********************************************************************
+# %PROCEDURE: message_contains_virus_kavscanner5
+# %ARGUMENTS:
+#  Nothing
+# %RETURNS:
+#  1 if any file in the working directory contains a virus
+# %DESCRIPTION:
+#  Runs the Kaspersky 5.x kavscanner5 program on the working directory
+#***********************************************************************
+sub message_contains_virus_kavscanner5 () {
+    unless ($Features{'Virus:kavscanner5'}) {
+	md_syslog('err', "$MsgID: Kaspersky kavscanner5 not installed on this
system");
+	return (wantarray ? (1, 'not-installed', 'tempfail') : 1);
+    }
+
+    # Run kavscanner5
+    my($code, $category, $action) =
run_virus_scanner($Features{'Virus:kavscanner5'} . " -q -o $CWD/DAEMON.RPT
$CWD/Work/* 2>&1","INFECTED");
+
+    if ($action ne 'proceed') {
+	return (wantarray ? ($code, $category, $action) : $code);
+    }
+    return (wantarray ? interpret_kavscanner5_code($code) : $code);
+}
+
+sub interpret_kavscanner5_code ($) {
+    my($code) = @_;
+    # From info obtained from:
+    # man kavscanner (/opt/kav/man/kavscanner.8)
+
+    # OK
+    return ($code, 'ok', 'ok') if ($code == 0);
+
+    # infected=25
+    if ($code == 25) {
+        $VirusName = $1
+            if ($CurrentVirusScannerMessage =~ m/INFECTED (\S+)/);
+        $VirusName = "unknown-AVP5-virus" if $VirusName eq "";
+        return ($code, 'virus', 'quarantine');
+    }
+
+    # "suspicious" object found=20 or
+    # Files with code similar to that of known viruses were detected=21
+    if ($code == 20 or $code == 21) {
+        $VirusName = 'suspicious';
+        return ($code, 'suspicious', 'quarantine');
+    }
+
+    # cleaned=5
+    return ($code, 'ok', 'ok') if ($code == 5);
+
+    # Corrupt objects found -- treat as suspicious
+    if ($code == 15) {
+        $VirusName = 'suspicious';
+        return ($code, 'suspicious', 'quarantine');
+    }
+
+    # Anything else shouldn't happen
+    return ($code, 'swerr', 'tempfail');
+}
+
+#***********************************************************************
 # %PROCEDURE: entity_contains_virus_avp
 # %ARGUMENTS:
 #  entity -- a MIME entity
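Review bot: Return code 10 (password-protected archives), which the quoted manual lists as a normal scan outcome, has no branch in interpret_kavscanner5_code and falls through to `return ($code, 'swerr', 'tempfail');`, so a message carrying an encrypted archive would be temp-failed on every delivery attempt instead of getting a deliberate verdict. An explicit branch makes the policy visible, for example `return ($code, 'suspicious', 'quarantine') if ($code == 10);`, or an 'ok' verdict if the site chooses to accept unscannable archives. Code 5 is mapped to 'ok' although neither command line visibly requests disinfection, so it is worth confirming that the file on disk really was cleaned before the message is passed on. interpret_kavscanner5_code also lacks the `%PROCEDURE`/`%RETURNS` header that the two scanner subs have; a header listing the code-to-verdict mapping, including which codes intentionally tempfail (30, 50-70), would document the fail-closed behaviour.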
@@ -6149,6 +6255,11 @@
 	push @VirusScannerEntityRoutines, \&entity_contains_virus_avp5;
     }
 
+    if ($Features{'Virus:kavscanner5'}) {
+	push @VirusScannerMessageRoutines, \&message_contains_virus_kavscanner5;
+	push @VirusScannerEntityRoutines, \&entity_contains_virus_kavscanner5;
+    }
+
     if ($Features{'Virus:OpenAV'}) {
 	push @VirusScannerMessageRoutines, \&message_contains_virus_openantivirus;
 	push @VirusScannerEntityRoutines, \&entity_contains_virus_openantivirus;







