[Mimedefang] Status of multiple AV scan in v2.39

Lucas Albers albersl at cs.montana.edu
Wed Mar 3 12:54:17 EST 2004


David F. Skoll said:
> On Wed, 3 Mar 2004, Graham Dunn wrote:
>
>> I vaguely remember some mention that this version supported scanning
>> using multiple engines, rather than the "first found" approach.
>
> No; the latest beta has it, though.
>
> Regards,
It's easy to set up for earlier versions; just go read the archives:
http://lists.roaringpenguin.com/pipermail/mimedefang/2004-January/019068.html

The pertinent part is:
sub message_contains_virus () {
    # The stock per-engine dispatch at the top of mimedefang.pl's version of
    # this function is commented out (only one of those lines is shown here):
    #return message_contains_virus_carrier_scan() if ($Features{'Virus:SymantecCSS'});
    #return (wantarray ? (0, 'ok', 'ok') : 0);
    my ($code, $cat, $act);

    # Engines are tried in order; the first one whose action is not "ok"
    # decides, and its ($code, $category, $action) triple is returned.
    if ($Features{'Virus:FileScan'}) {
        #md_syslog('warning', "Running Virus Scanner Filescan");
        ($code, $cat, $act) = message_contains_virus_filescan();
        #action_change_header("X-Virus-Scanned by FileScan");
        if ($act ne "ok") {
            md_syslog('warning', "Running Virus Scanner Filescan Detected $code,$cat,$act");
        }
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }

    if ($Features{'Virus:CLAMAV'}) {
        #md_syslog('warning', "Running Virus Scanner CLAMAV");
        ($code, $cat, $act) = message_contains_virus_clamav();
        #action_change_header("X-Virus-Scanned by CLAMAV");
        if ($act ne "ok") {
            md_syslog('warning', "Running Virus Scanner CLAMAV Detected $code,$cat,$act");
        }
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }

    if ($Features{'Virus:FPROT'}) {
        #md_syslog('warning', "Running Virus Scanner FPROT");
        ($code, $cat, $act) = message_contains_virus_fprot();
        #action_change_header("X-Virus-Scanned by FPROT");
        if ($act ne "ok") {
            # Quarantines and notifies here, in addition to what filter_begin does.
            action_quarantine_entire_message("FPROT DETECTED VIRUS,$code,$cat,$act");
            action_notify_administrator("FPROT Detected $code,$cat,$act.\n");
            md_syslog('warning', "Running Virus Scanner FPROT Detected $code,$cat,$act");
        }
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }

    if ($Features{'Virus:NAI'}) {
        #md_syslog('warning', "Running Virus Scanner NAI");
        ($code, $cat, $act) = message_contains_virus_nai();
        #action_change_header("X-Virus-Scanned by NAI");
        if ($act ne "ok") {
            # Quarantines and notifies here, in addition to what filter_begin does.
            action_quarantine_entire_message("NAI DETECTED VIRUS,$code,$cat,$act");
            action_notify_administrator("NAI Detected $code,$cat,$act.\n");
            md_syslog('warning', "Running Virus Scanner NAI Detected $code,$cat,$act");
        }
        return (wantarray ? ($code, $cat, $act) : $code) if $act ne "ok";
    }

    # No engine flagged the message: return the same "clean" triple that
    # mimedefang.pl's own message_contains_virus() returns, so the caller
    # never sees an undefined action.
    return (wantarray ? (0, 'ok', 'ok') : 0);
}

Steps:
1.) Modify mimedefang-filter to have this in it; comment out all
declarations of virus scanners at the top of the function.
See how all instances of return message_contains_virus* at the top of the
function are commented out.
Add in declarations for the virus scanners you want to run.

Declare the virus scanners you have in /usr/bin/mimedefang.pl; basically
you declare the scanner and then the path, like so.
This is what I have in /usr/bin/mimedefang.pl:
$Features{'Virus:CLAMAV'}   = ('/usr/bin/clamdscan');
$Features{'Virus:FPROT'}    = ('/usr/local/bin/f-prot');
$Features{'Virus:FileScan'} = $Features{'File::Scan'};
$Features{'Virus:NAI'}      = ('/usr/local/sbin/uvscan');

I also do my virus scanner reject in filter_begin, like so:

    my ($code, $category, $action) = message_contains_virus();
    # Lower level of paranoia - only looks for actual viruses
    #$FoundVirus = ($category eq "virus");

    # Guard against a scanner chain that returns nothing.
    if (!defined($action)) {
        $action = "";
    }
    if (!defined($category)) {
        $category = "";
    }

    if ($action eq "virus" || $action eq "quarantine") {
        md_log('virus', $VirusName, $RelayAddr);
        $exclude_clean = 1;    # filter-local flag, set elsewhere in the filter
        action_quarantine_entire_message("Virus Scanner detected virus");
        return action_discard();
    }

Test everything! Save all your rejected virus-scanner messages for a few
weeks, until you are sure you understand how it works and you don't have
too paranoid a setting.
(Assuming this is a virus scanner deployment.)
-- 
Luke Computer Science System Administrator
Security Administrator,College of Engineering
Montana State University-Bozeman,Montana
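The function posted above still stops at the first engine that reports anything, so it is "first found" with a fallback chain rather than a true multi-engine scan. The following is an added example (not code from the post, the thread, or MIMEDefang itself) showing how the same message_contains_virus() / filter_begin contract can instead run every configured engine and combine the verdicts. It keeps MIMEDefang's ($code, $category, $action) return shape and the "ok" / "quarantine" / "tempfail" action strings, but the scanner subs, their verdicts, the $Features paths and the logger are constructed stand-ins for this example; in a real filter you would point the %SCANNER table at the real message_contains_virus_clamav() and friends and pass md_syslog as the logger.

```perl
#!/usr/bin/perl
# Added example: run every configured engine and combine the verdicts.
# Not code from the mailing-list post or from MIMEDefang; it only follows the
# ($code, $category, $action) convention the post's scanner calls use.
use strict;
use warnings;

# Stand-ins for the real MIMEDefang scanner subs (message_contains_virus_clamav
# etc.).  The verdicts are constructed for this example, not real scan output;
# in a filter you would reference the real subs here instead.
my %SCANNER = (
    'Virus:CLAMAV' => sub { return (1, 'virus',          'quarantine') }, # hit
    'Virus:FPROT'  => sub { return (0, 'ok',             'ok')         }, # clean
    'Virus:NAI'    => sub { return (2, 'cannot-execute', 'tempfail')   }, # engine broke
);

# Mirrors the $Features{'Virus:...'} switches from the post (hypothetical paths).
my %Features = (
    'Virus:CLAMAV' => '/usr/bin/clamdscan',
    'Virus:FPROT'  => '/usr/local/bin/f-prot',
    'Virus:NAI'    => '/usr/local/sbin/uvscan',
);

# Run all enabled engines; never stop at the first detection.
# Returns a hash: engine name => [code, category, action].
sub run_all_engines {
    my ($scanner, $features, $log) = @_;
    my %verdict;
    for my $name (sort keys %$scanner) {
        next unless $features->{$name};               # engine not configured
        my ($code, $cat, $act) = $scanner->{$name}->();
        # A scanner that returns nothing is a failure, not a clean result.
        ($code, $cat, $act) = (999, 'swerr', 'tempfail') unless defined $act;
        $verdict{$name} = [ $code, $cat, $act ];
        $log->("$name: code=$code category=$cat action=$act") if $log;
    }
    return %verdict;
}

# Fold the per-engine verdicts into one MIMEDefang-style triple.
# Policy (a choice made for this example): any 'quarantine' verdict wins, so a
# confirmed detection is never downgraded because another engine failed;
# otherwise any 'tempfail' wins, since no engine could clear the message;
# otherwise the message is clean.  The fourth element lists the engines
# behind the decision, e.g. for a header or the syslog line.
sub combine_verdicts {
    my (%verdict) = @_;
    my @hit    = grep { $verdict{$_}[2] eq 'quarantine' } sort keys %verdict;
    my @failed = grep { $verdict{$_}[2] eq 'tempfail'   } sort keys %verdict;
    return (1, 'virus',          'quarantine', \@hit)    if @hit;
    return (1, 'cannot-execute', 'tempfail',   \@failed) if @failed;
    return (0, 'ok',             'ok',         []);
}

# Drop-in replacement for the post's message_contains_virus(): same calling
# convention, so filter_begin's
#   my ($code, $category, $action) = message_contains_virus();
# keeps working and its $action check is unchanged.  In a real filter pass
# sub { md_syslog('warning', @_) } as $log.
sub message_contains_virus_all {
    my ($log) = @_;
    my %verdict = run_all_engines(\%SCANNER, \%Features, $log);
    my ($code, $cat, $act, $engines) = combine_verdicts(%verdict);
    return wantarray ? ($code, $cat, $act, $engines) : $code;
}

# Stand-alone demonstration with md_syslog replaced by STDERR.
unless (caller) {
    my ($code, $cat, $act, $engines) =
        message_contains_virus_all(sub { print STDERR "@_\n" });
    print "code=$code category=$cat action=$act engines=@$engines\n";
}
```

With the constructed verdicts above, the CLAMAV hit decides the message even though the NAI stand-in failed; remove the CLAMAV hit and the NAI failure turns the result into a tempfail instead of a silent pass, which is the fail-closed behaviour you want from a gateway scanner. Note that this changes cost: every engine runs on every message, so the per-message scan time is the sum of the engines rather than the first one that fires.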


