[Mimedefang] Reporting Encrypted-ZIP-files w/ vexira

Cormack, Ken kcormack at acs.roadway.com
Thu Mar 11 12:35:03 EST 2004


Group,

I'd like to have encrypted zip files logged as such, rather than have them
logged as "unknown-Vexira-virus".

In my mimedefang.pl, I use the following commandline parameters for Vexira.

	--allfiles --alltypes --warnings-as-alerts -z -rs

Running that commandline against my test zip, I use the following:
	vexira --allfiles --alltypes --warnings-as-alerts -z -rs testfile.zip

This generates the output below.  I'd like to be able to key on the words
"contents encrypted" and report the file as "Encrypted-ZIP-file", rather
than "unknown-Vexira-virus".  The change would need to go in sub
interpret_vexira_code ($), but I'm not sure of the syntax needed.  My
attempt, shown commented out below, doesn't work.  Any ideas?

sub interpret_vexira_code ($) {
    # Based on info from Nels Lindquist
    # Based on code from H+BEDV AntiVir
    my($code) = @_;

    # OK
    return ($code, 'ok', 'ok') if ($code == 0);

    # Virus or virus in memory
    if ($code == 1 or $code == 2) {
        $VirusName = $1 if ($CurrentVirusScannerMessage =~ m/ALERT: \[(\S+)/ or
                            $CurrentVirusScannerMessage =~ /!Virus! \S+ (\S+)/ or
                            $CurrentVirusScannerMessage =~ m/VIRUS: file contains code of the virus '(\S+)'/);
        # Attempted addition for encrypted archives (still commented out).
        # The scanner output variable is $CurrentVirusScannerMessage; the
        # doubled sigil ($$...) in the original line dereferenced it instead.
#       $VirusName = "Encrypted-ZIP-file" if ($CurrentVirusScannerMessage =~ m/contents encrypted/);
        $VirusName = "unknown-Vexira-virus" if $VirusName eq "";
        return ($code, 'virus', 'quarantine');
    }

    # All other codes should not happen
    return ($code, 'swerr', 'tempfail');
}

Here's the output from Vexira that I'm trying to key off of.

Vexira Antivirus / Linux Version 2.2.0-9
Copyright (C) 2002-2004 Central Command, Inc. and/or its suppliers.
Portions copyright (C) 1996-2004 H+BEDV Datentechnik GmbH.
All rights reserved.

Loading /usr/lib/Vexira/vexira.vdf ...

VDF version: 6.24.0.51 created 11 Mar 2004

Vexira Antivirus license: 2003000000 for ACS, Inc. Procurement Division PO 8442805

WARNING: testfile.zip archive not completely scanned: contents encrypted

----- scan results -----
 directories:        0
       files:        1
      alerts:        0
    warnings:        1
   scan time: 00:00:01
------------------------

Thank you for using Vexira Antivirus!

KEN CORMACK, RHCE
Sr. UNIX Systems Analyst,
    Open Systems Group
Sr. Software Analyst,
    TSG Midrange Systems Group
AFFILIATED COMPUTER SERVICES, INC.
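The classification the post is asking for, as a stand-alone added example (not MIMEDefang's own interpret_vexira_code and not the poster's code): the scanner message is passed in as a parameter so the routine can be run outside mimedefang.pl, the encrypted-archive warning is tested before the virus-name patterns, and the example assumes that --warnings-as-alerts turns the warning into exit code 1. The sample scanner lines are constructed from the WARNING line in the post plus a made-up ALERT line in the H+BEDV format the existing regex expects.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Classify a Vexira exit code together with its captured output.
# Returns ($code, $category, $action, $virus_name); the first three mirror
# the return values of interpret_vexira_code(), the fourth is the name the
# real routine would store in $VirusName.
sub classify_vexira {
    my ($code, $msg) = @_;
    return ($code, 'ok', 'ok', '') if $code == 0;

    if ($code == 1 or $code == 2) {
        my $name = '';
        # Check the encrypted-archive warning first: it yields no ALERT line
        # to capture a name from, so it would otherwise fall through to the
        # generic "unknown-Vexira-virus" label.
        if ($msg =~ m/archive not completely scanned: contents encrypted/) {
            $name = 'Encrypted-ZIP-file';
        }
        elsif ($msg =~ m/ALERT: \[(\S+)/
            or $msg =~ m/!Virus! \S+ (\S+)/
            or $msg =~ m/VIRUS: file contains code of the virus '(\S+)'/) {
            $name = $1;    # $1 holds the capture of the last successful match
        }
        $name = 'unknown-Vexira-virus' if $name eq '';
        return ($code, 'virus', 'quarantine', $name);
    }
    # Any other exit code is treated as a scanner error, as in the original.
    return ($code, 'swerr', 'tempfail', '');
}

# Constructed sample output (assumption: the warning exits with code 1).
my $encrypted_output = "WARNING: testfile.zip archive not completely scanned: contents encrypted\n";
# Constructed ALERT line in the "[Name virus]" layout the first regex captures.
my $alert_output = "ALERT: [Sample-Virus-Name virus] testfile.com <<< Contains code of the virus\n";

for my $case ([1, $encrypted_output], [1, $alert_output], [0, ''], [3, '']) {
    my ($code, $cat, $action, $name) = classify_vexira(@$case);
    printf "exit %d -> %-6s %-10s %s\n", $code, $cat, $action, $name;
}
```

The encrypted archive is still returned as 'virus'/'quarantine', matching what the poster's commented-out line would have done; only the logged name changes.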