[Mimedefang] Fprotd problems and patch
Steffen Kaiser
skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Wed Oct 19 09:58:31 EDT 2005
Hello,
f-protd (daemonized F-Prot) has a quirk.
The scanner returns these result codes:
# 0 Not scanned, unable to handle the object.
# 1 Not scanned due to an I/O error.
# 2 Not scanned, as the scanner ran out of memory.
# 3 X The object is not of a type the scanner knows. This
# may either mean it was misidentified or that it is
# corrupted.
# 4 X The object was valid, but encrypted and could not
# be scanned.
# 5 Scanning of the object was interrupted.
# 7 X The object was identified as an "innocent" object.
# 9 X The object was successfully scanned and nothing was
# found.
# 11 The object is infected.
# 13 The object was disinfected.
Now I found a reason why code #0 is not acceptable to be blocked by the
server: the code is triggered by compiled Java classes (*.class).
I have therefore changed the logic of mimedefang.pl so that code 0 gets the
same treatment as code 3 -- corrupt or unknown archive.
Code 3 is also returned by some binary text files, like Word .doc.
Maybe it would be good to have a user-controlled way to react to the
return codes, because:
- fprotd cannot scan directories as a whole, but you have to feed it one file
after another, therefore there is a loop to do so.
- when one item triggers "not ok" (whatever the reason), the loop is
terminated and the non-ok value is returned.
- So when you have one item of code 0 (till now it returns "tempfail"),
message_contains_virus() returns (900, "cannot-execute", "tempfail")
If you let it pass because of code 900 (actually, the code is the scanner
code + 900), there might be some not-scanned items, because the loop had
been terminated.
So, I would suggest to revamp all the scanner codes, at least those ones
that recurse the Work directory themselves to:
a) use the same recursion code, and
b) either:
b1) scan all items and score the results, e.g.:
ok -> score 0
suspicious -> score 1
quarantine -> score 10
virus -> score 100
and return the result with the highest score. (Actually one can break when
the maximal score had been found).
b2) Don't score the result by the code in mimedefang.pl at all, but by an
user-supplied function - with defaults, if none is supplied. The easiest
method would be to have a global array - one needs to define such array
for those scanners only, which are installed, hence, there should be no
memory overhead.
b3) Add a "mixed-result" code, which contains all results of all items,
maybe compressed, like: return code OK had been found three times,
tempfail because of code 0 five times, and so on.
Actually, I'd prefer implementing variant 2, because it might open the way for a
more generic handling of unknown attachments, e.g. when the virus scanner
returns code 0 (unknown), one could bounce the message with the text
"Invalid attachment, retransmit wrapped up in a ZIP archive".
Well, I do not scan archives, so they would pass and will be scanned
by the virus scanner on the computer of the recipient, if the sender
retries at all.
Any opinions?
Bye,
--
Steffen Kaiser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fprotd_code0.patch.gz
Type: application/octet-stream
Size: 714 bytes
Desc: F-protd code0 patch
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20051019/1d99f558/attachment.obj>
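The scan-all-and-score loop proposed above (variant b1), with the per-code override table of variant b2 and the result histogram of variant b3, written out as an added Perl example. It is not code from mimedefang.pl or from the attached patch; the override hash name %FprotdCodeScore, the score values, and the fake_fprotd stand-in for the real daemon query are assumptions made for the example so that it runs without F-Prot installed.

```perl
#!/usr/bin/perl
# Added example, not code from mimedefang.pl or from the attached patch.
# Scan every file in a work directory with a per-file scanner call,
# score each f-protd result code, and return the worst result instead
# of stopping at the first non-ok item.
use strict;
use warnings;
use File::Find;

# Default scores for the f-protd result codes listed in the post.
# Code 0 is treated like code 3 (unknown/corrupt object), which is what
# the patch described in the message does for *.class files.
my %DefaultScore = (
    0  => [   1, 'suspicious' ],   # unable to handle (e.g. *.class)
    1  => [  50, 'tempfail'   ],   # I/O error
    2  => [  50, 'tempfail'   ],   # out of memory
    3  => [   1, 'suspicious' ],   # unknown or corrupt object
    4  => [   1, 'suspicious' ],   # encrypted, could not be scanned
    5  => [  50, 'tempfail'   ],   # scan interrupted
    7  => [   0, 'ok'         ],   # "innocent" object
    9  => [   0, 'ok'         ],   # scanned, nothing found
    11 => [ 100, 'virus'      ],   # infected
    13 => [ 100, 'virus'      ],   # disinfected, so it was infected
);
my $MaxScore = 100;

# Assumed name for the user override table (variant b2): a filter can
# set e.g. $FprotdCodeScore{0} = [ 50, 'tempfail' ] to restore the
# old behaviour for code 0 without touching mimedefang.pl.
our %FprotdCodeScore;

sub score_code {
    my ($code) = @_;
    my $entry = $FprotdCodeScore{$code} // $DefaultScore{$code};
    # A code in neither table is unknown: fail safe with a tempfail.
    $entry //= [ 50, 'tempfail' ];
    return @$entry;
}

# Walk $dir, call $scan_one->($path) on each regular file (f-protd
# cannot scan a directory as a whole) and keep the highest-scoring
# result. Also returns a histogram of all codes seen, the "mixed
# result" of variant b3, so the caller can see what else was found.
sub scan_work_dir {
    my ($dir, $scan_one) = @_;
    my ($worst_score, $worst_code, $worst_cat) = (-1, 9, 'ok');
    my %hist;
    my @files;
    find({ no_chdir => 1,
           wanted   => sub { push @files, $File::Find::name if -f $_ } },
         $dir);
    for my $path (sort @files) {
        my $code = $scan_one->($path);
        $hist{$code}++;
        my ($score, $cat) = score_code($code);
        if ($score > $worst_score) {
            ($worst_score, $worst_code, $worst_cat) = ($score, $code, $cat);
        }
        last if $worst_score >= $MaxScore;   # a virus cannot be outscored
    }
    return ($worst_code, $worst_cat, \%hist);
}

# Constructed stand-in for the real daemon query, chosen by file name,
# so the example runs without F-Prot installed.
sub fake_fprotd {
    my ($path) = @_;
    return 0  if $path =~ /\.class\z/;   # compiled Java class
    return 3  if $path =~ /\.doc\z/;     # binary "text" file
    return 11 if $path =~ /eicar/;       # pretend infection
    return 9;
}

unless (caller) {
    require File::Temp;
    my $dir = File::Temp->newdir();
    for my $name (qw(readme.txt Applet.class letter.doc)) {
        open my $fh, '>', "$dir/$name" or die "$name: $!";
        print {$fh} "placeholder\n";
        close $fh;
    }
    my ($code, $cat, $hist) = scan_work_dir("$dir", \&fake_fprotd);
    printf "worst result: code %d (%s)\n", $code, $cat;
    printf "  code %2d seen %d time(s)\n", $_, $hist->{$_}
        for sort { $a <=> $b } keys %$hist;
}
```

With the three constructed files, the loop visits all of them (no early return on the *.class item), the worst result is code 0 scored as "suspicious", and the histogram still shows the code 3 and code 9 items. Note the trade-off in the early `last`: once a virus is found the histogram stops being complete, which is fine for blocking but matters if the mixed-result report of variant b3 is what you want.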