[Mimedefang] Fprotd problems and patch

Steffen Kaiser skmimedefang at smail.inf.fh-bonn-rhein-sieg.de
Wed Oct 19 09:58:31 EDT 2005


f-protd (daemonized F-Prot) has a quirk.

The scanner returns these result codes:

#  0      Not scanned, unable to handle the object.
#  1      Not scanned due to an I/O error.
#  2      Not scanned, as the scanner ran out of memory.
#  3  X   The object is not of a type the scanner knows. This
#         may  either mean it was misidentified or that it is
#         corrupted.
#  4  X   The object was valid, but encrypted and  could  not
#         be scanned.
#  5      Scanning of the object was interrupted.
#  7  X   The  object was identified as an "innocent" object.
#  9  X   The object was successfully scanned and nothing was
#         found.
#  11     The object is infected.
#  13     The object was disinfected.

Now I have found a reason why code #0 is not acceptable to be blocked by the 
server: the code is triggered by compiled Java classes (*.class).

I have therefore changed the logic of mimedefang.pl so that code 0 gets the 
same behaviour as code 3 -- corrupt or unknown archive.
Code 3 is also returned by some binary text files, like Word .doc.

Maybe it would be good to have a user-controlled way to react to the 
return codes, because:

- fprotd cannot scan directories as a whole; you have to feed it one file 
after another, therefore there is a loop to do so.
- when one item triggers "not ok" (whatever the reason), the loop is 
terminated and the non-ok value is returned.
- So when you have one item of code 0 (until now it returns "tempfail"), 
message_contains_virus() returns (900, "cannot-execute", "tempfail")

If you let it pass because of code 900 (actually, the code is the scanner 
code + 900), there might be some not-scanned items, because the loop had 
been terminated.

So I would suggest revamping all the scanner codes, at least those 
that recurse the Work directory themselves, to:

a) use the same recursion code, and
b) either:
b1) scan all items and score the results, e.g.:
ok -> score 0
suspicious -> score 1
quarantine -> score 10
virus -> score 100
and return the result with the highest score. (Actually one can break when 
the maximal score has been found).

b2) Don't score the result by the code in mimedefang.pl at all, but by a 
user-supplied function - with defaults, if none is supplied. The easiest 
method would be to have a global array - one needs to define such an array 
only for those scanners which are installed, hence there should be no 
memory overhead.

b3) Add a "mixed-result" code, which contains all results of all items, 
maybe compressed, like: return code OK had been found three times, 
tempfail because of code 0 five times, and so on.

Actually, I'd prefer implementing variant 2, because it might open the way for a 
more generic handling of unknown attachments, e.g. when the virus scanner 
returns code 0 (unknown), one could bounce the message with the text 
"Invalid attachment, retransmit wrapped up in a ZIP archive".
Well, I do not scan any archives, so they would pass and will be scanned 
by the virus scanner on the computer of the recipient, if the sender 
retries at all.

Any opinions?


Steffen Kaiser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: fprotd_code0.patch.gz
Type: application/octet-stream
Size: 714 bytes
Desc: F-protd code0 patch
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20051019/1d99f558/attachment.obj>
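The scoring loop proposed in b1, combined with the overridable per-code table from b2, as an added Perl example (not the patch attached to this post and not mimedefang.pl's own code); f-protd is replaced by a constructed stub, and the action strings and all sub/variable names are assumptions.

```perl
# Added example: not the post's patch and not mimedefang.pl's own code.
# Models variant b1 (scan every item, score, return the highest) with the
# overridable per-code table of b2.  f-protd itself is replaced by a
# constructed filename -> result code map; all names here are hypothetical.
use strict;
use warnings;

# [category, action, score] per f-protd result code.  A filter could
# override entries of this global hash; code 0 is treated like code 3.
# Categories come from the post; the "proceed" action is an assumption.
our %FprotdDisposition = (
    0  => [ 'ok',         'proceed',     0 ],   # unknown object, e.g. *.class
    1  => [ 'tempfail',   'tempfail',   50 ],   # I/O error
    2  => [ 'tempfail',   'tempfail',   50 ],   # out of memory
    3  => [ 'ok',         'proceed',     0 ],   # unknown/corrupt, e.g. Word .doc
    4  => [ 'suspicious', 'quarantine',  1 ],   # encrypted, not scanned
    5  => [ 'tempfail',   'tempfail',   50 ],   # scan interrupted
    7  => [ 'ok',         'proceed',     0 ],   # "innocent" object
    9  => [ 'ok',         'proceed',     0 ],   # scanned, nothing found
    11 => [ 'virus',      'quarantine', 100 ],  # infected
    13 => [ 'quarantine', 'quarantine',  10 ],  # disinfected
);
my $UNKNOWN = [ 'cannot-execute', 'tempfail', 50 ];   # code not in the table

# Constructed stand-in for feeding f-protd one file after another.
my %fake_scan_result = (
    'Work/Applet.class' => 0,   # gave "tempfail" before the patch
    'Work/report.doc'   => 3,
    'Work/secret.zip'   => 4,
    'Work/readme.txt'   => 9,
);
sub fake_fprotd_scan { return $fake_scan_result{ $_[0] } // 0 }

# Unlike the current loop, do not stop at the first non-ok item: keep the
# highest-scoring result and break only when nothing can beat it.
sub score_work_dir {
    my ($best, $best_code, $best_file) = ([ 'ok', 'proceed', -1 ], 9, '');
    for my $f (@_) {
        my $code  = fake_fprotd_scan($f);
        my $entry = $FprotdDisposition{$code} // $UNKNOWN;
        ($best, $best_code, $best_file) = ($entry, $code, $f)
            if $entry->[2] > $best->[2];
        last if $best->[2] >= 100;   # "virus" is the maximal score
    }
    # mimedefang convention from the post: scanner code + 900
    return ($best_code + 900, $best->[0], $best->[1], $best_file);
}

my ($code, $category, $action, $file) = score_work_dir(sort keys %fake_scan_result);
print "$category/$action (code $code), decided by $file\n";
```

With the constructed inputs the encrypted archive wins over the unknown .class and .doc objects, so the message is no longer tempfailed for a Java class while a genuinely unscannable item is still reported.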
