[Mimedefang] Nod32 integration on Mimedefang
Matt Selsky
selsky at columbia.edu
Sun Jan 29 17:13:23 EST 2006
> Just a few comments on this since I tried looking into nod32 just a few
> days ago:
>
> Looking at the website, I'd expect version 2.51 to be most current, not
> 1.0.4? On the other hand, trial versions for linux don't seem to be
> freely available any longer.
>
> The manual for 2.5 does list a feature that would make nod32 interesting
> for use in scanning email: there's now a scanner daemon and commandline
> client for the daemon (/usr/sbin/nod32d, /usr/bin/nod32cli).
I wrote a different patch for NOD32 based on the documentation at
http://u4.eset.com/manuals/guide_nod32ls.pdf. This patch uses nod32cli
to do the scanning and uses different command-line arguments and return
code parsing from the previously posted patch.
Feedback is welcome.
--
Matt
-------------- next part --------------
diff -ur ../mimedefang-2.55.orig/README ./README
--- ../mimedefang-2.55.orig/README 2005-02-08 11:04:22.000000000 -0500
+++ ./README 2006-01-24 17:13:18.094103000 -0500
@@ -239,6 +239,7 @@
--disable-fprot Do not include support for F-prot Anti-Virus
--disable-sophie Do not include support for Sophie
--disable-nvcc Do not include support for Nvcc
+ --disable-nod32 Do not include support for ESET NOD32
5) Add the following line to your Sendmail "m4" configuration file. (You
DO use the m4 configuration method, right?)
diff -ur ../mimedefang-2.55.orig/configure.in ./configure.in
--- ../mimedefang-2.55.orig/configure.in 2006-01-18 13:54:02.000000000 -0500
+++ ./configure.in 2006-01-24 17:16:21.559921000 -0500
@@ -509,6 +509,7 @@
AC_ARG_ENABLE(nvcc, [ --disable-nvcc Do not include support for Nvcc], ac_cv_nvcc=$enableval, ac_cv_nvcc=yes)
AC_ARG_ENABLE(clamd, [ --disable-clamd Do not include support for clamd], ac_cv_clamd=$enableval, ac_cv_clamd=yes)
AC_ARG_ENABLE(trophie, [ --disable-trophie Do not include support for Trophie], ac_cv_trophie=$enableval, ac_cv_trophie=yes)
+AC_ARG_ENABLE(nod32, [ --disable-nod32 Do not include support for Eset NOD32], ac_cv_nod32=$enableval, ac_cv_nod32=yes)
ANTIVIR_PATH="$PATH:/usr/lib/AntiVir:/usr/local/uvscan:/opt/AVP:/etc/iscan:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bd7:/usr/local/bd7/bin:/opt/kav/bin:/opt/kav/5.5/kav4unix/bin/"
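Review bot: The help string in the added AC_ARG_ENABLE line spells the vendor "Eset NOD32", while the matching README line in this patch says "ESET NOD32". Use one spelling in both so that the ./configure --help output and the README agree.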
@@ -587,6 +588,10 @@
if test "$ac_cv_trophie" = yes; then
AC_PATH_PROG(TROPHIE, trophie, /bin/false, $ANTIVIR_PATH)
fi
+
+ if test "$ac_cv_nod32" = yes; then
+ AC_PATH_PROG(NOD32, nod32cli, /bin/false, $ANTIVIR_PATH)
+ fi
fi
test -z "$HBEDV" && HBEDV=/bin/false
@@ -607,6 +612,7 @@
test -z "$NVCC" && NVCC=/bin/false
test -z "$CLAMD" && CLAMD=/bin/false
test -z "$TROPHIE" && TROPHIE=/bin/false
+test -z "$NOD32" && NOD32=/bin/false
if test "$ac_cv_debugging" = yes ; then
ENABLE_DEBUGGING=-DENABLE_DEBUGGING
@@ -987,6 +993,17 @@
GOT_VIRUS_SCANNER=1
fi
+ if test "$NOD32" = "/bin/false" ; then
+ if test "$ac_cv_nod32" != "yes" ; then
+ echo "NOD32 'nod32cli' NO (Disabled by configure command)"
+ else
+ echo "NOD32 'nod32cli' NO (not found)"
+ fi
+ else
+ echo "NOD32 'nod32cli' YES - $NOD32"
+ GOT_VIRUS_SCANNER=1
+ fi
+
fi
if test "$GOT_VIRUS_SCANNER" = "0" ; then
diff -ur ../mimedefang-2.55.orig/mimedefang-filter.5.in ./mimedefang-filter.5.in
--- ../mimedefang-2.55.orig/mimedefang-filter.5.in 2006-01-17 18:14:41.000000000 -0500
+++ ./mimedefang-filter.5.in 2006-01-24 17:11:49.302178000 -0500
@@ -784,6 +784,9 @@
$Features{"Virus:TROPHIE"} is the full path to Trophie if it is installed;
0 if it is not.
+$Features{"Virus:NOD32"} is the full path to ESET NOD32 if it is installed;
+0 if it is not.
+
\fBNOTE:\fR Perl-module based features (SpamAssassin, HTMLCleaner and
Virus:FileScan) are determined at runtime and may change as these are added
and removed. Most Virus features are predetermined at the time of
@@ -1843,6 +1846,8 @@
.B message_contains_virus_fprot()
.TP
.B message_contains_virus_fprotd()
+.TP
+.B message_contains_virus_nod32()
These functions should be called in \fBlist context\fR. They use the
indicated anti-virus software to scan the message for viruses. These
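Review bot: Only message_contains_virus_nod32() is documented here, and no hunk for this file mentions entity_contains_virus_nod32(), which the mimedefang.pl.in part of the patch also defines and registers. If the page lists the entity_contains_virus_* routines alongside these, add the matching .TP/.B entry there as well.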
@@ -1880,6 +1885,9 @@
.TP
.B f-prot
F-RISK F-PROT - http://www.f-prot.com/
+.TP
+.B nod32
+ESET "NOD" - http://www.eset.com/
.TP
.B message_contains_virus_openantivirus([$host])
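Review bot: The description line in the added entry reads ESET "NOD", but every other place in the patch calls the product NOD32 (README, configure.in, the $Features key). Suggest making it ESET NOD32 - http://www.eset.com/ to match.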
@@ -2374,6 +2382,10 @@
Trophie (http://www.vanja.com/tools/trophie/), which uses the libvsapi
library from Trend Micro, is supported in daemon-scanning mode.
+.TP
+.B o
+NOD32 (http://www.eset.com/)
+
.SH AUTHORS
\fBmimedefang\fR was written by David F. Skoll <dfs at roaringpenguin.com>.
The \fBmimedefang\fR home page is \fIhttp://www.mimedefang.org/\fR.
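Review bot: The added NOD32 bullet gives only a name and URL, whereas the Trophie entry just above it says which scanning mode is supported. Since configure.in looks for nod32cli, add a sentence saying that scanning is done through the nod32cli client, so readers know which binary has to be installed.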
diff -ur ../mimedefang-2.55.orig/mimedefang.pl.in ./mimedefang.pl.in
--- ../mimedefang-2.55.orig/mimedefang.pl.in 2006-01-18 13:54:02.000000000 -0500
+++ ./mimedefang.pl.in 2006-01-24 17:04:20.209126000 -0500
@@ -147,6 +147,7 @@
$Features{'Virus:TREND'} = ('@TREND@' ne '/bin/false' ? '@TREND@' : 0);
$Features{'Virus:TROPHIE'} = ('@TROPHIE@' ne '/bin/false' ? '@TROPHIE@' : 0);
$Features{'Virus:CSAV'} = ('@CSAV@' ne '/bin/false' ? '@CSAV@' : 0);
+$Features{'Virus:NOD32'} = ('@NOD32@' ne '/bin/false' ? '@NOD32@' : 0);
$Features{'Path:SENDMAIL'} = '@SENDMAILPROG@';
$Features{'Path:QUARANTINEDIR'} = '@QDIR@';
@@ -4809,6 +4810,83 @@
return (wantarray ? (999, 'cannot-execute', 'tempfail') : 999);
}
+#***********************************************************************
+# %PROCEDURE: entity_contains_virus_nod32
+# %ARGUMENTS:
+# entity -- a MIME entity
+# %RETURNS:
+# 1 if entity contains a virus as reported by NOD32; 0 otherwise.
+# %DESCRIPTION:
+# Runs the NOD32 program on the entity. (http://www.eset.com)
+#***********************************************************************
+sub entity_contains_virus_nod32 ($) {
+
+ unless($Features{'Virus:NOD32'}) {
+ md_syslog('err', "$MsgID: NOD32 not installed on this system");
+ return (wantarray ? (1, 'not-installed', 'tempfail') : 1);
+ }
+
+ my($entity) = @_;
+ my($body) = $entity->bodyhandle;
+ if (!defined($body)) {
+ return (wantarray ? (0, 'ok', 'ok') : 0);
+ }
+
+ # Get filename
+ my($path) = $body->path;
+ if (!defined($path)) {
+ return (wantarray ? (999, 'swerr', 'tempfail') : 1);
+ }
+
+ # Run NOD32
+ my($code, $category, $action) =
+ run_virus_scanner($Features{'Virus:NOD32'} . " --subdir $path 2>&1", "virus=\"([^\"]+)\"");
+ if ($action ne 'proceed') {
+ return (wantarray ? ($code, $category, $action) : $code);
+ }
+ return (wantarray ? interpret_nod32_code($code) : $code);
+}
+
+#***********************************************************************
+# %PROCEDURE: message_contains_virus_nod32
+# %ARGUMENTS:
+# Nothing
+# %RETURNS:
+# 1 if any file in the working directory contains a virus
+# %DESCRIPTION:
+# Runs the NOD32 program on the working directory
+#***********************************************************************
+sub message_contains_virus_nod32 () {
+
+ unless($Features{'Virus:NOD32'}) {
+ md_syslog('err', "$MsgID: NOD32 not installed on this system");
+ return (wantarray ? (1, 'not-installed', 'tempfail') : 1);
+ }
+
+ # Run nod32
+ my($code, $category, $action) =
+ run_virus_scanner($Features{'Virus:NOD32'} . " --subdir ./Work 2>&1", "virus=\"([^\"]+)\"");
+ return (wantarray ? interpret_nod32_code($code) : $code);
+}
+
+sub interpret_nod32_code ($) {
+ # http://u4.eset.com/manuals/guide_nod32ls.pdf
+ my($code) = @_;
+
+ # OK
+ return ($code, 'ok', 'ok') if ($code == 0);
+
+ # Virus
+ if ($code == 1 or $code == 2) {
+ $VirusName = $1 if ($CurrentVirusScannerMessage =~ m/virus=\"([^\"]+)\"/);
+ $VirusName = "unknown-NOD32-virus" if $VirusName eq "";
+ return ($code, 'virus', 'quarantine');
+ }
+
+ # All other codes should not happen
+ return ($code, 'swerr', 'tempfail');
+}
+
#***********************************************************************
# %PROCEDURE: run_virus_scanner
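Review bot: message_contains_virus_nod32 is missing the "if ($action ne 'proceed')" early return that entity_contains_virus_nod32 has, so the $category and $action returned by run_virus_scanner are discarded and the result is classified by exit code alone in interpret_nod32_code. Suggest adding the same check before the final return. Two smaller points in entity_contains_virus_nod32: $path is concatenated unquoted into a command string that carries 2>&1 and so is evidently handed to a shell, so quote it or pass it as a separate argument if run_virus_scanner allows that; and the undefined-$path branch returns 999 in list context but 1 in scalar context, which should agree. The %RETURNS comments say "1 if ... contains a virus", but codes 1 and 2 are both treated as a virus and the raw $code is returned, so the header comments should say so.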
@@ -7202,6 +7280,11 @@
push @VirusScannerEntityRoutines, \&entity_contains_virus_trend;
}
+ if ($Features{'Virus:NOD32'}) {
+ push @VirusScannerMessageRoutines, \&message_contains_virus_nod32;
+ push @VirusScannerEntityRoutines, \&entity_contains_virus_nod32;
+ }
+
}
#***********************************************************************