uvscan with anomy

From: Ron 'The InSaNe OnE' Rosson (
Date: Wed 17 Jul 2002 - 18:36:12 UTC

    I am trying to get uvscan to work with my newly installed
    anomy. Here is what I have so far for the file_rules:

    ## File attachment name mangling rules:

    file_name_tpl = /var/quarantine/att-$F-$T.$$

    # Number of rulesets we are defining:
    file_list_rules = 4
    file_default_policy = defang

    # Delete probably nasty attachments:
    file_list_1_scanner = 0
    file_list_1_policy = drop
    file_list_1 = (?i)(winmail.dat)|
    file_list_1 += (\.(vb[se]|exe|com|cab|dll|ocx|msi|cmd|bat|pif|lnk|hlp|ms[ip]|reg

    # Allow known "safe" file types and those that can be
    # scanned by the downstream virus scanner:
    file_list_2_scanner = 0
    file_list_2_policy = accept
    file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
    file_list_2 += |mp[32]|wav|au|ram?
    file_list_2 += |avi|mov|mpe?g
    file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
    file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
    file_list_2 += |[ja]sp
    file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$

    file_list_3_scanner = 0
    file_list_3_policy = accept
    file_list_3 = ^[^\.]+$

    # Archives and scriptable stuff - virus scan these.
    # NOTE: There must be THREE groups of exit codes and FOUR policies,
    # - the first three match the code groups, the fourth is default.
    file_list_4_scanner = 0:5:3,4:/usr/local/bin/uvscan -c %FILENAME
    file_list_4_policy = unknown:save:save:save
    file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
    file_list_4 += |class|upd|wp\d?|m?db
    file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
    file_list_4 += )(\.g?z|\.bz\d?)*$

    # Any attachment not listed above gets renamed.

    Everything so far in the first three rules appears to work. It is
    the 4th one that is supposed to kick off the virus scanner.

    I have the klez worm that I have tested uvscan with and it
    detects it fine. So when I attach the file to an email and
    send it locally through the unix server, anomy never detects the
    file is a virus. (I do not think it is starting the virus

    Anyone have any ideas what I am doing wrong?


    Ron Rosson                                    ... and a UNIX user said ...
    The InSaNe One                                        rm -rf *                        and all was /dev/null and *void()
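To check how a rule set like the one in the post actually routes an attachment, here is an added example (my own code, not anomy's): it parses the `file_list_N` / `+=` lines, the three-groups-plus-default scanner spec and the policy list, and reports which rule a filename hits and which policy a scanner exit code maps to. It embeds a constructed subset of the config above (rule 1 is cut off in the post, so it is left out), and the rule-matching order is my reading of the config, not anomy's own matching code; exit code 13 in the test is just a code outside all three groups.

```python
import re

# Constructed excerpt of the poster's rules 2-4 (rule 1 is cut off in the post, so it is left out).
CONFIG = r"""file_list_rules = 4
file_default_policy = defang
file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
file_list_2 += )(\.g?z|\.bz\d?)*$
file_list_3 = ^[^\.]+$
file_list_4_scanner = 0:5:3,4:/usr/local/bin/uvscan -c %FILENAME
file_list_4_policy = unknown:save:save:save
file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
file_list_4 += )(\.g?z|\.bz\d?)*$"""

def parse_config(text):
    """'key = value' sets a key; 'key += value' appends to it (how the long regexes are split up)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if " += " in line:
            key, val = line.split(" += ", 1)
            cfg[key.strip()] = cfg.get(key.strip(), "") + val.strip()
        else:
            key, val = line.split("=", 1)
            cfg[key.strip()] = val.strip()
    return cfg

def first_matching_rule(cfg, filename):
    """Number of the first file_list_N regex that matches the name, or None (file_default_policy applies)."""
    for i in range(1, int(cfg["file_list_rules"]) + 1):
        pattern = cfg.get(f"file_list_{i}")
        if pattern and re.search(pattern, filename):
            return i
    return None

def parse_scanner(spec):
    """'0:5:3,4:/path/scanner %FILENAME' -> three sets of exit codes plus the command template."""
    g1, g2, g3, command = spec.split(":", 3)
    return [{int(c) for c in g.split(",")} for g in (g1, g2, g3)], command

def policy_for_exit(code, groups, policies):
    """Exit code in group 1-3 -> that group's policy; any other code -> the fourth (default) policy."""
    for group, policy in zip(groups, policies[:3]):
        if code in group:
            return policy
    return policies[3]
```

Feeding it the scanner's real exit codes shows which ones land in the fourth slot, which is where a code missing from all three groups ends up.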

