On Wednesday, July 17, 2002 at 13:20:17, Geoff Seeley wrote:
>
> ----- Original Message -----
> From: "Ron 'The InSaNe OnE' Rosson" <49728@xyz.molar.is>
> To: <49678@xyz.molar.is>
> Sent: Wednesday, July 17, 2002 11:36 AM
> Subject: [anomy-list]: uvscan with anomy
>
>
> > file_list_4_scanner = 0:5:3,4:/usr/local/bin/uvscan -c %FILENAME
> > file_list_4_policy = unknown:save:save:save
> > file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
> > file_list_4 += |class|upd|wp\d?|m?db
> > file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
> > file_list_4 += )(\.g?z|\.bz\d?)*$
> >
> > Everything in the first three rules appears to work. It is
> > the 4th one that is supposed to kick off the virus scanner.
> >
> > I have the Klez worm that I have tested uvscan with and it
> > detects it fine. So when I attach the file to an email and
> > send it locally through the Unix server, anomy never detects
> > that the file is a virus. (I do not think it is starting the virus
> > scanner.)
> >
> > Anyone have any ideas what I am doing wrong?
>
> I think it is your exit codes. When I set up my configuration file, I found the
> exit codes listed in the man page for uvscan and based my configuration on this.
> Here are the relevant parts:
>
> # McAfee VirusScan exit codes mapped to policies
> #
> # "accept" if the file is clean (exit status 0)
> # "mangle" if the file was dirty, but is now clean (19)
> # "drop!" if the file is still dirty (12 or 13)
> # "save" if the virscan utility returns some other exit code
> # or an error occurs.
> ...
> # Scan Word,Excel,WordPerfect,Project,Corel Quattropro
> # SQL, Visio, PDF, Powerpoint
> # attachments.
>
> file_list_3 = (?i)\.(do[tc]|xl[sw]|p[po]t|rtf|wpd|mpp|wb3|sql|vsd|p(df|cx)|pps)$
> file_list_3_policy = accept:mangle:drop!:save
> file_list_3_scanner = 0:19:12,13:/opt/uvscan/uvscan --clean %FILENAME
>
OK, tried that and it is still not working. So I am going to
include the configuration file along with the procmailrc
file. Maybe I misread something or missed something.
<begin anomy configuration>
#
# Anomy Configuration File 6/16/2002, version 1.2, rlr
#
# Do not log to STDERR:
feat_log_stderr = 0
# Don't insert log in the message itself:
feat_log_inline = 0
# Enable filename based policy decisions:
feat_files = 1
# Protect against buffer overflows and null values:
feat_lengths = 1
# Replace MIME boundaries with our own:
feat_boundaries = 1
# Fix invalid and ambiguous MIME boundaries, if possible:
feat_fixmime = 1
# Trust signed and/or encrypted messages:
feat_trust_pgp = 1
msg_pgp_warning = WARNING: Unsanitized content follows.\n
# Defang shell scripts:
feat_scripts = 0
# Defang active HTML:
feat_html = 1
# Defang UUEncoded files:
feat_uuencoded = 0
# Sanitize forwarded content too:
feat_forwards = 1
# Testing? Set to 1 for testing, 0 for production:
feat_testing = 0
# Warn user about unscanned parts, etc.
feat_verbose = 1
# Force all parts (except text/html parts) to
# have file names.
feat_force_name = 1
# Disable web bugs:
feat_webbugs = 1
# Disable "score" based mail discarding:
score_panic = 0
score_bad = 0
msg_file_drop = \n*****\n
msg_file_drop += NOTE: An attachment named %FILENAME was deleted from
msg_file_drop += this message because it was a Windows executable.
msg_file_drop += Contact the system administrator for more information.
##
## File attachment name mangling rules:
##
file_name_tpl = /var/quarantine/att-$F-$T.$$
# Number of rulesets we are defining:
file_list_rules = 4
file_default_policy = defang
# Delete probably nasty attachments:
file_list_1_scanner = 0
file_list_1_policy = drop
file_list_1 = (?i)(winmail.dat)|
file_list_1 += (\.(vb[se]|exe|com|cab|dll|ocx|msi|cmd|bat|pif|lnk|hlp|ms[ip]|reg|asd))$
# Allow known "safe" file types and those that can be
# scanned by the downstream virus scanner:
file_list_2_scanner = 0
file_list_2_policy = accept
file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
file_list_2 += |mp[32]|wav|au|ram?
file_list_2 += |avi|mov|mpe?g
file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
file_list_2 += |[ja]sp
file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$
file_list_3_scanner = 0
file_list_3_policy = accept
file_list_3 = ^[^\.]+$
# Archives and scriptable stuff - virus scan these.
# NOTE: There must be THREE groups of exit codes and FOUR policies,
# - the first three match the code groups, the fourth is default.
#
file_list_4_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean %FILENAME
file_list_4_policy = accept:mangle:drop!:save
file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
file_list_4 += |class|upd|wp\d?|m?db
file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
file_list_4 += )(\.g?z|\.bz\d?)*$
# Any attachment not listed above gets renamed.
<end anomy configuration>
<begin procmailrc>
#LOGFILE=/var/log/anomy.log
#LOGABSTRACT=all
#VERBOSE=yes
PATH="/usr/bin:$PATH:/usr/local/bin"
SHELL=/bin/sh
# Call Anomy
ANOMY=/usr/local/anomy/
:0fw
| /usr/local/anomy/bin/sanitizer.pl /usr/local/etc/anomy.conf
# Call Spam Assassin
:0fw
| spamc -f
:0e
{
EXITCODE=$?
}
<end procmailrc>
TIA
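Since the open question is which of the four file_list rules a given attachment name falls into, and what uvscan's exit status is then turned into, here is a small Python evaluator of the posted file_list_* configuration. It is an added example written for this page, not Anomy's own code. It assumes that Anomy tries the rules in numerical order and uses the first match, that "+=" appends with no separator (the split regexes in the file depend on that), that a scanner value of 0 means no external scanner, and that a scanner spec is three exit-code groups followed by the command, as the comment in the posted config says. The CONF text is an excerpt of the posted file and the filenames are constructed sample input.

```python
import re

# Constructed excerpt of the posted anomy.conf: only the file_list_* keys,
# reproduced here as sample input for this example.
CONF = r"""
file_list_rules = 4
file_default_policy = defang
file_list_1_scanner = 0
file_list_1_policy = drop
file_list_1 = (?i)(winmail.dat)|
file_list_1 += (\.(vb[se]|exe|com|cab|dll|ocx|msi|cmd|bat|pif|lnk|hlp|ms[ip]|reg|asd))$
file_list_2_scanner = 0
file_list_2_policy = accept
file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
file_list_2 += |mp[32]|wav|au|ram?
file_list_2 += |avi|mov|mpe?g
file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
file_list_2 += |[ja]sp
file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$
file_list_3_scanner = 0
file_list_3_policy = accept
file_list_3 = ^[^\.]+$
file_list_4_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean %FILENAME
file_list_4_policy = accept:mangle:drop!:save
file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
file_list_4 += |class|upd|wp\d?|m?db
file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
file_list_4 += )(\.g?z|\.bz\d?)*$
"""


def parse_conf(text):
    """Collapse 'key = value' and 'key += value' lines into one dict.
    Assumption: '+=' appends with no separator, which is what the
    multi-line regexes in the posted file rely on."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s*(\+?=)\s*(.*)$", line)
        if not m:
            continue
        key, op, val = m.groups()
        kv[key] = (kv.get(key, "") + val) if op == "+=" else val
    return kv


def build_rules(kv):
    """Turn file_list_N / _policy / _scanner keys into rule records.
    Assumption: a scanner spec of '0' means no external scanner; otherwise
    it is 'codes:codes:codes:command' (three exit-code groups, then the
    command line) paired with four policies, the fourth being the fallback."""
    rules = []
    for n in range(1, int(kv["file_list_rules"]) + 1):
        spec = kv["file_list_%d_scanner" % n]
        policies = kv["file_list_%d_policy" % n].split(":")
        groups, command = None, None
        if spec != "0":
            g1, g2, g3, command = spec.split(":", 3)
            groups = [{int(c) for c in g.split(",")} for g in (g1, g2, g3)]
        rules.append({"n": n, "regex": re.compile(kv["file_list_%d" % n]),
                      "policies": policies, "groups": groups, "command": command})
    return rules, kv.get("file_default_policy", "defang")


def match_rule(rules, default_policy, filename):
    """First rule whose regex matches the name wins (assumption: Anomy checks
    the rules in numerical order). Rule number 0 stands for the default."""
    for rule in rules:
        if rule["regex"].search(filename):
            return rule
    return {"n": 0, "regex": None, "policies": [default_policy],
            "groups": None, "command": None}


def decide(rules, default_policy, filename, exit_code=None):
    """Return (rule number, policy, scanner command or None) for a filename.
    For a rule with a scanner, the scanner's exit status selects the policy;
    without an exit status no decision can be made for such a rule."""
    rule = match_rule(rules, default_policy, filename)
    command = rule["command"].replace("%FILENAME", filename) if rule["command"] else None
    if rule["groups"] is None:
        return rule["n"], rule["policies"][0], command
    if exit_code is None:
        raise ValueError("rule %d runs a scanner; pass its exit code" % rule["n"])
    for group, policy in zip(rule["groups"], rule["policies"]):
        if exit_code in group:
            return rule["n"], policy, command
    return rule["n"], rule["policies"][-1], command


if __name__ == "__main__":
    rules, default = build_rules(parse_conf(CONF))
    for name, code in [("setup.exe", None), ("photo.JPG", None), ("README", None),
                       ("report.doc", 0), ("report.doc", 13), ("archive.tar.gz", 19),
                       ("file.xyz", None)]:
        print(name, code, decide(rules, default, name, code))
```

Running it shows that a ".doc" or ".tar.gz" name does reach rule 4 and produces the uvscan command line, so whether that rule fires is not a regex problem with these names; the policy for rule 4 is whatever uvscan's exit status maps to, and the evaluator deliberately refuses to decide without one. That is the thing worth checking on the server: that uvscan actually runs from the sanitizer's environment (note the procmailrc PATH) and which status it returns for the test file.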