anomy-list

Re: uvscan with anomy

From: 49728@xyz.molar.is
Date: Mon 22 Jul 2002 - 21:53:32 UTC


    On Wednesday, July 17, 2002 at 13:20:17, Geoff Seeley wrote:
    >
    > ----- Original Message -----
    > From: "Ron 'The InSaNe OnE' Rosson" <49728@xyz.molar.is>
    > To: <49678@xyz.molar.is>
    > Sent: Wednesday, July 17, 2002 11:36 AM
    > Subject: [anomy-list]: uvscan with anomy
    >
    >
    > > file_list_4_scanner = 0:5:3,4:/usr/local/bin/uvscan -c %FILENAME
    > > file_list_4_policy = unknown:save:save:save
    > > file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
    > > file_list_4 += |class|upd|wp\d?|m?db
    > > file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
    > > file_list_4 += )(\.g?z|\.bz\d?)*$
    > >
    > > Everything so far in the first three rules appears to work. It is
    > > the 4th one that is supposed to kick off the virus scanner.
    > >
    > > I have the klez worm that I have tested uvscan with and it
    > > detects it fine. so when I attach the file to an email and
    > > send it locally thru the unix server anomy never detects the
    > > file is a virus. ( I do not think it is starting the virus
    > > scanner)
    > >
    > > Anyone have any ideas what I am doing wrong?
    >
    > I think it is your exit codes. When I set up my configuration file, I found the
    > exit codes listed in the man page for uvscan and based my configuration on this.
    > Here are the relevant parts:
    >
    > # McAfee VirusScan exit codes mapped to policies
    > #
    > # "accept" if the file is clean (exit status 0)
    > # "mangle" if the file was dirty, but is now clean (19)
    > # "drop!" if the file is still dirty (12 or 13)
    > # "save" if the virscan utility returns some other exit code
    > # or an error occurs.
    > ...
    > # Scan Word,Excel,WordPerfect,Project,Corel Quattropro
    > # SQL, Visio, PDF, Powerpoint
    > # attachments.
    >
    > file_list_3 = (?i)\.(do[tc]|xl[sw]|p[po]t|rtf|wpd|mpp|wb3|sql|vsd|p(df|cx)|pps)$
    > file_list_3_policy = accept:mangle:drop!:save
    > file_list_3_scanner = 0:19:12,13:/opt/uvscan/uvscan --clean %FILENAME
    >

    Ok, tried that and it is still not working. So I am going to
    include the configuration file along with the procmailrc
    file. Maybe I misread something or missed something.

    <begin anomy configuration>
    #
    # Anomy Configuration File 6/16/2002, version 1.2, rlr
    #
    # Do not log to STDERR:
    feat_log_stderr = 0
    # Don't insert log in the message itself:
    feat_log_inline = 0
    # Enable filename based policy decisions:
    feat_files = 1
    # Protect against buffer overflows and null values:
    feat_lengths = 1
    # Replace MIME boundaries with our own:
    feat_boundaries = 1
    # Fix invalid and ambiguous MIME boundaries, if possible:
    feat_fixmime = 1
    # Trust signed and/or encrypted messages:
    feat_trust_pgp = 1
    msg_pgp_warning = WARNING: Unsanitized content follows.\n
    # Defang shell scripts:
    feat_scripts = 0
    # Defang active HTML:
    feat_html = 1
    # Defang UUEncoded files:
    feat_uuencoded = 0
    # Sanitize forwarded content too:
    feat_forwards = 1
    # Testing? Set to 1 for testing, 0 for production:
    feat_testing = 0
    # Warn user about unscanned parts, etc.
    feat_verbose = 1
    # Force all parts (except text/html parts) to
    # have file names.
    feat_force_name = 1
    # Disable web bugs:
    feat_webbugs = 1
    # Disable "score" based mail discarding:
    score_panic = 0
    score_bad = 0
    msg_file_drop = \n*****\n
    msg_file_drop += NOTE: An attachment named %FILENAME was deleted from
    msg_file_drop += this message because it was a Windows executable.
    msg_file_drop += Contact the system administrator for more information.
    ##
    ## File attachment name mangling rules:
    ##
    file_name_tpl = /var/quarantine/att-$F-$T.$$
    # Number of rulesets we are defining:
    file_list_rules = 4
    file_default_policy = defang
    # Delete probably nasty attachments:
    file_list_1_scanner = 0
    file_list_1_policy = drop
    file_list_1 = (?i)(winmail.dat)|
    file_list_1 += (\.(vb[se]|exe|com|cab|dll|ocx|msi|cmd|bat|pif|lnk|hlp|ms[ip]|reg|asd))$
    # Allow known "safe" file types and those that can be
    # scanned by the downstream virus scanner:
    file_list_2_scanner = 0
    file_list_2_policy = accept
    file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
    file_list_2 += |mp[32]|wav|au|ram?
    file_list_2 += |avi|mov|mpe?g
    file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
    file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
    file_list_2 += |[ja]sp
    file_list_2 += |can|pos|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$

    file_list_3_scanner = 0
    file_list_3_policy = accept
    file_list_3 = ^[^\.]+$

    # Archives and scriptable stuff - virus scan these.
    # NOTE: There must be THREE groups of exit codes and FOUR policies,
    # - the first three match the code groups, the fourth is default.
    #
    file_list_4_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean %FILENAME
    file_list_4_policy = accept:mangle:drop!:save
    file_list_4 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
    file_list_4 += |class|upd|wp\d?|m?db
    file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
    file_list_4 += )(\.g?z|\.bz\d?)*$

    # Any attachment not listed above gets renamed.

    <end anomy configuration>

    <begin procmailrc>
    #LOGFILE=/var/log/anomy.log
    #LOGABSTRACT=all
    #VERBOSE=yes

    PATH="/usr/bin:$PATH:/usr/local/bin"
    SHELL=/bin/sh

    # Call Anomy
    ANOMY=/usr/local/anomy/
    :0fw
    | /usr/local/anomy/bin/sanitizer.pl /usr/local/etc/anomy.conf

    # Call Spam Assassin
    :0fw
    | spamc -f

    :0e
    {
       EXITCODE=$?
    }
    <end procmailrc>

    TIa
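The thread turns on how a `file_list_N_scanner` line ("three groups of exit codes, then the command") combines with its `file_list_N_policy` line ("three policies, then a default"). The Python harness below is an added example, written for this page; it is not Anomy's own code and not something either poster wrote. It parses the two lines exactly as they appear in the posted configuration, runs the command with `%FILENAME` substituted, and maps the exit status to a policy. Two things are assumptions of this example rather than facts about sanitizer.pl: the command is launched as an argv list without a shell, and a scanner binary that cannot be started is treated as exit status 127 (the shell's "command not found"). In place of uvscan it uses a constructed `/bin/sh` stub that exits 13 when the file contains the made-up marker `INFECTED-MARKER`.

```python
import os
import shlex
import stat
import subprocess
import tempfile

# The scanner and policy lines exactly as they appear in the posted config.
SCANNER_SPEC = "0:19:12,13:/usr/local/bin/uvscan --clean %FILENAME"
POLICY_SPEC = "accept:mangle:drop!:save"


def parse_scanner_spec(spec):
    """Split 'codes:codes:codes:command' into three sets of exit codes plus
    the command template.  A group may be empty or comma-separated ("12,13")."""
    parts = spec.split(":", 3)
    if len(parts) != 4:
        raise ValueError("scanner spec needs THREE exit-code groups and a command")
    groups = []
    for group in parts[:3]:
        group = group.strip()
        groups.append({int(c) for c in group.split(",")} if group else set())
    return groups, parts[3].strip()


def parse_policy_spec(spec):
    """Split 'p1:p2:p3:default' into the three group policies and the default."""
    policies = [p.strip() for p in spec.split(":")]
    if len(policies) != 4:
        raise ValueError("policy spec needs FOUR policies (three groups + default)")
    return policies


def choose_policy(exit_code, groups, policies):
    """The first code group containing exit_code wins; otherwise the 4th policy."""
    for group, policy in zip(groups, policies[:3]):
        if exit_code in group:
            return policy
    return policies[3]


def run_scanner(command, filename):
    """Run the command template with %FILENAME substituted.  Assumption of this
    example: argv list, no shell.  A scanner that cannot be started yields 127
    (the shell's 'command not found'), which lands on the default policy."""
    argv = [filename if tok == "%FILENAME" else tok for tok in shlex.split(command)]
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except OSError:
        return 127
    return proc.returncode


# Constructed stand-in for uvscan (hypothetical, not the real scanner): exits 13
# when the file contains the marker INFECTED-MARKER, 0 otherwise.  The file
# name is the last argument, as in "uvscan --clean %FILENAME".
FAKE_SCANNER = """#!/bin/sh
for f in "$@"; do :; done
if grep -q INFECTED-MARKER "$f"; then exit 13; fi
exit 0
"""


def scan_sample(contents, scanner_missing=False, policy_spec=POLICY_SPEC):
    """Write an attachment with the given bytes, scan it with the stub (or with
    a deliberately missing binary) and return (exit_code, policy)."""
    groups, _ = parse_scanner_spec(SCANNER_SPEC)
    policies = parse_policy_spec(policy_spec)
    with tempfile.TemporaryDirectory() as tmp:
        stub = os.path.join(tmp, "uvscan-stub")
        with open(stub, "w") as fh:
            fh.write(FAKE_SCANNER)
        os.chmod(stub, stat.S_IRWXU)
        attachment = os.path.join(tmp, "attachment.doc")
        with open(attachment, "wb") as fh:
            fh.write(contents)
        binary = os.path.join(tmp, "no-such-uvscan") if scanner_missing else stub
        # Same shape as the posted scanner line; only the binary path differs.
        command = f"{shlex.quote(binary)} --clean %FILENAME"
        code = run_scanner(command, attachment)
        return code, choose_policy(code, groups, policies)


if __name__ == "__main__":
    for label, data, missing in [
        ("clean file", b"just a memo", False),
        ("infected file", b"INFECTED-MARKER inside", False),
        ("scanner not installed", b"INFECTED-MARKER inside", True),
    ]:
        print(label, "->", scan_sample(data, scanner_missing=missing))
```

The third case is the one worth checking first when a scanner "never detects" anything: if the configured path is wrong or the binary is not executable by the user procmail runs as, every status outside the three groups silently falls to the fourth policy (`save` here), and the attachment is quarantined under `file_name_tpl` with no virus verdict. Running the configured command by hand as that user, with a test file and `echo $?` afterwards, shows whether the exit codes in the line match what the scanner actually returns.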


