anomy-list

Re: uvscan with anmomy

From: Rick Johnson (50704@xyz.molar.is)
Date: Wed 14 Aug 2002 - 23:12:18 UTC


    Think I figured it out - for some reason drop was okay, but drop! forces a
    non-zero error code, which procmail interprets as a failure.

    Note to others - ! is not a good idea w/ procmail.

    -Rick
    -------------------------------------------------------
    Rick Johnson, Red Hat Certified Engineer - 50704@xyz.molar.is
    Linux/WAN Administrator - Medata, Inc.
    ----- Original Message -----
    From: "Rick Johnson" <50704@xyz.molar.is>
    To: <50743@xyz.molar.is>
    Sent: Wednesday, August 14, 2002 3:13 PM
    Subject: Re: [anomy-list]: uvscan with anmomy

    I know this is an older thread.

    Today I attempted to use uvscan as listed in this thread. While uvscan is
    detecting and cleaning or erroring on the virus, sanitizer is returning a
    non-zero return code, and procmail is interpreting it as a program failure.
    At that point, it recovers the prefiltered mail, and sends the attachment
    uncleaned.

    The log entry states:

    Sanitizer (start="1029362944"):
      Part (pos="1020"):
        SanitizeFile (filename="unnamed.txt", mimetype="TEXT/PLAIN"):
          Match (rule="2"):
            Enforced policy: accept

      Part (pos="1113"):
        SanitizeFile (filename="eicar2.zip", mimetype="APPLICATION/zip"):
          Match (rule="3"):
            ScanFile (file="/var/quarantine/att-eicar2.zip-3d5ad500.AH"):
              File was infected, the virus checker couldn't fixed it.

            Enforced policy: drop

          Replaced mime type with: text/plain
          Replaced file name with: RENAME_FILE_TO_USE-43960.txt

    Total modifications so far: 1
    procmail: Program failure (1) of "/usr/local/anomy/bin/sanitizer.pl"
    procmail: Rescue of unfiltered data succeeded

    My sanitizer config lines which affect scanning:

    file_list_3_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean --noexpire --analyze --panalyze --unzip %FILENAME
    file_list_3_policy = accept:mangle:drop!:save
    file_list_3 = (?i)\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?
    file_list_3 += |class|upd|wp\d?|m?db|snp|vsd
    file_list_3 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
    file_list_3 += )(\.g?z|\.bz\d?)*\.?$

    # uvscan returns 0 clean, 19 infected, but cleaned, 12 or 13 for infected
    file_list_4_scanner = 0:19:12,13:/usr/local/bin/uvscan --clean --noexpire --analyze --panalyze --unzip %FILENAME
    file_list_4_policy = accept:mangle:drop!:save
    file_list_4 = ^[^\.]+$

    Any thoughts on what I can change so that procmail still receives a returned
    zero?

    -Rick

    -------------------------------------------------------
    Rick Johnson, Red Hat Certified Engineer - 50704@xyz.molar.is
    Linux/WAN Administrator - Medata, Inc.
    ----- Original Message -----
    From: "Ron 'The InSaNe OnE' Rosson" <50793@xyz.molar.is>
    To: "alex morris" <50833@xyz.molar.is>
    Cc: <50743@xyz.molar.is>
    Sent: Thursday, July 25, 2002 9:50 AM
    Subject: Re: [anomy-list]: uvscan with anmomy

    Using the bash script below and sending test e-mails here is
    what I have:

    procmail log output:

    procmail: [20487] Thu Jul 25 09:47:09 2002
    procmail: Assigning
    "PATH=/usr/bin:/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin:/usr/local/bin"
    procmail: Assigning "SHELL=/bin/sh"
    procmail: Assigning "ANOMY=/usr/local/anomy/"
    procmail: Executing
    "/usr/local/anomy/bin/sanitizer.pl,/usr/local/etc/anomy.conf"

    Current procmailrc:
    LOGFILE=/var/log/anomy.log
    LOGABSTRACT=all
    VERBOSE=yes

    PATH="/usr/bin:$PATH:/usr/local/bin"
    SHELL=/bin/sh

    # Call Anomy
    ANOMY=/usr/local/anomy/
    :0fw
    | /usr/local/anomy/bin/sanitizer.pl /usr/local/etc/anomy.conf

    Virus scanner is still not kicking off so to speak.

    Any Ideas?

    TIA

    On Wednesday, July 24, 2002 at 21:34:40, alex morris wrote:
    > The only way to know what is going on is to somehow trap the exit codes
    > from the scanner, and compare them to what you told the sanitizer to do.
    >
    > I would temporarily eliminate the SpamAssassin to simplify the problem.
    > I would then make a wrapper script around the virus scan command you
    > call within the sanitizer to trap the error codes. Something like
    >
    > /usr/local/bin/uvscan.sh
    >
    > #!/bin/bash -xv
    > # run the scanner on the file the sanitizer hands us
    > /usr/local/bin/uvscan -c "$1"
    > ac=$?
    > # log the code on stderr so it does not mix with the scanner's output
    > echo "uvscan exit code was $ac" >&2
    > # hand the scanner's own exit code back to the sanitizer
    > exit $ac
    >
    > You should now be able to see the exit codes the scanner returns for the
    > various conditions.
    >
    > I would also suggest making your policy
    >
    > file_list_4_policy = accept:save:save:save
    >
    > Deleting attachments out of hand isn't the right thing to do, but
    > neither is accepting something that is still potentially harmful.
    >
    > If that doesn't work, you might try changing your command line to use
    > the --clean flag instead of just -c, like Geoff suggested.
    >
    > alex
    >
    >
    > 50793@xyz.molar.is wrote:
    >
    > > On Wednesday, July 17, 2002 at 13:20:17, Geoff Seeley wrote:
    > >
    > > ----- Original Message -----
    > > From: "Ron 'The InSaNe OnE' Rosson" <50793@xyz.molar.is>
    > > To: <50743@xyz.molar.is>
    > > Sent: Wednesday, July 17, 2002 11:36 AM
    > > Subject: [anomy-list]: uvscan with anmomy
    > >
    > > Ok Tried that and it is still not working.. So I am going to
    > > include the configuration file along with the procmailrc
    > > file. Maybe I misread something or missed something.
    > >
    > > <begin anomy configuration>
    > > #
    >

    --
    ------------------------------------------------------------------------------
    Ron Rosson                                    ... and a UNIX user said ...
    The InSaNe One                                        rm -rf *
    50793@xyz.molar.is                        and all was /dev/null and *void()
    ------------------------------------------------------------------------------
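The thread turns on two things: how a `file_list_N_scanner` spec such as `0:19:12,13:/usr/local/bin/uvscan ...` maps uvscan's exit status onto the four slots of `file_list_N_policy` (`accept:mangle:drop!:save`), and why a policy carrying a trailing `!` makes `sanitizer.pl` exit non-zero so that a `:0fw` procmail recipe rescues the unfiltered mail. The script below is an added example, not code from the thread or from the Anomy project. It assumes the slot layout clean:cleaned:infected:other that the thread's own config and log imply, stands in for uvscan with a `fake_uvscan` function that returns the exit codes Rick lists (0 clean, 13 infected and not cleaned), and includes a wrapper that traces a scanner's exit status without swallowing it, which is the flaw in the wrapper script quoted above (its final `echo` would make the script exit 0 for every file).

```shell
#!/bin/sh
# Added example, not code from the anomy-list thread or from the Anomy
# project. It models:
#   1. how an Anomy "file_list_N_scanner" spec of the form
#        <clean codes>:<cleaned codes>:<infected codes>:<command>
#      selects one of the four "file_list_N_policy" slots
#        <clean>:<cleaned>:<infected>:<other>
#      from the scanner's exit status (codes in no list fall into "other"), and
#   2. a wrapper that records a scanner's exit status without changing it,
#      so the sanitizer still sees the real code.
# Assumptions: uvscan is stood in for by fake_uvscan(); the slot layout above
# follows the thread's config and log, not Anomy's source.

# in_list LIST CODE: true if CODE is one of the comma separated LIST.
in_list() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# anomy_policy_for_exit SPEC POLICY CODE: print the policy word that CODE
# selects. SPEC is the scanner spec (command part optional), POLICY the
# colon separated policy list.
anomy_policy_for_exit() {
    spec=$1 policy=$2 code=$3
    if   in_list "$(printf '%s' "$spec" | cut -d: -f1)" "$code"; then slot=1
    elif in_list "$(printf '%s' "$spec" | cut -d: -f2)" "$code"; then slot=2
    elif in_list "$(printf '%s' "$spec" | cut -d: -f3)" "$code"; then slot=3
    else slot=4
    fi
    printf '%s\n' "$policy" | cut -d: -f"$slot"
}

# policy_is_fatal WORD: true when the policy carries the trailing "!", which
# (per the thread) makes sanitizer.pl exit non-zero, so a procmail recipe
# with the "w" flag treats the filter as failed and delivers the unfiltered
# message instead.
policy_is_fatal() {
    case $1 in
        *!) return 0 ;;
        *)  return 1 ;;
    esac
}

# fake_uvscan FILE: constructed stand-in for "uvscan --clean ... FILE" using
# two of the exit codes the thread lists: 0 clean, 13 infected, not cleaned.
fake_uvscan() {
    if grep -q 'EICAR' "$1" 2>/dev/null; then
        return 13
    fi
    return 0
}

# scan_with_trace CMD ARGS...: run the scanner, log its exit status to
# stderr, and return that same status to the caller.
scan_with_trace() {
    "$@"
    rc=$?
    echo "scanner exit status $rc for: $*" >&2
    return $rc
}

# Stand-alone demonstration on a constructed temporary file.
demo() {
    spec='0:19:12,13'
    policy='accept:mangle:drop!:save'
    tmp=$(mktemp) || return 1
    printf 'EICAR test marker (constructed, not the real test file)\n' > "$tmp"
    rc=0
    scan_with_trace fake_uvscan "$tmp" || rc=$?
    word=$(anomy_policy_for_exit "$spec" "$policy" "$rc")
    if policy_is_fatal "$word"; then
        echo "exit $rc -> policy '$word': sanitizer exits non-zero, procmail rescues the unfiltered mail"
    else
        echo "exit $rc -> policy '$word': sanitizer exits 0, the filtered mail is delivered"
    fi
    rm -f "$tmp"
}

demo
```

Run it as `sh script.sh`; with the constructed file it reports exit 13 landing in the third slot, `drop!`, which is the case Rick's log shows. Change `drop!` to `drop` in `policy` and the same exit code is no longer fatal to the procmail recipe, matching his fix.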