anomy-list

Anomy / F-Prot problem of return code

From: Fabian Zihlmann (63695@xyz.molar.is)
Date: Sun 10 Nov 2002 - 12:24:02 GMT

  • Next message: Ryan van Rensburg: "Word Wrapping"

    Hi

    1. I've got a problem with anomy and f-prot. I'm using f-prot for linux
    small business (not the daemonized version).
    If I send a mail through the pipe, I never get an attached file scaned
    for virus correctly. All the time the log says
    "Scan succeeded, file is clean". For example I attached "eicar.com"
    (Eicar-Teststring) to the mail ther is no warning,
    if I check the file on the command line I get returned "VIRUS :
    EICAR_Test_File" by the script.

    2. As you can see on my log, there is all the time a file called
    "unnamed.txt" that is scanned. Why that?

    Can anybody help? I think there is a problem with the returncode of
    check_for_virus, that Sanitizer.pm don't get
    the right code (0 for clean, 2 for disinfected, 3 for infected). I'm
    aware that it's not possible to disinfect the attachment
    with the not daemonized version of f-prot but I should at least get the
    returncode 0 or 3.

    Thanx a lot for any help.

    Fabian Zihlmann

    Here my configuration:

    Anomy Sanitizer Version 1.56
    F-Prot Version 3.12b

    ***** anomy.conf *******************************
    feat_boundaries = 0
    feat_files = 1
    feat_forwards = 1
    feat_html = 1
    feat_lengths = 1
    feat_log_inline = 1
    feat_log_stderr = 1
    feat_fixmime = 1
    feat_scripts = 1
    feat_trust_pgp = 0
    feat_uuencoded = 0
    feat_verbose = 1
    feat_force_name = 1
    feat_webbugs = 1
    file_list_rules = 1

    file_default_filename = unnamed.fil

    file_name_tpl = /var/spool/filter/att-$F-$T.$$

    file_list_1_scanner = 0:2:3:/usr/local/vscan/check_for_virus %FILENAME
    file_list_1_policy = accept:defang:save:save
    file_list_1 = .*

    file_default_policy = defang
    ***********************************************

    ****** anomy.log ********************************
    Sanitizer (start="1036929602"):
      Part (pos="891"):
        SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
          Match (rule="1"):
            ScanFile (file="/var/spool/filter/att-unnamed.txt-3dce4a4a.G4"):
              Scan succeeded, file is clean.

            Enforced policy: accept

      Part (pos="1027"):
        SanitizeFile (filename="eicar.com",
    mimetype="application/octet-stream"):
          Match (rule="1"):
            ScanFile (file="/var/spool/filter/att-eicar.com-3dce4a4b.CO"):
              Scan succeeded, file is clean.

            Enforced policy: accept
    *************************************************
    ***** check_for_virus ******************************
    #!/bin/sh

    # Script for the Sanitizer (procmail filter)
    # Using either F-PROT, AVP, Sweep or VirusScan antivirus systems
    # Version: 1.01, Xavier Roche/Serianet
    # Usage: /etc/procmail/check_for_virus <filename>
    # Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
    # Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
    # This script is under GPL

    ##############################################################################
    # Instructions (copied from e-mail from Xavier by Bjarni):
    #
    # I tested various AV systems (avp, f-prot..) and attached to this mail
    # a simple script which recognizes the four most used av scanners on
    # linux systems (the script can be freely used and spread, of course).
    #
    # The use is simple: check_for_virus <filename>
    # which will return 0 (OK), 2 (warning), or 3 (danger)
    #
    # For example, I use the main policy:
    #
    # file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
    # file_list_1_policy = unknown:mangle:save:save
    # file_list_1 = (?i).*
    #

    logger "check $1"

    if test -n "$1"; then
    if test -f "$1"; then

    RET=0

    # F-PROT (FRISK Software F-Prot Antivirus for Linux)
    if test -x /usr/local/bin/f-prot; then
        STATUS=
        /usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE -PACKED "$1"
    2>/dev/null >/dev/null
        RETURNCODE=$?
        if test $RETURNCODE -eq 3; then
            STATUS="virus found"
            RET=3
        fi
        if test -n "$STATUS"; then
            INFO=`/usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE
    -PACKED "$1" 2>/dev/null | grep -iE "infection:"|sed -e
    's/.*infection:\(.*\)/\1/i' -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
            logger "virus check for $1: VIRUS FOUND!! - $INFO"
            echo "VIRUS : $INFO"
        else
            logger "virus check for $1: ok"
            echo "CLEAN : OK"
        fi
    # AVP (Kaspersky Anti-Virus for Linux)
    elif test -x /usr/bin/kavscanner; then
        STATUS=
        /usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null >/dev/null
        RETURNCODE=$?
        if test $RETURNCODE -eq 2; then
            STATUS="suspicious file, maybe altered virus"
            RET=2
        elif test $RETURNCODE -eq 3; then
            STATUS="suspicious file"
            RET=2
        elif test $RETURNCODE -eq 4; then
            STATUS="virus found"
            RET=3
        fi
        if test -n "$STATUS"; then
            INFO=`/usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null | grep -iE
    "infected:"|sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
            echo "VIRUS : $INFO"
            logger "virus check for $1: VIRUS FOUND!! - $INFO"
        else
            logger "virus check for $1: ok"
            echo "CLEAN : OK"
        fi
    # Sophos Sweep Antivirus (SWEEP virus detection utility 3.47)
    elif test -x /usr/local/bin/sweep; then
        /usr/local/bin/sweep -ndi -s -ss -archive --no-follow-symlinks
    --skip-special --no-quarantine "$1" 2>/dev/null >/dev/null
        if test $? -eq 3; then
            INFO=`/usr/local/bin/sweep -ndi -s -ss -archive
    --no-follow-symlinks --skip-special --no-quarantine "$1" 2>/dev/null |
    grep -iE "Found.*virus"|sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
            echo "VIRUS : test $INFO"
            logger "virus check for $1: VIRUS FOUND!! - $INFO"
            RET=3
        else
            logger "virus check for $1: ok"
            echo "CLEAN : OK"
        fi
    # NAI VirusScan (McAfee VirusScan for Unix Linux 4.14.0)
    elif test -x /usr/local/bin/uvscan; then
        /usr/local/bin/uvscan --analyze --noexpire "$1" 2>/dev/null >/dev/null
        if test $? -eq 13; then
            INFO=`/usr/local/bin/uvscan --analyze --noexpire "$1"
    2>/dev/null | grep -iE "Found.*virus"|sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
            echo "VIRUS : $INFO"
            logger "virus check for $1: VIRUS FOUND!! - $INFO"
            RET=3
        else
            logger "virus check for $1: ok"
            echo "CLEAN : OK"
        fi
    fi
    exit $RET

    fi
    fi
    echo "ERROR"
    export RET
    exit 0
    **************************************************************
    ***** filter.sh ***** called by master.cf of postfix
    ***********************
    #!/bin/sh
    #
    # filter.sh
    #
    # Simple filter to plug Anomy Sanitizer and SpamAssassin
    # into the Postfix MTA
    #
    # From http://advosys.ca/papers/postfix-filtering.html
    # Advosys Consulting Inc., Ottawa
    #
    # For use with:
    # Postfix 20010228 or later
    # Anomy Sanitizer revision 1.49 or later
    # SpamAssassin 2.42 or later
    #
    # Note: Modify the file locations to match your particular
    # server and installation of SpamAssassin.

    # File locations:
    # (CHANGE AS REQUIRED TO MATCH YOUR SERVER)
    INSPECT_DIR=/var/spool/filter
    SENDMAIL=/usr/sbin/sendmail
    ANOMY=/usr/local/anomy
    ANOMY_CONF=/usr/local/anomy/anomy.conf
    SPAMASSASSIN=/usr/bin/spamc
    LOG=/usr/local/anomy/log/anomy.log

    export ANOMY

    # Exit codes from <sysexits.h>
    EX_TEMPFAIL=75
    EX_UNAVAILABLE=69

    cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }

    # Clean up when done or when aborting.
    trap "rm -f in.$$; rm -f out.$$" 0 1 2 3 15

    cat | $SPAMASSASSIN | $ANOMY/bin/sanitizer.pl $ANOMY_CONF 2>> $LOG >
    out.$$ || { echo Message content rejected; exit $EX_UNAVAILABLE; }
      

    $SENDMAIL "$@" < out.$$

    exit $?
    *******************************************************



    hosted by molar.is