Hi
1. I've got a problem with anomy and f-prot. I'm using f-prot for linux
small business (not the daemonized version).
If I send a mail through the pipe, I never get an attached file scaned
for virus correctly. All the time the log says
"Scan succeeded, file is clean". For example I attached "eicar.com"
(Eicar-Teststring) to the mail ther is no warning,
if I check the file on the command line I get returned "VIRUS :
EICAR_Test_File" by the script.
2. As you can see on my log, there is all the time a file called
"unnamed.txt" that is scanned. Why that?
Can anybody help? I think there is a problem with the returncode of
check_for_virus, that Sanitizer.pm don't get
the right code (0 for clean, 2 for disinfected, 3 for infected). I'm
aware that it's not possible to disinfect the attachment
with the not daemonized version of f-prot but I should at least get the
returncode 0 or 3.
Thanx a lot for any help.
Fabian Zihlmann
Here my configuration:
Anomy Sanitizer Version 1.56
F-Prot Version 3.12b
***** anomy.conf *******************************
feat_boundaries = 0
feat_files = 1
feat_forwards = 1
feat_html = 1
feat_lengths = 1
feat_log_inline = 1
feat_log_stderr = 1
feat_fixmime = 1
feat_scripts = 1
feat_trust_pgp = 0
feat_uuencoded = 0
feat_verbose = 1
feat_force_name = 1
feat_webbugs = 1
file_list_rules = 1
file_default_filename = unnamed.fil
file_name_tpl = /var/spool/filter/att-$F-$T.$$
file_list_1_scanner = 0:2:3:/usr/local/vscan/check_for_virus %FILENAME
file_list_1_policy = accept:defang:save:save
file_list_1 = .*
file_default_policy = defang
***********************************************
****** anomy.log ********************************
Sanitizer (start="1036929602"):
Part (pos="891"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (rule="1"):
ScanFile (file="/var/spool/filter/att-unnamed.txt-3dce4a4a.G4"):
Scan succeeded, file is clean.
Enforced policy: accept
Part (pos="1027"):
SanitizeFile (filename="eicar.com",
mimetype="application/octet-stream"):
Match (rule="1"):
ScanFile (file="/var/spool/filter/att-eicar.com-3dce4a4b.CO"):
Scan succeeded, file is clean.
Enforced policy: accept
*************************************************
***** check_for_virus ******************************
#!/bin/sh
# Script for the Sanitizer (procmail filter)
# Using either F-PROT, AVP, Sweep or VirusScan antivirus systems
# Version: 1.01, Xavier Roche/Serianet
# Usage: /etc/procmail/check_for_virus <filename>
# Returns: "CLEAN : OK" | "VIRUS : <information>" | "ERROR"
# Exitcode: 0=OK 2=SUSPICIOUS 3=VIRUS
# This script is under GPL
##############################################################################
# Instructions (copied from e-mail from Xavier by Bjarni):
#
# I tested various AV systems (avp, f-prot..) and attached to this mail
# a simple script which recognizes the four most used av scanners on
# linux systems (the script can be freely used and spread, of course).
#
# The use is simple: check_for_virus <filename>
# which will return 0 (OK), 2 (warning), or 3 (danger)
#
# For example, I use the main policy:
#
# file_list_1_scanner = 0:2:3:/etc/procmail/check_for_virus %FILENAME
# file_list_1_policy = unknown:mangle:save:save
# file_list_1 = (?i).*
#
logger "check $1"
if test -n "$1"; then
if test -f "$1"; then
RET=0
# F-PROT (FRISK Software F-Prot Antivirus for Linux)
if test -x /usr/local/bin/f-prot; then
STATUS=
/usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE -PACKED "$1"
2>/dev/null >/dev/null
RETURNCODE=$?
if test $RETURNCODE -eq 3; then
STATUS="virus found"
RET=3
fi
if test -n "$STATUS"; then
INFO=`/usr/local/bin/f-prot -NOBOOT -NOMEM -NOSUB -ARCHIVE
-PACKED "$1" 2>/dev/null | grep -iE "infection:"|sed -e
's/.*infection:\(.*\)/\1/i' -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
logger "virus check for $1: VIRUS FOUND!! - $INFO"
echo "VIRUS : $INFO"
else
logger "virus check for $1: ok"
echo "CLEAN : OK"
fi
# AVP (Kaspersky Anti-Virus for Linux)
elif test -x /usr/bin/kavscanner; then
STATUS=
/usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null >/dev/null
RETURNCODE=$?
if test $RETURNCODE -eq 2; then
STATUS="suspicious file, maybe altered virus"
RET=2
elif test $RETURNCODE -eq 3; then
STATUS="suspicious file"
RET=2
elif test $RETURNCODE -eq 4; then
STATUS="virus found"
RET=3
fi
if test -n "$STATUS"; then
INFO=`/usr/bin/kavscanner -LP -I0 "$1" 2>/dev/null | grep -iE
"infected:"|sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
echo "VIRUS : $INFO"
logger "virus check for $1: VIRUS FOUND!! - $INFO"
else
logger "virus check for $1: ok"
echo "CLEAN : OK"
fi
# Sophos Sweep Antivirus (SWEEP virus detection utility 3.47)
elif test -x /usr/local/bin/sweep; then
/usr/local/bin/sweep -ndi -s -ss -archive --no-follow-symlinks
--skip-special --no-quarantine "$1" 2>/dev/null >/dev/null
if test $? -eq 3; then
INFO=`/usr/local/bin/sweep -ndi -s -ss -archive
--no-follow-symlinks --skip-special --no-quarantine "$1" 2>/dev/null |
grep -iE "Found.*virus"|sed -e 's/^[ \>]*//g' -e 's/[ ]*$//g'`
echo "VIRUS : test $INFO"
logger "virus check for $1: VIRUS FOUND!! - $INFO"
RET=3
else
logger "virus check for $1: ok"
echo "CLEAN : OK"
fi
# NAI VirusScan (McAfee VirusScan for Unix Linux 4.14.0)
elif test -x /usr/local/bin/uvscan; then
/usr/local/bin/uvscan --analyze --noexpire "$1" 2>/dev/null >/dev/null
if test $? -eq 13; then
INFO=`/usr/local/bin/uvscan --analyze --noexpire "$1"
2>/dev/null | grep -iE "Found.*virus"|sed -e 's/^[ ]*//g' -e 's/[ ]*$//g'`
echo "VIRUS : $INFO"
logger "virus check for $1: VIRUS FOUND!! - $INFO"
RET=3
else
logger "virus check for $1: ok"
echo "CLEAN : OK"
fi
fi
exit $RET
fi
fi
echo "ERROR"
export RET
exit 0
**************************************************************
***** filter.sh ***** called by master.cf of postfix
***********************
#!/bin/sh
#
# filter.sh
#
# Simple filter to plug Anomy Sanitizer and SpamAssassin
# into the Postfix MTA
#
# From http://advosys.ca/papers/postfix-filtering.html
# Advosys Consulting Inc., Ottawa
#
# For use with:
# Postfix 20010228 or later
# Anomy Sanitizer revision 1.49 or later
# SpamAssassin 2.42 or later
#
# Note: Modify the file locations to match your particular
# server and installation of SpamAssassin.
# File locations:
# (CHANGE AS REQUIRED TO MATCH YOUR SERVER)
INSPECT_DIR=/var/spool/filter
SENDMAIL=/usr/sbin/sendmail
ANOMY=/usr/local/anomy
ANOMY_CONF=/usr/local/anomy/anomy.conf
SPAMASSASSIN=/usr/bin/spamc
LOG=/usr/local/anomy/log/anomy.log
export ANOMY
# Exit codes from <sysexits.h>
EX_TEMPFAIL=75
EX_UNAVAILABLE=69
cd $INSPECT_DIR || { echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
# Clean up when done or when aborting.
trap "rm -f in.$$; rm -f out.$$" 0 1 2 3 15
cat | $SPAMASSASSIN | $ANOMY/bin/sanitizer.pl $ANOMY_CONF 2>> $LOG >
out.$$ || { echo Message content rejected; exit $EX_UNAVAILABLE; }
$SENDMAIL "$@" < out.$$
exit $?
*******************************************************